List of chrome browser extensions that can be useful while performing application security assessments. Some of the extensions are already discussed earlier in our blog. On the sidenote, a similar collection exists for Firefox users – check SecFox at Mozilla Addons Collection site
Note: Below table will be updated regularly. If you find any addons that are not listed but might be useful while conducting pentests, please mention in comments.
Proxy Switchy! is an advanced proxy manager for Google Chrome, it allows users to manage and switch between multiple proxy profiles quickly and easily.
This will be one must-have addition to the chrome addons that helps for security testing which we had discussed earlier here. While conducting blackbox security assessments, we normally do analysis on communication between the server and the browser (client). This is done with the help of various software proxy interceptors such as Paros, Webscarb, Burp etc. by redirecting traffic to these proxies.
Most of the times its required to change the browser proxy settings to
1. Change the port to switch the listener (proxy) that intercepts web traffic
2. Filter the URLs that are not in our scope to reduce the overhead on the proxy.
3. Match the URLs to send to different listeners based on certain patterns.
Proxy switch can help to easily overcome the situations mentioned above.
AdBlock is one of the most popular browser extension that prevents ads or annoying page elements those are usually displayed in any webpage. It works by matching the pattern of unwanted elements in the page with what is available in its database and filters them.
Adblock can be made more efficient by adding custom patterns for the elements to be filtered.. This feature of AdBlock can be extended to block not only the ads but also the malicious content those are injected in seemingly genuine sites. This is done by adding MalwareDomains subscription to our Adblock preferences. MalwareDomain contains a list of domains that are known to be used to propagate malware and spyware. Adblock verifies whether there are any cross domain content loaded from any of malicious websites present in that list and if there is, then it blocks those elements.
Note: Subscribing to this list can increase the load time of the site. Increase in security at the cost of slight reduction in performance.
Here, we illustrate the steps to add the MalwareDomain list to our Adblock addon available for Chrome and Firefox browsers.
Download Adblock for Chrome here.
1. Access the AdBlock Options from the Chrome Extensions page and add MalwareDomains URL (http://malwaredomains.lanik.us/malwaredomains_full.txt)
2. Entered URL will now display in the subscriptions list. Make sure that its checked.
It is the revolution of web browsers; they rule internet now. Browsers have evolved so much from what we had seen during the days of IE6. Now Firefox, Chrome, Opera, IE are on war to prove who is the best. They try different ways to win the heart of users; Firefox took a great leap by introducing the ‘panaroma’ feature – focus on multitasking, chrome gets appreciation for its fluid design – focus on simplicity & ease of use, Opera and IE has browser stability on priority – focus on robustness.
During this evolution, some browsers tries to standout from others by introducing a new feature which had never been available in any of their counterparts. But the other browsers instead wait for the users comments on the new feature implemented, if appreciated, they implement the same feature in theirs, may be in a better way. The browser who introduced that feature first might even loose its credit in due course. User is forced to switch from their favorite browser for a ‘single feature’ they found useful in the ‘other’ browser. Once they completely switch and get used to the new browser, the old one brings out the same feature plus few bonus features. This cycle never ends. Firefox introduced tabs and extensions when IE did not have in them, people were attracted to it and finally switched to firefox. Then the light weight chrome came with Tab tearing, web apps, new tab page with speed dial and many other features, made few users to make chrome as their default browser. Firefox then inherited few of chromes’ features, syncing and expose like tab candy/panaroma effects. We don’t have to switch browsers just for UI features, and if at all we do, it should be seamless.
This article tries to identify best features in each of the browser and the features we expect to be part any modern browser. Here, we try to baseline few ideas, those ideas which takes browser design to the next level.
Browser Main Screen (Mockup)
MOCKUP - Main Screen - Click over image to zoom
Google has launched Secure Google search hosted on SSL lately . This post talks on how to enable this Secure Google search to the browser search bar/search suggestions in Firefox, Chrome and IE browsers.
Updated: Added Screenshots for IE
Go to the Mozilla Addons Page and add Google SSL Search Plugin
Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?
Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.
In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.
Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)
3. Internet Explorer
Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’
Now the Search box in IE will display Google.
via Google Blog and TechDows
Chrome is becoming popular among the developers due to its extended support for the upcoming web technologies. If these features of chrome can help the developers to dissect & analyse the newest web applications, so can it for security analysts. Firefox has become so popular among the security guys due to the availability of addons like WebDeveloper/Firebug which can aid them during their security assessments.
The extension Pendule is an attempt to reproduce the features of WebDeveloper Addon for firefox. Currently it doesn’t support all the features of WebDeveloper but expected to incorporate soon.
Pendule - Chrome Extension
1. Form Manipulations
2. View Javascripts
3. Show Image Paths Inline
Download Pendule: 
Stay updated with addons discussed in the SecFox series, the most popular section of this blog. For that you need to subscribe to the SecFox addon collection available in the mozilla addons site.
SecFox is collection of addons which can be used to customize any firefox to a security assessment tool. At the time of writing this collection has 40+ addons which can help the web app sec testers during their assessments.
In this part of the Secfox series, we will be discussing about the addons that can help us during the app security assessments which involves cookie analysis and manipulation.
These addons can be of huge help when we perform the type of tests mentioned below.
We use a proxy interceptor like Paros/Burp/WebScarab to trap the HTTP requests and modify the values during its transit. For this to happen, we need to setup a proxy and ensure that it listens to the browser traffic. An additional step is required if the application uses an SSL connection, i.e. to store the Proxy’s forged certificate in the browser. The intercepted request enables us to add new cookies or modify the existing ones. We can also check when exactly are the cookie values issued and whether it is getting flushed upon session expiration.
We have various addons for firefox which makes the tasks mentioned above easier. Certain addons allow to view the cookies stored in the browser and others allows us to edit it. The advantage – we don’t need any proxy to do this job, we can view/edit from the browser itself.
1. View Cookies
This addon adds a tab in the ‘Page Info’ box available on the Firefox context menu.
View Cookies Addon
Download Link:
2. Add N Edit Cookies
This addon integrates a Cookie Editor to firefox. This also allows us to edit the attributes of the cookie.
Download Link:
Pen testers fondly use webproxy a lot to manipulate the HTTP requests created by the browser before it is sent to the web sever. This helps us to verify the the absence of any server side validations or flaw in the client side validations. But feel lucky if you are using Firefox while performing web app security assessments, ’cause we have a cool extension ‘GroundSpeed’ which exactly does that.
I dont want to blabber much on describing how it works since the author has a nice writeup in his GroundSpeed homepage.
“Groundspeed is an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. It allows security testers to manipulate the way they interact with the web application’s user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls.
Some of the practical uses of Groundspeed include changing the types of form fields, like for example changing hidden fields into text fields, removing size and length limitations on input fields and modifying any JavaScript event handlers to bypass client side validation.
Groundspeed works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since it happens entirely on the client side without generating new requests to the server, it is completely transparent to the application.”
Google Gears provides enhanced interactive functionality for websites designed to use it: drag-and-drop, client-side database storage, and the ability to view and work with specially prepared websites when offline (not connected to the Internet).
Now-a-days most of the feature rich sites interact with the Gears installed in the PC and makes our browsing experience better. But what if we frequently switch our PCs and use portable version of Firefox! what if we dont have admin privileges in the PC we are currently working with? Gears Portable Addon can save our day.
3d access addons apps appsec automate batch chrome code command concept customize Download files Firefox free google Graphics greasemonkey icon imageEditing linux mail mp3 online organize passwords pics Portable rightclick scan scripts Secfox store sync systools tips updates usb va versions videos webdesign xss youtube
WP Cumulus Flash tag cloud by Roy Tanck and Luke Morton requires Flash Player 9 or better.
