Note: Below table will be updated regularly. If you find any addons that are not listed but might be useful while conducting pentests, please mention in comments.

This will be one must-have addition to the chrome addons that helps for security testing which we had discussed earlier here. While conducting blackbox security assessments, we normally do analysis on communication between the server and the browser (client). This is done with the help of various software proxy interceptors such as Paros, Webscarb, Burp etc. by redirecting traffic to these proxies.

Most of the times its required to change the browser proxy settings to
1. Change the port to switch the listener (proxy) that intercepts web traffic
2. Filter the URLs that are not in our scope to reduce the overhead on the proxy.
3. Match the URLs to send to different listeners based on certain patterns.

Proxy switch can help to easily overcome the situations mentioned above.

Features

- Manage and switch between multiple proxy profiles.
- Change the proxy configuration of Chrome and IE in one click.
- URL based switch rules.
- Supports Socks v4 and v5.
- Change LAN and VPN/Dial-up proxy settings.
- Quickly add rules for currently active websites.
- Quick proxy switch between two profiles or cycle all profiles.
- Online rule list support (AutoProxy compatible), more details here.
- Export switch rules as PAC/RuleList file.
- Backup/Restore options.
- Proxy change monitoring.
- Colorful profiles and icons.
- Supports Windows, Linux (32/64 bit) and Mac OS X.

Screenshots

Proxy Switchy! Info
App Name	Proxy Switchy!
License	free
Type	portable
App URL
More Info	link

Adblock can be made more efficient by adding custom patterns for the elements to be filtered.. This feature of AdBlock can be extended to block not only the ads but also the malicious content those are injected in seemingly genuine sites. This is done by adding MalwareDomains subscription to our Adblock preferences. MalwareDomain contains a list of domains that are known to be used to propagate malware and spyware. Adblock verifies whether there are any cross domain content loaded from any of malicious websites present in that list and if there is, then it blocks those elements.

Note: Subscribing to this list can increase the load time of the site. Increase in security at the cost of slight reduction in performance.

Here, we illustrate the steps to add the MalwareDomain list to our Adblock addon available for Chrome and Firefox browsers.

I. Adding MalwareDomain Subscription in Chrome

Download Adblock for Chrome here.

1. Access the AdBlock Options from the Chrome Extensions page and add MalwareDomains URL (http://malwaredomains.lanik.us/malwaredomains_full.txt)

2. Entered URL will now display in the subscriptions list. Make sure that its checked.

II. Adding MalwareDomain Subscription in Firefox

Download AdBlock Plus for Firefox here.

1. Open the Adblock Plus Preferences and click on the ‘Add Filter Subscription’ from the Filters menu.

2. Click on ‘Add a different subscription’ link.

3. Add the MalwareDomains URL in the subscription entry (http://malwaredomains.lanik.us/malwaredomains_full.txt)

4. List of domains to be filtered will be displayed under the filter which we have newly subscribed. Make sure that its enabled.

Links

• MalwareDomains List
• Other AdBlock Suscriptions
• AdBlock for Chrome
• AdBlock for Firefox

MalwareDomains Subscription List Info
App Name	MalwareDomains Subscription List
License	free
Type	online
App URL
More Info	link

During this evolution, some browsers tries to standout from others by introducing a new feature which had never been available in any of their counterparts. But the other browsers instead wait for the users comments on the new feature implemented, if appreciated, they implement the same feature in theirs, may be in a better way. The browser who introduced that feature first might even loose its credit in due course. User is forced to switch from their  favorite browser for a ‘single feature’ they found useful in the ‘other’ browser. Once they completely switch and get used to the new browser, the old one brings out the same feature plus few bonus features. This cycle never ends. Firefox introduced tabs and extensions when IE did not have in them, people were attracted to it and finally switched to firefox. Then the light weight chrome came with Tab tearing, web apps, new tab page with speed dial and many other features, made few users to make chrome as their default browser. Firefox then inherited few of chromes’ features, syncing and expose like tab candy/panaroma effects. We don’t have to switch browsers just for UI features, and if at all we do, it should be seamless.

This article tries to identify best features in each of the browser and the features we expect to be part any modern browser. Here, we try to baseline few ideas, those ideas which takes browser design to the next level.

Browser Main Screen (Mockup)

MOCKUP - Main Screen - Click over image to zoom

Highlights

Main Screen

1. Menu Button

Drop down to access frequently access browser actions like preferences, print options, edit etc. To replace standard browser tool bar. (Inspired from firefox/opera)

2. Extension Button

Displays drop down that contains icons of the extensions to activate/deactivate them, or displays extensions options in sub-menus. Does not consume your address bar space as used to in firefox or previous chrome version. (Inspired from Chromium resizable bar that displays extension icons)

3. Bookmarks Button

Displays organized bookmarks in dropdown, no more bookmarks bar – (Can be created in firefox by customize options for toolbar)

4. Only Favicons in tab title

We just need favicons to know which tab is what. Most of the websites have favicon now-a-days (Inspired from faviconize tab firefox extension/pin tabs/app tabs)

5. Tabs that behaves like Dock/Taskbar icons in OSX/Win7

MOCKUP - Switch pages from same site with hover preview

One favicon displayed for one domain/website. Its like transformation from Win XP quicklauch to Win7 Taskbar. 2 pages from Facebook are to be indicated by one tab and should allow user to switch over the pages from that single Facebook icon displayed. For example, hovering over the icon should display preview of different pages open from that same site. So this keeps the number of tabs open in the browser under control. (Inspired from OSX dock/Win7 Peek).

6. Tab Sets/Groups

Tabs should be grouped to different sets and only those tabs belonging to that set should be visible on the browser window. This gives us distraction free environment. We should be able to move the tabs across the tabset by drag-n-drop (Inspired by Opera Tab Sets/Firefox Panorama)

Example -

• SOCIAL Set – Facebook, Twitter, LinkedIn etc
• WORK Set – Stackoverflow, Superuser, Dev Forums etc
• FUN Set – Youtube, Failblog etc

7. DropZone for Downloads

We don’t need a separate downloads window to keep track of our downloads.  All we need is a small icon which displays the status of our downloads and should reveal the items downloaded only when required. So idea is to click on that dropzone icon to pop up a stack which displays the downloaded items/in progress ones. Another feature we would want is to be able to drag and drop the target URLs directly to the dropzone to start the download to the default downloads folder. (Inspired from Download statusbar firefox extensions/ flashget)

Check the Mockup

8. Semi Transparent Status Bar to display full URL (Autohides)

Status bar displays only when we hover over any link (Inspired from Chrome)

9. Unload the tabs on demand/Not all tabs are loaded during browser start

Some of the websites sends Ajax request continually load the time based dynamic content every n seconds even if the page is not active. For examples gmail syncs with the server to check for new email and there might be different apps that does the same. But we might not want gmail to do so and we dont want to close the tab either. So the solution is to unload the tab and activate/load it only when required. This happens during browser start as well, we load only the last tab this significantly increase browser startup time. (Inspired from Bartab Firefox addon)

10. Mouse Gesture Support

Less keystrokes – More usable browsers will be. Built-in support for mouse gestures. (Inspired by FireGestures Firefox addon and Chrome Gestures addon in Chrome)

11. Sync ‘Everything’

Every time you do a fresh install of your favorite browser anywhere, you have to spend hours to customize it. Do it at home and you repeat all again at work, or on your new laptop. All browsers should have built-in capabilities to sync preferences, extensions, bookmarks, and everything to ensure that user doesn’t even notice any change if browses at home or at work. He should be given options to create profile and sync those at work or home. (Inspired from Firefox weave, built-in with Firefox 4 though)

New Tab/ Hidden Address Bar

MOCKUP - New Tab Popup

1. Pops-up on demand

Address bar consumes unnecessary space of our precious screen real estate. We need address bar only when we access a new page so why should it be visible all the time? Clicking on the newtab icon displays a popup that has a tiny address bar. This is like a omnibar/awesomebar which means single box to accept URL as well as search string. (Inspired from AppPanel enabled using startup switch in Chrome).

2. Search Site

Below the address bar are the favicons of the currently open tabs. Example, select the icon of twitter then enter the search term to search twitter for something. Reduces many steps this way.

3. Top Sites (Starred)

Few starred sites/frequently used sites (may be top 10) are displayed in drop down when the Star icon is clicked. So open these sites with a click (Most visited in Chrome, Top Sites in Safari)

Tab Grid

A new perspective to our usual browsing experience. This displays preview of currently opened tabs in a grid, tabs can be easily identified/switched to from here. We should be able to close the tabs with a click without switching back to the page.

MOCKUP - Tab Grid

1. New Tab from Grid

This is the best part, we can create tabs by just entering the address of the page you want to access from the grid itself. Example – create tabs for Google reader/ Gmail or any site instantaneously and let it load when you are still in the grid. So in future grid enables user to quickly create and open multiple tabs. (Inspired from IE in Win7 mobile)

2. Switch Tabsets from Grid

Click on the tabset button to preview the tabs belonging to that set. Easily drag and drop the tabs to different sets from the Grid as well. (Inspired from Firefox Panorama/OSX Expose)

• Counter on Panorama feature – This feature in Firefox will become little complex and unmanageable after opening maybe 30 tabs (or on laptop screens). We will end up in have 10 or 15 tab piles. But the method mentioned in this article lets users to manage tabs on that tab set and does not display all the tabs in all the sets.

3. Open New Page of Opened Tab

List of opened tabs displayed in the Grid, click on it to clone the site to a different page.

Conclusion

Like the term ‘Tabs’ which is now a standard in all the browser, we expect the ideas mentioned in the post to be integral part of every browser. Let the users have seamless browser switch if the opt for. So in future, users should consider the parameters like speed, stability, performance to let them decide on the chosen and not just the UI based influences.

Mockups Below For Reference

Main Screen - Click over image to zoom

Hover Preview

New Tab Popup

Tab Grid

Please mention in comments if there are any features you would want to see in all the browsers or you deny on any of the idea mentioned.

Author of this post is familiar with different web browsers like IE 4 – 8, Now Defunct Netscape Navigator, Firefox (all versions), Opera, Chrome (all versions), Safari and many others. Has been evangelizing web browsers since 90s.

Updated: Added Screenshots for IE

1. Firefox

Go to the Mozilla Addons Page and add Google SSL Search Plugin

Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?

2. Chrome

Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.

In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.

Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)

3. Internet Explorer

• Access the Add Search Providers page

• In the Create Your Own enter https://www.google.com/search?q=TEST in the URL field

Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’

Now the Search box in IE will display Google.

via Google Blog and TechDows

The extension Pendule is an attempt to reproduce the features of WebDeveloper Addon for firefox. Currently it doesn’t support all the features of WebDeveloper but expected to incorporate soon.

Pendule - Chrome Extension

Features

1. Form Manipulations

2. View Javascripts

3. Show Image Paths Inline

Download Pendule:

SecFox is collection of addons which can be used to customize any firefox to a security assessment tool. At the time of writing this collection has 40+ addons which can help the web app sec testers during their assessments.

An ‘addon collector‘ addon is to be installed to get the SecFox updates. So if any new addon added to SecFox collection gives an alert to the subscriber.

Check the video below which explains how.

Download Secfox Collection :

These addons can be of huge help when we perform the type of tests mentioned below.

• Cookie Prediction
• Session Fixation
• Cookie Persistence/Expiration
• Broken Session Management

Traditional Method

We use a proxy interceptor like Paros/Burp/WebScarab to trap the HTTP requests and modify the values during its transit. For this to happen, we need to setup a proxy and ensure that it listens to the browser traffic. An additional step is required if the application uses an SSL connection, i.e. to store the Proxy’s forged certificate in the browser. The intercepted request enables us to add new cookies or modify the existing ones. We can also check when exactly are the cookie values issued and whether it is getting flushed upon session expiration.

Usage of Addons

We have various addons for firefox which makes the tasks mentioned above easier. Certain addons allow to view the cookies stored in the browser and others allows us to edit it. The advantage – we don’t need any proxy to do this job, we can view/edit from the browser itself.

1. View Cookies

This addon adds a tab in the ‘Page Info’ box available on the Firefox context menu.

View Cookies Addon

Download Link:

2. Add N Edit Cookies

This addon integrates a Cookie Editor to firefox. This also allows us to edit the attributes of the cookie.

Add n Edit Cookies Addon

Download Link:

3. FireCookie

If you are using Firebug a lot, then cookies are easily accessible inside firebug tabs if you have FireCookie installed.

FireCookie Addon

Download Link:

4. Cookie Swap

This is an amazing addon which helps us to switch between various cookie profiles. This addon saves all the cookies for a particular domain to the chosen profile. These profiles can be managed through a Profile Manager which comes with the tool. One can add and organize the profile which can be easily swapped from the Firefox status bar. This is of great use if you are testing the application which has multiple login credentials.

Cookie Swap - Status Bar

Cookie Swap - Manage Profiles

Download Link:

5. WebDeveloper – View Cookies

Web developer has a built-in cookie viewer and editor. Once you select on ‘View Cookies’ available under the ‘Cookies’ menu, a new tab is displayed with a big list of cookies for that particular domain and options to edit it. I prefer using ‘Add n Edit Cookie’ to this addon.

WebDeveloper - View Cookies

Download Link:

Video Demo

Watch the following video. Here, I quickly go through each of the addon I’d mentioned above.

Stay tuned… Secfox will continue….

Pen testers fondly use webproxy a lot to manipulate the HTTP requests created by the browser before it is sent to the web sever. This helps us to verify the the absence of any server side validations or flaw in the client side validations. But feel lucky if you are using Firefox while performing web app security assessments, ’cause we have a cool extension ‘GroundSpeed’ which exactly does that.

I dont want to blabber much on describing how it works since the author has a nice writeup in his GroundSpeed homepage.

“Groundspeed is an open-source Firefox extension that manipulates the interface of web applications in order to make the life of the security tester easier. It allows security testers to manipulate the way they interact with the web application’s user interface by manipulating the forms and form elements, eliminating annoying limitations and client-side controls.

Some of the practical uses of Groundspeed include changing the types of form fields, like for example changing hidden fields into text fields, removing size and length limitations on input fields and modifying any JavaScript event handlers to bypass client side validation.

Groundspeed works by dynamically modifying the Document Object Model (DOM) of the page after Firefox has finished loading and rendering it. The changes take effect immediately and, since it happens entirely on the client side without generating new requests to the server, it is completely transparent to the application.”

Check the video

Conclusion

Whatever GroundSpeed can do can be done with Firebug, but this makes life super easy. We might tend to mess the HTML code displayed in the firebug window. But with GroundSpeed, we exactly achieve want we want. Another advantage of this addon compared to firebug is that this helps us to minimize the time wasted in searching for the variable names and the attributes which we intend to change if we had used Firebug.

As the author quotes, Firebug is meant for Developers and GroundSpeed for PenTesters. We hope that there will be many enhancements in the future so as to make this a full fledged PenTest addon.

Gallery

GroundSpeed Conversions

GroundSpeed - Remove Max Length

Install GroundSpeed Firefox Addon:

Now-a-days most of the feature rich sites interact with the Gears installed in the PC and makes our browsing experience better. But what if we frequently switch our PCs and use portable version of Firefox! what if we dont have admin privileges in the PC we are currently working with? Gears Portable Addon can save our day.

This add-on is an unmodified repackaging of Google’s binaries via the official Windows installer/updater. (In other words, it’s the official releases, simply ZIP’d into an XPI file.)

Installation

1. Download and install Google Gears Portable (This is an experimental addon so check ‘Let me install this experimental add-on‘ to install this addon
2. Restart your firefox.
3. Go to the site you want to enable Gears and click on the Gears icon.
4. As shown in the below screenshot Allow the Gears Access.

Download Gears Portable :