List of chrome browser extensions that can be useful while performing application security assessments. Some of the extensions are already discussed earlier in our blog. On the sidenote, a similar collection exists for Firefox users – check SecFox at Mozilla Addons Collection site
Note: Below table will be updated regularly. If you find any addons that are not listed but might be useful while conducting pentests, please mention in comments.
Proxy Switchy! is an advanced proxy manager for Google Chrome, it allows users to manage and switch between multiple proxy profiles quickly and easily.
This will be one must-have addition to the chrome addons that helps for security testing which we had discussed earlier here. While conducting blackbox security assessments, we normally do analysis on communication between the server and the browser (client). This is done with the help of various software proxy interceptors such as Paros, Webscarb, Burp etc. by redirecting traffic to these proxies.
Most of the times its required to change the browser proxy settings to
1. Change the port to switch the listener (proxy) that intercepts web traffic
2. Filter the URLs that are not in our scope to reduce the overhead on the proxy.
3. Match the URLs to send to different listeners based on certain patterns.
Proxy switch can help to easily overcome the situations mentioned above.
NotScripts gives you a high degree of “NoScript” like control over what javascript, iframes, and plugins runs in your browser to increase security and lower the CPU usage. It is useful to help mitigate some attacks like certain cross-site scripting (XSS) vulnerabilities and drive by downloads by blocking the third-party content before it even runs with it’s default deny policy.
You can whitelist the sites you want through an easy to use url bar icon and drop down menu.
NotScripts uses a unique and novel method to provide this “NoScript” like functionality in Google Chrome that was not previously possible. It introduces a break through technique of intelligent HTML5 storage caching to over come the limitations in Google Chrome that prevented an extension like this from being made before. NotScripts blocks third-party content BEFORE they load and it does this while also having a whitelist. This is one of the key extensions that many people have been waiting for since Google Chrome came out.
AdBlock is one of the most popular browser extension that prevents ads or annoying page elements those are usually displayed in any webpage. It works by matching the pattern of unwanted elements in the page with what is available in its database and filters them.
Adblock can be made more efficient by adding custom patterns for the elements to be filtered.. This feature of AdBlock can be extended to block not only the ads but also the malicious content those are injected in seemingly genuine sites. This is done by adding MalwareDomains subscription to our Adblock preferences. MalwareDomain contains a list of domains that are known to be used to propagate malware and spyware. Adblock verifies whether there are any cross domain content loaded from any of malicious websites present in that list and if there is, then it blocks those elements.
Note: Subscribing to this list can increase the load time of the site. Increase in security at the cost of slight reduction in performance.
Here, we illustrate the steps to add the MalwareDomain list to our Adblock addon available for Chrome and Firefox browsers.
Download Adblock for Chrome here.
1. Access the AdBlock Options from the Chrome Extensions page and add MalwareDomains URL (http://malwaredomains.lanik.us/malwaredomains_full.txt)
2. Entered URL will now display in the subscriptions list. Make sure that its checked.
It is the revolution of web browsers; they rule internet now. Browsers have evolved so much from what we had seen during the days of IE6. Now Firefox, Chrome, Opera, IE are on war to prove who is the best. They try different ways to win the heart of users; Firefox took a great leap by introducing the ‘panaroma’ feature – focus on multitasking, chrome gets appreciation for its fluid design – focus on simplicity & ease of use, Opera and IE has browser stability on priority – focus on robustness.
During this evolution, some browsers tries to standout from others by introducing a new feature which had never been available in any of their counterparts. But the other browsers instead wait for the users comments on the new feature implemented, if appreciated, they implement the same feature in theirs, may be in a better way. The browser who introduced that feature first might even loose its credit in due course. User is forced to switch from their favorite browser for a ‘single feature’ they found useful in the ‘other’ browser. Once they completely switch and get used to the new browser, the old one brings out the same feature plus few bonus features. This cycle never ends. Firefox introduced tabs and extensions when IE did not have in them, people were attracted to it and finally switched to firefox. Then the light weight chrome came with Tab tearing, web apps, new tab page with speed dial and many other features, made few users to make chrome as their default browser. Firefox then inherited few of chromes’ features, syncing and expose like tab candy/panaroma effects. We don’t have to switch browsers just for UI features, and if at all we do, it should be seamless.
This article tries to identify best features in each of the browser and the features we expect to be part any modern browser. Here, we try to baseline few ideas, those ideas which takes browser design to the next level.
Browser Main Screen (Mockup)
MOCKUP - Main Screen - Click over image to zoom
Google has launched Secure Google search hosted on SSL lately . This post talks on how to enable this Secure Google search to the browser search bar/search suggestions in Firefox, Chrome and IE browsers.
Updated: Added Screenshots for IE
Go to the Mozilla Addons Page and add Google SSL Search Plugin
Select ‘Start using it right away in the dialog box that displays – Add “Google SSL” to the list of engines available in the search bar?
Right Click on Chrome Omnibar(Address bar) and Select ‘Edit Search Engines’.
In the Edit Search Engines Dialog box add https://www.google.com/search?q=%s in the URL field and click on Make Default Button.
Dont forget to check the Chrome Extensions List for Security Testers, here (Internal Post)
3. Internet Explorer
Click on the Install Button to see the following screen. Check the ‘Make this my default search provider’
Now the Search box in IE will display Google.
via Google Blog and TechDows
This post lists 13 Chrome Extensions to aid security testers during their web application pen testing.
HTML5 is a new and upcoming technology which has enough features to introduce potential security issues if not properly implemented. A new project has been initiated in Google Code to keep developers updated on the security concerns to be kept in mind while developing their apps with HTML5.
Description of Project in Authors Terms,
This project is an attempt to create a well maintained, informative and categorized cheat sheet to highlight HTML5 as well as other client side and related security issues and ways to avoid them. The project is meant to target web developers as well as security researchers and especially browser vendors since many of the problems we found are based on faulty or quirky implementations. Focus is on completeness, comprehensibility and timeliness as well as continuity – benefits many other related cheat sheets don’t exactly provide.
Websecurify is a powerful web application security testing environment designed from the ground up to provide the best combination of automatic and manual vulnerability testing technologies. This tool automatically identifies web application vulnerabilities by using advanced discovery and fuzzing technologies.
WebSecurify is available in major OS platforms – Windows, Mac and Linux. Its even available as a Chrome extension.
Post Updated:
I had mentioned in my previous post about Pendule – WebDeveloper Equivalent In Chrome, but lately the developer of WebDeveloper has released Chrome compatible version of this popular Firefox addon. WebDeveloper is definitely a favorite tool used by application security analysts and now it comes handy when you are testing your target in chrome. I think I’ll have to start a new series like SecFox, for Chrome.
WebDeveloper For Chrome (Click to Zoom)
3d access addons apps appsec automate batch chrome code command concept customize Download files Firefox free google Graphics greasemonkey icon imageEditing linux mail mp3 online organize passwords pics Portable rightclick scan scripts Secfox store sync systools tips updates usb va versions videos webdesign xss youtube
WP Cumulus Flash tag cloud by Roy Tanck and Luke Morton requires Flash Player 9 or better.
