In this blog post I will introduce you to a few Firefox Add-Ons which are useful when assessing the security of web applications. There are many, many more Add-ons that people swear by but these ones help me out a lot.
To test a web application you are going to need a web browser to do so. That browser will need to be passed through a local proxy such as OWASP’s Zap or PortSwigger’s Burp Suite Pro if you are on someone’s payroll. I suggest that you pick Firefox for this purpose and that you use a completely separate web browser for keeping up-to-date with Twitter, idling in slack channels etc.
*STOP* In addition to the main point of this post let me park up in this lay by and drop an anecdote on you.
Many moons ago (~2006 I think) I was helping a newbie start their career. I told them to use one web browser for testing and another for their browsing. They didn’t listen to that advice. So when they uploaded their test data for archive it included their proxy logs. As I QAed their report I opened up the proxy logs to check some details and spotted that it included a whole raft of personal browsing and therefore their password which they reused on everything at the time.
I didn’t overly abuse that privileged information before the point was made that you need to keep things separate. Shout out to newbie who still newbs, though they never write or visit anymore. I still love you. Not least because every newbie since has had this anecdote told to them and it has rounded out the point nicely.
Anecdote dropped. Lets discuss the four Add-Ons that help me out loads.
Multi Account Containers
This is amazing. You can setup containers which are completely separate instances of Firefox. This means you can setup one tab to login as an admin level user and another tab to operate as a standard user:
These containers are marked by the colour you have assigned them and display the name on the far right:
This is a game changer honestly. I feel like the way I worked before was in a cave with no light. Now I can line up access control checks with improved ease and more efficiently test complicated logic. Absolutely brilliant.
A shout out to Chris who showed this one to me.
Web Developer Toolbar
Cookie Quick Manager
URL – https://addons.mozilla.org/en-US/firefox/addon/cookie-quick-manager/
Technically you can manipulate cookies using Web Developer toolbar. I just find the interface with this Add-On much easier to use for this one:
When you just want to clear a cookie, or maybe try swapping a value with another user this is quick and simple.
User-Agent Switcher and Manager
URL – https://addons.mozilla.org/en-GB/firefox/addon/user-agent-string-switcher/
Sometimes an application responds differently to different User-Agent strings. You can use a Burp match and replace rule or you can use this add-on which has the benefit of a massive list of built in User-Agent strings.
You can also add a little bit to you User-Agent to differentiate your users like this:
By applying the setting to the container you can mark up which level of user made the request. Now that I do this I have found it absolutely invaluable in sorting out what I was doing.
When you view the requests in your local proxy you will instantly know which user level was making that particular request. This is vital particularly where apps issues lots of teeny tiny annoying requests per minute. When it is otherwise easy to lose which browser container was saying what.
I hope that has helped you. If you have any other Add-ons you think are vital please sling me a comment or a Tweet. I’d like to look into more.