Security Community Blog

Firefox & Web Application Security: Arming Your Browser Part I

Created: 16 Oct 2012 • Updated: 11 Nov 2013
By Vince Kornacki

There are approximately 9,162,009 web application security tools out there, but sometimes all you need is a trusty web browser! Mozilla Firefox add-ons “let you add new features and change the way your browser or application works”, allowing developers to extend browser functionality in ways that are extremely useful to web application security professionals (https://addons.mozilla.org/en-US/about). This blog series will examine 15 of the most useful Firefox add-ons for web application security professionals. This installment will focus on add-ons used to gather information about the target web application. Buckle up!

Wappalyzer
Let’s start with the basics. When you begin a web application security assessment, one of the first tasks is to analyze the operating system and software deployed on the target web application server. The Wappalyzer add-on makes this task a breeze. Just click the Wappalyzer icon to the right of the address bar and the add-on analyzes the deployed operating system and software:

In this case the application is built with Microsoft ASP.NET running on an IIS web server on a Windows operating system. In addition, the application utilizes Webtrends and comScore analytics software and the jQuery JavaScript framework. All of these software components can now be researched for applicable vulnerabilities. The Wappalyzer add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/wappalyzer/

ASP.NET Viewstate Viewer
You know that ASP.NET application that we just Wappalyzed? Odds are that application utilizes the ASP.NET ViewState parameter. As HTTP is a stateless protocol, the ViewState parameter tracks state across application callbacks, storing initial property values and tracking subsequent changes to those values. The ViewState parameter is fundamentally a hash table serialized into a string and then Base64 encoded. IIS can be configured to secure ViewState parameters, but developers sometimes neglect this important defense mechanism. And developers sometimes include sensitive information within unencrypted ViewState parameters. Do you smell what the Rock is cooking? The ASP.NET Viewstate Viewer add-on can be used to decode unencrypted ViewState parameters. Just right click on a page that utilizes a ViewState parameter and select “Show ViewState” from the context menu:

Both the decoded and original ViewState parameter values are displayed. Note that encrypted ViewState parameters will look like gibberish when decoded. The ASP.NET Viewstate Viewer add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/aspnet-viewstate-viewer/
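To make the "hash table serialized into a string and then Base64 encoded" description concrete, here is an added decoder (not code from the post or from the Viewstate Viewer add-on) for the subset of ObjectStateFormatter tokens seen in typical ViewState: strings, 7-bit-encoded integers, pairs, triplets, array lists and the null/true/false constants. It also reports how many bytes follow the object tree, which is the quick way to check whether your own application has ViewState MAC enabled. The sample value is constructed, not captured from a real site.

```python
import base64

# Token tags from ASP.NET's ObjectStateFormatter (the subset handled here; others raise)
T_INT32, T_STRING, T_PAIR, T_TRIPLET, T_ARRAYLIST = 0x02, 0x05, 0x0F, 0x10, 0x16
SIMPLE = {0x64: None, 0x65: "", 0x66: 0, 0x67: True, 0x68: False}  # null, "", 0, true, false
def _read_7bit(buf, pos):
    """Read a 7-bit-encoded integer (the scheme .NET's BinaryReader uses for lengths)."""
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7
def _read_value(buf, pos):
    """Decode one token at buf[pos]; return (python value, position after it)."""
    tag, pos = buf[pos], pos + 1
    if tag == T_INT32:
        return _read_7bit(buf, pos)
    if tag == T_STRING:
        n, pos = _read_7bit(buf, pos)
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if tag in (T_PAIR, T_TRIPLET, T_ARRAYLIST):
        if tag == T_ARRAYLIST:
            count, pos = _read_7bit(buf, pos)
        else:
            count = 2 if tag == T_PAIR else 3
        items = []
        for _ in range(count):
            item, pos = _read_value(buf, pos)
            items.append(item)
        return (items if tag == T_ARRAYLIST else tuple(items)), pos
    if tag in SIMPLE:
        return SIMPLE[tag], pos
    raise ValueError(f"unsupported token 0x{tag:02x} at offset {pos - 1}")

def decode_viewstate(b64):
    """Unencrypted ViewState starts 0xFF 0x01; bytes left after the object tree
    (20 for HMAC-SHA1, 32 for HMAC-SHA256) indicate an appended MAC."""
    raw = base64.b64decode(b64)
    if raw[:2] != b"\xff\x01":  # encrypted, or not ViewState: decodes to gibberish
        return {"plaintext": False, "value": None, "trailing": len(raw)}
    value, pos = _read_value(raw, 2)
    return {"plaintext": True, "value": value, "trailing": len(raw) - pos}

# Constructed sample (not from a real app): Pair(Pair(str, ArrayList[str, 300]), False),
# followed by 20 placeholder bytes standing in for an appended HMAC-SHA1 MAC.
RAW = (b"\xff\x01\x0f\x0f\x05\x0a-123456789\x16\x02\x05\x06secret\x02\xac\x02\x68"
       + b"\x00" * 20)
SAMPLE_B64 = base64.b64encode(RAW).decode()
```

A real ViewState that is MAC-protected but not encrypted still decodes to readable values here; only a `plaintext` result of `False` means the content is actually hidden from whoever holds the page.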

Calomel SSL Validation
When the average John Q. Surfer thinks of web security, three letters automatically pop into his head: S-S-L! However, poorly configured SSL connections are actually worse than cleartext HTTP connections as John Q. Surfer is lulled into a false sense of security. The Calomel SSL Validation add-on inserts a color coded toolbar button to the left of the address bar. The toolbar color reflects the security of the SSL connection, from weakest to strongest: red, orange, yellow, blue, or green. Clicking on the Calomel SSL Validation toolbar displays detailed information about the SSL connection:

Several useful pieces of information can be gleaned from this display:

  • Whether the certificate’s common name (CN) matches the actual server name
  • The key length of the negotiated symmetric cipher
  • The key length of the RSA modulus
  • The issuer of the SSL certificate
  • The expiration date of the SSL certificate

Although the entire supported SSL cipher suite cannot be enumerated, Calomel SSL Validation can be configured to negotiate either strong or weak ciphers, so the relative security of the supported cipher suite can be determined. The Calomel SSL Validation add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/calomel-ssl-validation/

View Cookies
No, unfortunately we aren’t talking about Oreos. As HTTP is a stateless protocol, cookies are integral to web application authentication and authorization. The View Cookies add-on allows you to view all cookies set for the current page. Just right click on the page and select “View Page Info”. The View Cookies add-on inserts a convenient “Cookies” tab within the “Page Info” window that displays the names and values of all cookies set for the current page:

However, note that cookie values cannot be modified with View Cookies. But don’t fret; we’ll cover another add-on that can be used to modify cookie values in the next installment of this blog series. The View Cookies add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/view-cookies/

Live HTTP Headers
HTTP request and response headers often contain extremely useful information. The Live HTTP Headers add-on allows you to view all request and response headers transmitted for the current page. Just right click on the page and select “View Page Info”. The Live HTTP Headers add-on inserts a convenient “Headers” tab within the “Page Info” window that displays all request and response headers for the current page:

The request headers cannot be modified, but don’t go postal; we’ll cover another add-on that can be used to modify request header values in an upcoming installment of this blog series. The Live HTTP Headers add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/live-http-headers/

HttpFox
The Live HTTP Headers add-on is pretty darn cool, but what if you want to view more than just the request and response headers? Like Live HTTP Headers, the HttpFox add-on also allows you to view the request and response headers. However, HttpFox also allows you to view cookies, the query string, and POST parameters. Just select “Tools”, “Web Developer”, “HttpFox”, and “Toggle HttpFox” in order to display the HttpFox panel:

HttpFox operation can be toggled with the “Start” and “Stop” buttons. The HttpFox add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/httpfox/
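The headers and cookies that Live HTTP Headers, HttpFox and View Cookies display are also what your own server hands to every visitor. As an added example (not code from the post or from any of these add-ons), the script below parses a constructed raw response head and reports the platform fingerprint of the kind the Wappalyzer section identified (IIS, ASP.NET), hardening headers that are absent, and cookies set without the Secure and HttpOnly flags. All sample values are constructed.

```python
# Constructed sample response head (not captured from any real site); the headers mirror
# the IIS / ASP.NET stack that Wappalyzer identified above.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/7.5\r\n"
    "X-Powered-By: ASP.NET\r\n"
    "X-AspNet-Version: 4.0.30319\r\n"
    "Set-Cookie: ASP.NET_SessionId=0123456789abcdef; path=/\r\n"
    "Set-Cookie: lang=en; path=/; Secure; HttpOnly\r\n"
    "Content-Type: text/html; charset=utf-8\r\n"
    "\r\n<html>...</html>"
)

# Headers whose values reveal the platform (part of what Wappalyzer keys on)
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version", "x-aspnetmvc-version")
# Hardening headers a reviewer expects on an HTTPS application
EXPECTED_HEADERS = ("strict-transport-security", "x-content-type-options", "x-frame-options")

def parse_response_head(raw):
    """Split a raw HTTP response into (status line, {lowercased name: [values...]})."""
    head = raw.split("\r\n\r\n", 1)[0]
    status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        name, sep, value = line.partition(":")
        if sep:  # ignore malformed lines rather than crash on them
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers

def audit_headers(raw):
    """Report platform disclosure, missing hardening headers and cookies lacking flags."""
    status, headers = parse_response_head(raw)
    report = {"status": status, "disclosed": {}, "missing": [], "weak_cookies": []}
    for name in DISCLOSURE_HEADERS:
        if name in headers:
            report["disclosed"][name] = headers[name][0]
    report["missing"] = [h for h in EXPECTED_HEADERS if h not in headers]
    for cookie in headers.get("set-cookie", []):
        name = cookie.split("=", 1)[0].strip()
        attrs = {a.strip().lower() for a in cookie.split(";")[1:]}
        if not {"secure", "httponly"} <= attrs:
            report["weak_cookies"].append(name)
    return report
```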

Conclusion
Well that wraps up this installment of the “Firefox & Web Security: Arming Your Browser” series. This installment covered add-ons that can be used to gather information about the target web application. Next time we’ll focus on add-ons that can be used to begin probing the target web application for vulnerabilities. Same Bat Time. Same Bat Channel.
