
Firefox & Web Application Security: Arming Your Browser Part II

Created: 22 Oct 2012 • Updated: 11 Nov 2013
Vince Kornacki

Welcome back! This installment of the “Firefox & Web Security: Arming Your Browser” series will focus on add-ons that can be used to begin probing the target web application for vulnerabilities. Let’s jump right in!

User Agent Switcher
When browsers request a page they automatically include the “User-Agent” header in order to inform the web server of the browser software and operating system. For example, consider the following “User-Agent” header:

User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1

This header informs the web server that the browser is Firefox 15.0.1 running on a 64-bit Linux operating system. Web servers frequently use this information to customize content for specific browsers (e.g., Mozilla Firefox versus Microsoft Internet Explorer) and/or devices (e.g., desktop computer versus mobile device), so the pages your usual browser receives are not necessarily all the pages the application can serve. Because the header is entirely client-controlled, any server-side logic keyed on it (a trimmed-down mobile login page, a legacy path kept alive for old browsers) is fair game for the tester. The User Agent Switcher add-on allows you to change the “User-Agent” header that Firefox automatically includes, allowing you to inspect the alternative content returned by the web application. Just select “Tools”, “Default User Agent”, “User Agent Switcher”, and “Options”. The available “User-Agent” headers are conveniently sorted by device and operating system:

By default only a few “User-Agent” headers are included. However, a comprehensive list of “User-Agent” headers can be downloaded from the following location:

http://techpatterns.com/downloads/firefox/useragentswitcher.xml

Alternative content returned by the target web application can now be probed for vulnerabilities. The User Agent Switcher add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/

Cookies Manager+
In the last installment of this blog series we looked at the View Cookies add-on. While View Cookies is extremely convenient for viewing cookies, it doesn’t allow you to modify cookie values. The Cookies Manager+ add-on is slightly more complicated, but it does allow you to modify cookie values. Just select “Cookies Manager+” from the “Tools” menu in order to display the Cookies Manager+ window:

From this interface you can add, edit, or delete arbitrary cookies, allowing you to probe the target web application for authentication and authorization vulnerabilities. Two quick checks worth running on every application: delete the session cookie and see whether a protected page still loads, and change any cookie that looks like it encodes a role or user identifier to see whether the server trusts the client-supplied value. The Cookies Manager+ add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
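
The two probes described above (alternative content per User-Agent, and cookie tampering against an authorization check) sent from a script rather than by hand, as an added example that is not part of the original post and not code from either add-on. It starts a small constructed target application that deliberately serves a different page per User-Agent and authorizes /admin purely on a client-supplied “role” cookie, so there is something to find; it then fetches the front page with several User-Agent strings and groups the agents by response digest, and finally requests /admin with no cookie, an ordinary role and a tampered role. The target, its paths, the cookie name and the User-Agent strings are all assumptions made for the demonstration.

```python
import hashlib
import http.server
import threading
import urllib.error
import urllib.request
from http.cookies import SimpleCookie

# Constructed target (an assumption for the demo, not a real site): it serves a
# different page depending on the User-Agent header, and it authorizes /admin
# purely on a client-supplied "role" cookie. Both behaviours are deliberate so
# that the probes below have something to find.
class TargetHandler(http.server.BaseHTTPRequestHandler):
    def do_GET(self):
        ua = self.headers.get("User-Agent", "")
        cookies = SimpleCookie(self.headers.get("Cookie", ""))
        role = cookies["role"].value if "role" in cookies else "anonymous"
        if self.path == "/admin":
            if role == "admin":
                status, body = 200, b"<h1>Admin console</h1><a href='/export'>Export users</a>"
            else:
                status, body = 403, b"<h1>Forbidden</h1>"
        elif "Mobile" in ua or "Android" in ua:
            status, body = 200, b"<h1>Mobile site</h1><!-- legacy /m/debug page still live -->"
        else:
            status, body = 200, b"<h1>Desktop site</h1>"
        self.send_response(status)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass  # keep the demo quiet


def start_target():
    """Start the constructed target on an ephemeral port and return its base URL."""
    server = http.server.HTTPServer(("127.0.0.1", 0), TargetHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return "http://127.0.0.1:%d" % server.server_address[1]


def fetch(url, user_agent, cookie=None):
    """GET url with the given User-Agent (and optional Cookie header); return (status, body)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    if cookie:
        req.add_header("Cookie", cookie)
    try:
        with urllib.request.urlopen(req) as resp:
            return resp.status, resp.read()
    except urllib.error.HTTPError as err:
        return err.code, err.read()


# A few User-Agent strings of the kind the add-on lets you pick (illustrative;
# the add-on's downloadable list is far longer).
USER_AGENTS = {
    "firefox-linux": "Mozilla/5.0 (X11; Linux x86_64; rv:15.0) Gecko/20100101 Firefox/15.0.1",
    "msie8-windows": "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Trident/4.0)",
    "android-mobile": "Mozilla/5.0 (Linux; U; Android 4.0.4; en-us; Galaxy Nexus Build/IMM76B) "
                      "AppleWebKit/534.30 (KHTML, like Gecko) Version/4.0 Mobile Safari/534.30",
}


def probe_user_agents(base_url):
    """Fetch the front page once per User-Agent and group the agents by response
    (status, content digest), so differing content stands out immediately."""
    variants = {}
    for name, ua in USER_AGENTS.items():
        status, body = fetch(base_url + "/", ua)
        digest = hashlib.sha256(body).hexdigest()[:12]
        variants.setdefault((status, digest), []).append(name)
    return variants


def probe_role_cookie(base_url):
    """Request /admin with no cookie, an ordinary role and a tampered role;
    return the HTTP status for each case. A 200 on the tampered value means
    the server trusts whatever the client puts in the cookie."""
    ua = USER_AGENTS["firefox-linux"]
    return {
        "no-cookie": fetch(base_url + "/admin", ua)[0],
        "role=user": fetch(base_url + "/admin", ua, "role=user")[0],
        "role=admin": fetch(base_url + "/admin", ua, "role=admin")[0],
    }


if __name__ == "__main__":
    base = start_target()
    for (status, digest), names in probe_user_agents(base).items():
        print(status, digest, ", ".join(names))
    print(probe_role_cookie(base))
```

Against the constructed target the two desktop agents land in one group and the Android agent in another (the tester then diffs the two bodies), and the cookie probe returns 403, 403, 200: exactly the pattern Cookies Manager+ lets you produce by hand, one cookie edit at a time.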

Firebug
The Firebug add-on is a Swiss Army knife for web application security professionals. Firebug adds an icon to the right of the home button. Just click the icon in order to display the Firebug panel, which is divided into several tabs:

Firebug allows you to perform several useful functions:

  • Inspect HTML and CSS
  • Debug JavaScript
  • Explore the DOM
  • Analyze network connections
  • Manage cookies

However, the crown jewel of Firebug is the JavaScript debugger, which is generally regarded as the best-of-breed JavaScript debugger. The Firebug JavaScript debugger is invaluable when analyzing complex JavaScript for vulnerabilities. Just like a traditional debugger, Firebug supports setting breakpoints, watching variables, and inspecting the stack. The Firebug add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/firebug/

FlashFirebug
Unfortunately the Firebug add-on does not include a Flash Player debugger. Bummer. Fortunately Firebug has a cousin, and he is much cooler than that annoying cousin Oliver twerp from The Brady Bunch. The FlashFirebug add-on allows you to debug Flash content within the target web application. FlashFirebug requires the Flash Player Plugin Content Debugger, which can be downloaded from the following location:

http://www.adobe.com/support/flashplayer/downloads.html

Note that under Windows operating systems there are separate versions of the Flash Player Plugin Content Debugger for the Mozilla Firefox and Microsoft Internet Explorer browsers. The FlashFirebug add-on adds a “Flash” tab to the Firebug panel:

Flash Player content can now be debugged and analyzed for vulnerabilities. Note that the FlashFirebug Pro version includes advanced features for $9.99 per year. The FlashFirebug add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/flashfirebug/

Web Developer
The Web Developer add-on is obviously designed for web developers, but includes several features useful to web application security professionals. Web Developer adds a toolbar below the main Firefox toolbar:

Web Developer offers several useful features:
  • Disable JavaScript
  • Convert form methods (converting POST to GET is extremely useful)
  • Display form details (pictured above)
  • Display hidden elements
  • Outline non-secure elements
  • View generated source (including external JavaScript and CSS files)
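
What “Display form details”, “Display hidden elements” and “Convert form methods” give you, reproduced in a script as an added example that is not part of the original post and not the add-on’s code. The parser below pulls every form out of a page with its method, action and fields, lists the hidden fields, and rewrites a POST form as the equivalent GET URL so the submission (hidden values included, optionally tampered) can be replayed straight from the address bar. The HTML fragment is constructed for the example; the account-transfer form and its field names are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlencode, urljoin

# Constructed page fragment standing in for the target application's HTML
# (an assumption for the demo; the forms and field names are made up).
SAMPLE_HTML = """
<html><body>
<form id="transfer" action="/account/transfer" method="POST">
  <input type="hidden" name="account_id" value="1001">
  <input type="hidden" name="is_admin" value="0">
  <input type="text" name="amount" value="">
  <input type="submit" value="Send">
</form>
<form action="/search" method="get">
  <input type="text" name="q">
</form>
<form action="/comment">
  <textarea name="body"></textarea>
</form>
</body></html>
"""


class FormCollector(HTMLParser):
    """Collect every <form> on the page with its method, action and fields."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            # A form with no method attribute submits with GET.
            self._current = {
                "action": a.get("action") or "",
                "method": (a.get("method") or "GET").upper(),
                "inputs": [],
            }
            self.forms.append(self._current)
        elif tag in ("input", "textarea", "select") and self._current is not None:
            self._current["inputs"].append({
                "name": a.get("name"),
                "type": (a.get("type") or ("text" if tag == "input" else tag)).lower(),
                "value": a.get("value") or "",
            })

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def extract_forms(html):
    """Return the list of forms found in html, in document order."""
    parser = FormCollector()
    parser.feed(html)
    parser.close()
    return parser.forms


def hidden_fields(form):
    """The hidden inputs of a form as {name: value}: values the user never sees
    but the server may still trust."""
    return {f["name"]: f["value"] for f in form["inputs"]
            if f["type"] == "hidden" and f["name"]}


def as_get_url(form, base_url, overrides=None):
    """Rewrite a form submission as a GET URL. Every named field (hidden ones
    included) becomes a query parameter; overrides lets you tamper with values,
    which is what makes the POST-to-GET conversion useful when testing."""
    params = {f["name"]: f["value"] for f in form["inputs"]
              if f["name"] and f["type"] != "submit"}
    params.update(overrides or {})
    return urljoin(base_url, form["action"]) + "?" + urlencode(params)


if __name__ == "__main__":
    for form in extract_forms(SAMPLE_HTML):
        print(form["method"], form["action"], "hidden:", hidden_fields(form))
    transfer = extract_forms(SAMPLE_HTML)[0]
    print(as_get_url(transfer, "https://example.com/", {"is_admin": "1"}))
```

Two things to look for in the output: hidden fields that carry authorization state (here `is_admin`), and whether the server honours the GET version of a POST form at all. If it does, the transaction can be triggered by a plain link, and the parameters end up in web server and proxy logs.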

The Web Developer add-on is available from the following location:

https://addons.mozilla.org/en-US/firefox/addon/web-developer/

Conclusion
As Freddie Mercury once crooned, “Another one bites the dust!” This installment of the “Firefox & Web Application Security: Arming Your Browser” series covered add-ons that can be used to begin probing the target web application for vulnerabilities. Next time we’ll focus on add-ons that can be used to launch hardcore attacks against the target web application. Same Bat Time. Same Bat Channel.
