Did you know that you can turn Mozilla FireFox into a useful penetration testing tools with just a few add-ons, in this article we will present you with 10 useful add-ons
FoxyProxy is a Firefox extension which automatically switches an internet connection across one or more proxy servers based on URL patterns. Put simply, FoxyProxy automates the manual process of editing Firefox’s Connection Settings dialog. Proxy server switching occurs based on the loading URL and the switching rules you define.
- Switch proxies with URL pattern matching
- Custom colors make it easy to see which proxy is in use
- Advanced logging shows you which proxies were used and when
- Automatically synchronize all of your proxy settings with your other Firefox instances when you use Firefox Sync. Import/Export settings to files when not using Firefox Sync
Live HTTP Headers
A really useful extension for penetration testing, you can display live headers of each http request and response. You are also able to save header information by clicking on a button
This toolbar will help you in testing sql injections, XSS holes and site security. It is NOT a tool for executing standard exploits and it will NOT teach you how to hack a site. Its main purpose is to help a developer do security audits on his code. If you know what your doing, this toolbar will help you do it faster. If you want to learn to find security holes, you can also use this toolbar, but you will probably also need a book, a lot of Google and a brain 🙂
# The advantages are:
– Even the most complicated urls will be readable
– The focus will stay on the textarea, so after executing the url (Ctrl+Enter) you can just go on typing / testing
– The url in textarea is not affected by redirects.
– I tend to use it as a notepad 🙂
– Useful tools like on the fly uu/url decoding etc.
– All functions work on the currently selected text.
– MD5/SHA1/SHA256 hashing
– MySQL/MS SQL Server/Oracle shortcuts
– XSS useful functions
– And lots more 😉 Go test it!
SQL Inject Me
SQL Inject Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.
The tool works by submitting your HTML forms and substituting the form value with strings that are representative of an SQL Injection attack.
The tool works by sending database escape strings through the form fields. It then looks for database error messages that are output into the rendered HTML of the page.
The tool does not attempting to compromise the security of the given system. It looks for possible entry points for an attack against the system. There is no port scanning, packet sniffing, password hacking or firewall attacks done by the tool.
You can think of the work done by the tool as the same as the QA testers for the site manually entering all of these strings into the form fields.
Access vulnerabilities in an application can allow an attacker to access resources without being authenticated. Access-Me is a Firefox extension used to test for Access vulnerabilities.
The current version of Access-Me is an Exploit-Me tool used to test some access vulnerabilities related to web applications. The tool works by sending several versions of the last page request. A request with the session removed will be sent. A request using the HTTP HEAD verb and a request using a made up SECCOM verb will be sent. A combination of session and HEAD/SECCOM will also be sent.
Packet Storm search plugin
This plugin lets you search on Packet Storm – www.packetstormsecurity.org – database. Packet Storm offers an abundant resource of up-to-date and historical security tools, exploits, and advisories.
OSVDB search plugin
This plugin lets you search on the open source vulnerability database. It searches not only on titles but all text
PassiveRecon provides information security professionals with the ability to perform “packetless” discovery of target resources utilizing publicly available information.
Simply visit the target entity’s website (using Tor), right mouse-click and navigate to the PassiveRecon menu, or use the status bar menu. From there you can open individual public domain websites or click Show All to view all of the sites at once.
Snort IDS Rule Search
Search for Snort IDS Rules. This search add-ons allows you to search for Snort IDS rules on the snort.org website.
CryptoFox is an encryption/decryption tool for Mozilla Firefox, with dictionary attack support for cracking MD5 passwords. The tool supports many encryption algorithms already.