When conducting a penetration test of a web application, it is very helpful to have some additional functionality built into the web browser. The primary browser I use for assessments is Mozilla's Firefox.
Firefox Add-ons I Use
- AdBlock Plus – I disable this ad blocker while testing, since I want to see all the images and ads the application serves. I keep it installed because I sometimes use Firefox for browsing other things.
- Cookies Manager+ – Add/edit/delete cookies
- Extended Statusbar – Shows more information about the current page and network traffic (target IP address, response time, bytes transferred, etc.) in a status bar.
- FireGestures – Right click and move the mouse to do things like move back a page, close a tab, etc.
- FlashFirebug – Allows Firebug to examine Flash content
- FoxyProxy Standard – Quick switching between proxies (Burp, ZAP, remote proxy…)
- Ghostery – Great replacement for NoScript to block ads/widgets/trackers in pages. Disable it while testing. Enable it after.
- JSONView – View JSON responses in a pretty format
- ShowIP – Shows the IP address of the target server in the toolbar
- User Agent Switcher – Switch user agents to appear like your Firefox is a different browser. Make your own User Agent strings with XSS in them for more fun!
- Tamper Data – Simple in-browser proxy for examining and editing web application requests before they are sent.
I also tweeted and asked people to submit their favorites; those are listed below. There are some really good suggestions I had forgotten about. Thanks to Mike Saunders (@hardwaterhacker), Andrew Smith (@jakx_), and Kevin Sugihara (@sugitime).
- Hackbar – A Swiss Army knife of a toolbar for attackers.
- SOA Client – Need to talk to a WSDL or via SOAP? Here's a client.
- HttpRequester – Add-on that makes GET/POST/PUT and other HTTP requests from within the browser.
- RESTClient – Client for making…wait for it…RESTful requests through your browser.
- HSM – A collection of a BUNCH of add-ons. Kind of a one-stop shop for appsec add-ons.