When conducting a penetration test of a web application, it is very helpful to have some additional functionality built into our web browsers. My primary browser I use for conducting assessments is Mozilla’s Firefox.

Firefox Add-ons I Use

1. AdBlock Plus – I disable this AdBlocker while testing as I want to see all the images and ads. But sometimes I use Firefox for browsing other things.
2. Cookies Manager+ – Add/edit/delete cookies
3. Extended Statusbar – Gives you more info about your system and network traffic (target IP address, time for responses, etc.) in a bar.
4. Firebug – All around good tool for examining the underlying HTML/JavaScript/other code on the web page. Similar to the “Developer Tools” option in Chrome and
5. FireGestures – Right click and move the mouse to do things like move back a page, close a tab, etc.
6. FlashFirebug – Allows Firebug to examine flash content
7. FoxyProxy Standard – Quick switching between proxies (Burp, ZAP, remote proxy…)
8. Ghostery – Great replacement for NoScript to block ads/widgets/trackers in pages. Disable it while testing. Enable it after.
9. JSONView – View JSON responses in a pretty format
10. ShowIP – Show the IP of your target in a toolbar
11. User Agent Switcher – Switch user agents to appear like your Firefox is a different browser. Make your own User Agent strings with XSS in them for more fun!
12. Tamper Data – Simple proxy for examining and editing web app traffic.

Your Suggestions

So I tweeted and asked people to submit their favorites. Those are below. There are some really good suggestions that I had forgotten about too. Thanks to Mike Saunders ‏@hardwaterhacker , Andrew Smith ‏@jakx_, and Kevin Sugihara ‏@sugitime.

• Hackbar – A swiss army knife of toolbars for attackers.
• Soa client – Need to talk to a WSDL or via SOAP? Here’s a client.
• httprequester – Addon that makes GET/POST/PUT and other HTTP requests in browser.
• RESTClient – Client for making…wait for it…RESTful requests through your browser.
• HSM – This is a collection of a BUNCH of addons. Kind of a one-stop-shop for appsec addons.