0P3N Blog
By: MaskedFrog
July 11, 2016

Browser Plug-Ins and Extensions for Pentesters/Security Analysts

Sometimes, it's necessary to probe a server or network without the resources at hand to load bloated proxies or web testing frameworks. Here's where browser plug-ins and extensions shine.

This short list of plug-ins/extensions is not exhaustive. There are hundreds, if not thousands, of plug-ins and extensions available, with dozens and dozens of them intended for pentesting purposes. They can also readily be repurposed by pentesters.

For a variety of reasons, it's often necessary for the pentester to view and sometimes change the data that's exchanged as browsers request resources from web servers and those servers return the resources. These tools make it possible to see and change cookies, view hidden form fields and even change POST data, making SQL injection possible directly from a browser. It's not command line simple - but pretty close.

You may have already taken a look at site://robots.txt and noted some interesting directories. We'll set that aside for the time being. What other core web site attributes might we be interested in?

How about cookies? Most, if not all, Content Managers make use of cookies to keep track of the state or value of some variables and other attributes of our unique visit. Using a Cookie Manager will make them more accessible to us as site visitors.
Our first browser addition will be a cookie manager plug-in/add-on.

```
Cookie Manager+
v.1.11.1
Last Update: 6Jun2016
View, edit, create new cookies
Get it here: Cookie Manager+
Do an Add-On search from a Mozilla-based browser and find other cookie managers
```

Now that we can see our cookies, and even change them, keep an eye out for interesting values, including:

```
user=
password=
uid=
isloggedin=
```

Stuff like that is all too often the site simply maintaining critical objects like usernames, passwords and log-on status on your device - making it oh so easy to present spoofed access tokens that should be authenticated, but just aren't, because it's easier for the site developer to just store them in a cookie and be done with it. After all, cookies are site specific. Right?

Ever wonder why a site looks so different on your Smart Phone or Tablet than it does on your Desktop PC? The site is probably using the User-Agent: string associated with your browser. The next addition to our browser will allow us to change that string and make our browser look like a Smartphone (either an Android, iPhone, even a Blackberry). Or, perhaps we have a Linux desktop but would like to see how a site presents itself to a Windoze box.

```
Quickly and easily switch between popular user-agent strings.
Get it here: User-Agent Switcher
```

We've only just begun when it comes to manipulating the data our browser sends a web site. With our next tool, we'll be able to see and edit GET or POST requests before they leave our browser and get processed by the server we're investigating.

```
TamperData
----------
Use tamperdata to view and modify HTTP/HTTPS headers and post parameters.
Trace and time HTTP response/requests.
Security test web applications by modifying POST parameters.
FYI: The current version of Google Web Accelerator is incompatible with the tampering function of TamperData. Your browser will crash.
Get it here: TamperData Plug-in for Firefox
```

Our next fun tool is useful for changing the attributes of an already rendered page. Maybe there are hidden fields in a form and we'd much rather see them on the page itself and not have to hunt them down in View Source. So, let's grab Firebug and use it to inspect any and all of the elements of rendered pages. There's no more forgetting what you entered in that greyed out Password box - just change the attribute for that entry box from "password" to "text" and you'll no longer be dependent on the page author providing a tick box to "show password." You can see for yourself that you didn't make any typos while entering the password.

```
Firebug
-------
Firebug integrates with Firefox to put a wealth of development tools at your fingertips while you browse. You can edit, debug, and monitor CSS, HTML, and JavaScript live in any web page...
Get it here: Firebug
```

Of course, I saved the best for last. This next tool is actually a toolbar that can be added to Firefox the same way your bookmarks can be displayed as a toolbar. Why is this toolbar so handy? With the exception of viewing or changing the User-Agent, this Developer's tool can do just about everything else we've covered above. Like Firebug, it can isolate and view every element of a rendered page. However, it doesn't have the facility to edit or change any page element the way Firebug can. It does have a menu entry to make all those obfuscated Password boxes visible. Enough preamble:

```
Web-Developer & Toolbar
-----------------------
This is a huge Toolkit of tools for viewing, sometimes manipulating, the data rendered.
Get it here: Web Developer Toolbar
```

and a button to hide/reveal the toolbar:

```
Get Toolbar button: Web Developer Toolbar Button
```

Thanks and I hope this is useful to you.
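The cookie passage above, seen from the server side, as an added example that is not from the original post: the audit function flags the cookie names the article lists plus missing HttpOnly/Secure flags, and the HMAC check shows how a server rejects a value that was edited in a cookie manager. `SERVER_KEY`, the function names and the sample headers are assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets
from http.cookies import SimpleCookie

SERVER_KEY = secrets.token_bytes(32)  # assumption: secret held only by the server
RISKY_NAMES = {"user", "password", "uid", "isloggedin"}  # names listed in the article


def audit_set_cookie(headers):
    """Flag Set-Cookie values that keep auth state client-side or lack flags."""
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)
        for name, morsel in jar.items():
            if name.lower() in RISKY_NAMES:
                findings.append((name, "auth state in client-editable cookie"))
            for flag, label in (("httponly", "HttpOnly"), ("secure", "Secure")):
                if not morsel[flag]:
                    findings.append((name, f"missing {label}"))
    return findings


def _mac(value):
    return hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).hexdigest()


def sign(value):
    """Append an HMAC so the server can detect edits made in the browser."""
    return f"{value}.{_mac(value)}"


def verify(cookie):
    """Return the original value, or None if the cookie was altered or unsigned."""
    value, _, mac = cookie.rpartition(".")
    ok = hmac.compare_digest(mac.encode(), _mac(value).encode())
    return value if ok else None


if __name__ == "__main__":
    # Constructed sample headers, not captured from any real site.
    sample = ["isloggedin=1; Path=/", "sid=3f9a1c; Path=/; HttpOnly; Secure"]
    for finding in audit_set_cookie(sample):
        print(finding)
    token = sign("uid=1001")
    print(verify(token))                          # signed value accepted
    print(verify(token.replace("1001", "1", 1)))  # edited value rejected
```

An integrity check like this only detects tampering; it does not by itself handle expiry or replay of a previously issued value.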
