Firefox Plug-ins a Security Engineer Needs to Know

June 26, 2015 by Steve Lynch

Plug-ins are programs that run within software and extend its features. For example, a browser could be used simply for browsing, but by adding plug-ins we can change the whole browsing experience. As we all know, Firefox is a browser that supports various plug-ins. Plug-ins support features such as animations, videos, scripts, etc. that browsers do not support by default. Mozilla's Firefox is a user-friendly browser with about 35% user rate. Since the Internet today is not only a valuable source of information but also a tool for various cyber attacks and thefts, it is important to understand how plug-ins interact with our browsers so that we can secure our systems properly. We use plug-ins for various purposes, such as ensuring safe browsing, grabbing information, entertainment, etc. Let's discuss some add-ons that help to carry out an attack or to get intel on a targeted website.

The following are useful add-ons that help in carrying out penetration testing and gathering information:

  • FoxyProxy Standard: It's an advanced proxy management plug-in that improves the proxy capabilities of the browser. This add-on analyses URL patterns and switches the internet connection across different proxy servers. It shows an animated icon as an indicator that a proxy is in use. The FoxyProxy window is shown below:

Figure 1 : Foxyproxy Window

This add-on has a logging history tab that can help us find the servers used. In addition, we can set when the plug-in is to be used according to the nature of the URL. These features make it more efficient than other proxy-changing plug-ins.

  • Firebug: Firebug is a web development tool integrated into the browser. With this add-on, we can edit HTML, CSS, or JavaScript in any live webpage and directly view the changes made. This helps us to identify vulnerabilities in the webpage and in web applications, and opens up a window to carry out a penetration attack, or it could be used to collect data from the user end. It helps us to inspect HTML elements inside a page. The CSS tab tells you everything about the styles in a page. We can make changes to the code and view the changes immediately on the page. In addition, code can be copied from the page for further development. It also has scales and margins to align images and text according to our need. If a page is taking a long time to load, we can view the network activity with Firebug and identify the reason for the slow loading. Firebug has a powerful JavaScript debugger which helps to measure the performance of the script and find errors in it. The Document Object Model is related to functions and objects in the code. The DOM tab in the panel helps to identify these tags in the code, which can then be easily edited. It has an auto-complete feature that makes editing much simpler. Firebug helps us to view and manage cookies in the browser. We can set or deny cookies for specific websites. The list of accepted cookies can be viewed, and we can sort them according to their values. The Firebug panel is shown below:

Figure 2 : Firebug Panel

  • Live HTTP Headers: This is a very helpful penetration testing tool. It displays the live headers of each HTTP request and response. It has a save option which helps us to save the required fields. HTTP header information can be used for troubleshooting, analyzing, and tuning a website. It contains data about character set, language, caching, authorization, etc. Normally this data is not visible while browsing. With the help of this add-on, we can easily get this information. We could consider this a basic sniffer application. While testing a web-based application, we can view the exact exchange of HTTP headers using this add-on. We can easily identify what is happening and stop the packet capture to analyze what has happened. This add-on helps to replay packets to check what type of inputs an application can accept. If we need to change any values in the header or URL, all we have to do is highlight the packet, edit, and replay it. This is a Mozilla-based add-on and will work on both Windows and Linux based systems. To view header information of a page, right click and go to "View Page Info." Now a window will pop up with several tabs in it. Click on the Header tab to view the information on the current page. We can use the replay option from the Add-on tab in the options menu or by pressing "Ctrl+Shift+A". The image given below is the header information obtained with the add-on on Google mail:

Figure 3 : Header information on www.gmail.com
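
As an added example (not part of the original article or of Live HTTP Headers), the code below takes a response header block of the kind the add-on displays and reports cookies set without Secure, HttpOnly or SameSite, plus a missing Strict-Transport-Security header. The captured response and its cookie names are constructed sample data.

```python
# Constructed sample of a captured response header block.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Cache-Control: no-store
Set-Cookie: sessionid=constructed-value-1; Path=/; HttpOnly
Set-Cookie: prefs=lang-en; Path=/; Secure; HttpOnly; SameSite=Lax
"""


def parse_headers(raw):
    """Return (status_line, [(name, value), ...]) keeping duplicate headers."""
    lines = raw.strip().splitlines()
    headers = []
    for line in lines[1:]:
        if not line.strip():
            break  # blank line ends the header block
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers


def audit(raw):
    """List findings a reviewer would raise from the response headers alone."""
    _, headers = parse_headers(raw)
    findings = []
    if "strict-transport-security" not in {n for n, _ in headers}:
        findings.append("no Strict-Transport-Security header")
    for name, value in headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        attrs = {p.split("=", 1)[0].lower() for p in parts[1:]}
        for flag in ("secure", "httponly", "samesite"):
            if flag not in attrs:
                findings.append(f"cookie {cookie_name}: missing {flag}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_RESPONSE):
        print(finding)
```

A cookie without the Secure attribute is also sent over plain HTTP, where anyone on the same network can read it.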

  • Hackbar: This add-on is a simple penetration-testing tool. Hackbar appears like an extension of the address bar in Firefox, which provides long injection URLs during penetration testing. It also has the capability to perform encryption, encoding, POST data manipulation, etc. It helps in testing SQL injections, XSS holes, and website security. The tabs on the Hackbar provide common functions for working with different types of data, like hash algorithms, encoding and decoding in Base64, etc.
  • Firesheep: Firesheep allows you to attack HTTP sessions of users on the same network, like the ones in cafés, airports, hotels, etc. This add-on captures and shows all the accounts as a list. When logging in to a website, the initial step is to submit the username and password for authentication. This request is answered with a cookie, which is later used for all requests to that particular website. Websites usually protect the initial login phase and leave the rest unprotected. In an open network, these cookies are easily available and could help in launching an attack. When a user visits an insecure website, the session is captured and shown in the Firesheep list. If you double click on any item, you are logged in as them.
  • Tamper Data: This add-on is mainly used to view and edit HTTP requests. As soon as we press enter, the add-on starts recording all the requests made to reach and display the website. The Tamper Data window has many columns, which provide us with various information like time, duration, size, method, URL, flags, etc. We can select each request from the window to view further details called "tamper details."

    We can also copy the data in the window to an external file for future reference. The Tamper Data main window is shown below:

Figure 4: Tamper Data main window

In the window, there is a "Start Tamper" button. After we click on it, for every request made from the browser we are given a notification with three options: Tamper, Submit and Abort request. If we press the Submit button, the request is placed as it is. Abort request cancels the request, and the Tamper button lets us edit the request to be made. After clicking the Tamper button, a window opens up with various fields to modify the request, as shown below:

Figure 5 : Request edit window

The top left corner of the window shows the URL to which the request is being made. The left hand side of the window has the request header fields, where we can edit the parameters before placing the request. The right hand side contains the POST data of the request. We can see the POST values that have been sent through the request. By right clicking on the right side, we can add our own values to it. HTTP GET parameters can't be modified with this add-on.
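
Because header and POST values can be edited like this before they leave the browser, the server has to treat them as untrusted. The added example below (not from the original article; the field names and the key are hypothetical) shows one server-side defence: the server attaches an HMAC over the hidden fields when it renders the form and rejects any POST in which those fields no longer match.

```python
import hashlib
import hmac

# Assumption: a server-side secret; in practice it is loaded from configuration.
SERVER_KEY = b"constructed-demo-key"
PROTECTED_FIELDS = ("item_id", "price")  # hypothetical hidden form fields


def _canonical(fields):
    """Serialise the protected fields in a fixed order, length-prefixed."""
    out = []
    for name in PROTECTED_FIELDS:
        value = fields.get(name, "")
        out.append(f"{name}={len(value)}:{value}")
    return "&".join(out).encode()


def issue_form(fields):
    """Return the fields the server embeds in the page, plus a MAC over them."""
    form = dict(fields)
    form["mac"] = hmac.new(SERVER_KEY, _canonical(fields), hashlib.sha256).hexdigest()
    return form


def verify_post(post):
    """Accept the POST only if the protected fields are unchanged."""
    expected = hmac.new(SERVER_KEY, _canonical(post), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, post.get("mac", ""))


def demo():
    form = issue_form({"item_id": "1042", "price": "49.99"})
    untouched = verify_post(form)
    edited = dict(form, price="0.01")  # value changed in a request editor
    stripped = {k: v for k, v in form.items() if k != "mac"}
    return untouched, verify_post(edited), verify_post(stripped)


if __name__ == "__main__":
    print(demo())
```

The MAC detects edited fields but not the replay of an older, valid form; binding it to the session and an expiry time is left out here.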

  • Foxtor: This is a simple and effective add-on which helps us to browse the internet anonymously.

    The add-on uses various proxies to access the internet, making it difficult to track us to a fixed location. Usually when we use the internet we leave behind a trail that could be used to track our activities. Foxtor prevents such trails and uses an encrypted Tor network for its users. It gives more privacy than some normal proxy servers. The add-on shows a masked or unmasked status, indicating whether you are visible or not. You can manually mask and unmask the browsing by clicking the icon in the browser. Foxtor also has privacy preferences that automatically configure the settings. The two main elements of Foxtor are Tor and Privoxy. Tor helps in communicating anonymously over the internet, and Privoxy makes sure all the communications are made through the Tor network. Together they give us the freedom to browse freely on the internet. This was developed from the Tor browser, which performs the same function as Foxtor.

    For example, in some countries YouTube has banned some videos. You won't be able to watch these videos if you are using a default browser. After installing Foxtor, our presence on the website will appear to come from a different location, since we are using an encrypted network and a different proxy.

  • CryptoFox: CryptoFox is an encryption and decryption add-on. It is integrated below the address bar as an extension. It has two fields and a button. The first field is where you type in the text that needs to be encrypted. The next field is where you choose what type of encryption or conversion to perform. It has about 40 different techniques that could be performed. This one even has dictionary attack support for cracking MD5 passwords. Let's see how CryptoFox can be used. Here I am using basic AES 128-Bit Encryption to encrypt a word, and let's try cracking it with AES 128-Bit decrypt. The CryptoFox fields are as shown below:

Figure 6: Encryption Using CryptoFox

Here I have typed in "helloworld!" as the text to be encrypted. In the second field, select AES 128-bit encryption and press the decode button. Now a dialog box will pop up to enter the password for the encryption. The same password should also be used for decryption to obtain the correct data. The dialog box is as below:

Figure 7: Pop up for entering password

The password entered here to encrypt the data is "passwd." After entering the password, click OK. Now the encrypted text will appear in the first field as shown below:

Figure 8: Decrypted text

We can crosscheck the process by decrypting the obtained text with the same password. This is a very useful add-on.

  • Groundspeed: Groundspeed is security testing software that helps us to modify forms and form elements in the page. It also allows us to manipulate the limitations of the web application user interface, which helps in carrying out a penetration test. We can change hidden fields into text fields, which lets us edit their contents easily. JavaScript event handlers can be modified with the help of this add-on to bypass client-side authorization.
  • Anonymox: This plug-in helps us to browse the internet anonymously. Some websites keep a record of their users by analyzing their activities, and these records are sometimes later sold to third parties for various reasons. Certain websites are banned due to various reasons like terrorism, child safety, etc. These could be avoided by using this plug-in. With Anonymox we can create a virtual identity which helps us to bypass such blocks on the internet. We can customize the settings for each website according to our need. It also helps us to change our default IP. This add-on also bypasses GeoIP blocks and makes our origin appear to be another country, giving us access to websites which are banned in our country. The Anonymox window is as shown below:

Figure 9: Anonymox window

While accessing a website, our computer connects to the web service subscribed by us and sends a copy of the requested webpage. At the same time, the website host gets the information about our IP address. When we are using Anonymox, our request is sent to the Anonymox network and from there it's sent to the requested website's network. Now they won't be able to track our identity, since we are logging in from another network. We can select the available proxy identities from the Anonymox window as shown in the above image.

  • ipFlood: This add-on also helps us to browse the internet anonymously. Basically, ipFlood creates a spoofed IP and makes us invisible. When we make a request to a server, it identifies us mainly using the application layer and transport layer details. This particular add-on modifies the application layer details, giving us full freedom to browse anonymously. The three headers in the application layer give the details about the real IP of the user. When we enable ipFlood, the website gets a spoofed IP and believes that it is the real IP of the user browsing the website. Most websites check the application layer headers to identify a user's real address. The details get modified every time you enter a webpage. After installing the add-on, just click on the ipFlood icon in the right corner of the browser to enable it and you are good to go.
  • SQL Inject Me: SQL Inject Me is a penetration testing tool used to find SQL injection vulnerabilities in a website. The tool basically substitutes HTML form values that are representative of an SQL injection attack. It sends database escape strings through the form fields and looks for database error messages, which indicate a possible point to carry out an attack. The add-on displays all the fields and options on the left hand side of the page to find the vulnerability. After carrying out various tests, the page produces a result showing the errors and other options as shown below:

Figure 10: SQL Inject Me result
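
The database errors that SQL Inject Me looks for come from form values being pasted into the SQL text. As an added example (not from the original article or the add-on), the code below runs the same kind of check against two hypothetical form handlers, one concatenating and one parameterized, on an in-memory SQLite database; the table, handlers and test values are constructed for illustration.

```python
import sqlite3


def make_db():
    """Build a throwaway in-memory database with one constructed row."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.execute("INSERT INTO users VALUES ('alice', 'alice@example.test')")
    return db


def lookup_concatenated(db, name):
    """Weak form handler: the field value is pasted into the SQL text."""
    query = "SELECT email FROM users WHERE name = '" + name + "'"
    return db.execute(query).fetchall()


def lookup_parameterized(db, name):
    """Hardened form handler: the field value is bound as data."""
    return db.execute("SELECT email FROM users WHERE name = ?", (name,)).fetchall()


# Constructed field values containing characters that are special in SQL.
TEST_VALUES = ["o'brien", 'a"b', "x\\'y"]


def error_surfaces(handler):
    """Return the test values that make the handler raise a database error."""
    db = make_db()
    hits = []
    for value in TEST_VALUES:
        try:
            handler(db, value)
        except sqlite3.Error:
            hits.append(value)
    return hits


if __name__ == "__main__":
    print("concatenated :", error_surfaces(lookup_concatenated))
    print("parameterized:", error_surfaces(lookup_parameterized))
```

Run as a regression test, an empty list for every handler is the passing result.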

  • Certificate Patrol: It monitors all SSL connections and checks whether the certificates have changed during the exchange or not. It helps to identify man-in-the-middle attacks. This add-on pops up a message every time you visit a website, showing the certificate details and asking whether to save it or not. Once saved, it cross-checks against the saved certificate to ensure that no trick has been played in between. By default the expiry period is about 98 days. There are some websites that update their certificates regularly. You must be a bit cautious under such conditions while verifying such certificates. When these kinds of changes are made, you will be shown the old and new certificates to compare them. If you find any irregularity, there is an option to reject the certificate. This can be done by clicking the reject button at the bottom right of the window. It also has a threat level indicator with the colors green, yellow and red. The window below displays the information on a webpage:

Figure 11: Certificate Patrol details on "facebook.com"
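
The comparison described above amounts to trust on first use. As an added example (not Certificate Patrol's own code), the class below stores a SHA-256 fingerprint per host and grades a changed certificate; the mapping of outcomes to green, yellow and red and the 30-day renewal window are assumptions, and the certificate bytes are constructed placeholders.

```python
import hashlib
from datetime import datetime, timedelta


class CertStore:
    """Remember the first certificate seen per host and compare later ones."""

    def __init__(self, renewal_window_days=30):  # assumed window
        self.seen = {}  # host -> (sha256 fingerprint, not_after)
        self.renewal_window = timedelta(days=renewal_window_days)

    def check(self, host, der_bytes, not_after, now):
        fingerprint = hashlib.sha256(der_bytes).hexdigest()
        known = self.seen.get(host)
        if known is None:
            self.seen[host] = (fingerprint, not_after)
            return "new"
        old_fingerprint, old_not_after = known
        if fingerprint == old_fingerprint:
            return "green"
        # Changed certificate: close to the old expiry date it is a plausible
        # renewal; long before expiry it deserves a closer look.
        if old_not_after - now <= self.renewal_window:
            return "yellow"
        return "red"

    def accept(self, host, der_bytes, not_after):
        """Replace the stored certificate after the user has reviewed it."""
        self.seen[host] = (hashlib.sha256(der_bytes).hexdigest(), not_after)


def demo():
    store = CertStore()
    t0 = datetime(2015, 6, 1)
    cert_a, cert_b = b"constructed-cert-A", b"constructed-cert-B"
    exp_a = t0 + timedelta(days=200)
    exp_b = exp_a + timedelta(days=365)
    first = store.check("example.test", cert_a, exp_a, t0)
    same = store.check("example.test", cert_a, exp_a, t0 + timedelta(days=1))
    early = store.check("example.test", cert_b, exp_b, t0 + timedelta(days=10))
    late = store.check("example.test", cert_b, exp_b, t0 + timedelta(days=190))
    return first, same, early, late


if __name__ == "__main__":
    print(demo())
```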

  • FoxySpider: FoxySpider is a web crawler add-on which displays contents like videos, images, music, files, etc. in a well structured format. It creates a gallery according to the file type from the website. It is a simple add-on which can be used to collect details from a website. After installing this tool, an icon will be displayed on the left side of the address bar. There are mainly 3 types of settings for this tool. If we left click on the icon, it starts searching the page, collects the files and displays them in an organized format. If we middle click the icon, an advanced filter window will pop up to specify our requirements, like a specified URL or files with keywords, etc. When we right click the icon, a preference window will be displayed, where we can configure the search of the add-on. The three functions are displayed in the images below:

Figure 12: Left click Display on Google.com

Figure 13: Middle Click - Advanced Filter

Figure 14: Right Click Settings

Firefox Vulnerabilities

Mozilla Firefox is one of the best browsers on the market. It offers better speed, performance and ease of use to its customers. Every day, research and tests are carried out on these products to assess their performance under various conditions. During this process, unknown flaws and vulnerabilities are discovered which could be used by hackers to launch an attack. Recently Firefox 39 was launched, fixing 13 vulnerabilities including 4 critical ones. They release patched versions like this after finding new vulnerabilities. Even some add-ons might create vulnerabilities, causing problems. There are open forums under Mozilla to report such bugs and to update their frequent users.

Conclusion

Firefox is an excellent browser for testing webpages, and with the right tools and knowledge we can extend its range to various areas. These plug-ins help a security engineer to carry out security tasks much more easily than before. Moreover, gathering information and testing have become much more effective with these add-ons. Readers of this article are encouraged to download these plug-ins and install them in a virtual lab to reap the full benefit of them.


  • Steve Lynch

    Steve has 9 yrs of experience in the cyber security space. He worked as a cyber journalist, collecting news associated with cyber security from various geographic locations. He has great experience with Linux and holds many technology certificates.