I have a pet hate. This is something that really annoys me when I get a new laptop, which, if you ask my girlfriend, is much too often.
[Screenshot: Mantra and Firefox. Notice all of the plugins on the left, in the status bar and in the address bar.]
Setting up all my tools.
Now, if you ask a lot of hackers/information security consultants, they get really excited about this – but I just want to get on with the work I have to do!
BackTrack (or my preference, NodeZero Linux) has this covered from a distribution standpoint – that is, if Linux is your cup of tea. Nothing, however, was available to me from a browser point of view.
I thought I would give making my own application security testing browser a go myself. I installed a bunch of different plugins in a vanilla Firefox installation, and guess what? It was far too slow! I got really disheartened; there were a number of different plugins that would completely slow down my browser to a point where it was unusable. So I just didn't use them, and I found manual ways to do the processes that the plugins helped with, e.g. pinging / finding a website that would show me the IP address of a hostname.
Enter the Mantra team. I was searching through Twitter and I found references to something called Mantra. Essentially it’s a browser with some tools pre-installed.
It sounded like what I was looking for, so I decided to give it a try… WOW!
Every single tool I could have hoped for was there. I could do anything I wanted in the browser and the speed was not affected whatsoever. The best thing about the browser, in my opinion anyway, is that there were add-ons included that I didn’t even know existed such as Wappalyzer (http://wappalyzer.com/) – it “uncovers the technologies used” on the web application you are currently on (see the image below).
This came in handy on an assessment I did recently, where the add-on recognized Joomla! Needless to say, a few default credentials and administrator configuration changes later I was able to use a nice reverse PHP shell.
So Mantra was sweet.
Then I started using Burp Suite with it, and I saw some crazy things going on. I was in the middle of an assessment and Burp kept producing some requests that I had never seen before. I was trying to inject some SQL statements into a parameter and other similar attacks, and I was getting requests that were directed toward Google! After some digging around (and yes, asking my team at work about it) I uncovered a number of options that I thought were not really something that should be included in your application-testing suite.
browser.safebrowsing.enabled = “Firefox 2.0 incorporates the Google Safe Browsing extension in its own Phishing Protection feature to detect and warn users of phishy sites.” (http://kb.mozillazine.org/Browser.safebrowsing.enabled)
browser.safebrowsing.malware.enabled = “As part of its Safe Browsing feature, Mozilla Firefox keeps track of a list of malware to compare data the user downloads. In the event the user downloads known malware, a warning can be displayed.” (http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled)
browser.search.suggest.enabled = “In Firefox 2.0, search plugins can offer ‘search suggestions’ of similar search queries as the user enters a query in the search bar.” (http://kb.mozillazine.org/Browser.search.suggest.enabled)
The above preferences can be found on Firefox's about:config page. Written down they may look harmless, but during a test they have two effects:
- If you use an intercepting proxy such as Burp or ZAP, they annoy the heck out of you. Every time you make a request in the browser you have to forward (or drop) the extra background requests before you get to the response you actually care about.
- Data is sent to external parties: the Safe Browsing lookups go to Google, and search suggestions send whatever is typed into the search bar to the search provider.
Point two is obviously what I was worried about, but let me state, I don't know if this is what was happening. I didn't really care to find out what was going on, I just didn't like the look of it, so I got rid of it. After doing a little bit of research, as I said before, I found the information above.
I got in touch with the Mantra guys and they implemented this in their latest release, Mantra Armada, and I have now become part of the Mantra team.
If you are adamant about continuing to use plain Firefox and want to turn these features off, go into about:config and set each of the three preferences above to false.
You can find more information by visiting the website – www.getmantra.com. If you don't like Firefox or don't use a Mac, don't worry: they have versions for Windows and Linux and also a smaller, but usable, Chrome version too.
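The same three preferences can be pinned in a profile's user.js, which Firefox reads on every start and which overrides whatever is in prefs.js, so the settings survive even if something flips them back in about:config. The script below is an added example (it is not Mantra's code): it merges the three prefs into an existing user.js without losing other entries, and parses the file back so you can confirm what was written. The profile directory is an argument; the extra pref name used in the demo (general.useragent.override, a real Firefox pref) is only there to show the merge.

```python
"""Pin the three 'phone home' prefs above in a Firefox profile's user.js.

Added example, not part of Mantra. user.js lines are JavaScript calls of
the form user_pref("name", value); where value is a JS literal.
"""
import re
from pathlib import Path

# The three preferences discussed above, and the value a testing profile wants.
TESTING_PREFS = {
    "browser.safebrowsing.enabled": False,          # Safe Browsing phishing lookups
    "browser.safebrowsing.malware.enabled": False,  # Safe Browsing malware lookups
    "browser.search.suggest.enabled": False,        # search-bar suggestion queries
}

# One user_pref("name", value); line. Values are true/false, integers or
# double-quoted strings with backslash escapes.
_PREF_RE = re.compile(
    r'^\s*user_pref\("([^"]+)",\s*(true|false|-?\d+|"(?:[^"\\]|\\.)*")\);\s*$'
)


def _to_js(value):
    """Render a Python value as the JS literal user.js expects."""
    if isinstance(value, bool):          # bool before int: bool is an int subclass
        return "true" if value else "false"
    if isinstance(value, int):
        return str(value)
    text = str(value).replace("\\", "\\\\").replace('"', '\\"')
    return f'"{text}"'


def _from_js(literal):
    """Inverse of _to_js for the literals the regex accepts."""
    if literal in ("true", "false"):
        return literal == "true"
    if literal.startswith('"'):
        return literal[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return int(literal)


def read_user_prefs(path):
    """Parse an existing user.js into {name: value}; non-pref lines are ignored."""
    prefs = {}
    p = Path(path)
    if not p.is_file():
        return prefs
    for line in p.read_text(encoding="utf-8").splitlines():
        m = _PREF_RE.match(line)
        if m:
            prefs[m.group(1)] = _from_js(m.group(2))
    return prefs


def write_testing_prefs(profile_dir, extra=None):
    """Merge TESTING_PREFS (and any extra prefs) into <profile_dir>/user.js.

    Prefs already in the file are kept; ours win on conflict. Returns the
    merged dict so the caller can check what ended up on disk.
    """
    profile = Path(profile_dir)
    profile.mkdir(parents=True, exist_ok=True)
    target = profile / "user.js"
    merged = read_user_prefs(target)
    merged.update(TESTING_PREFS)
    merged.update(extra or {})
    lines = [f'user_pref("{name}", {_to_js(value)});' for name, value in sorted(merged.items())]
    target.write_text("\n".join(lines) + "\n", encoding="utf-8")
    return merged


if __name__ == "__main__":
    import sys
    import tempfile

    # Assumption: the profile directory is given on the command line; otherwise
    # a scratch directory is used so the script is safe to run as a demo.
    where = sys.argv[1] if len(sys.argv) > 1 else tempfile.mkdtemp(prefix="ff-profile-")
    for name, value in write_testing_prefs(where).items():
        print(f"{name} = {value}")
    print(f"wrote {Path(where) / 'user.js'}")
```

Run it with the profile directory (on Linux, something under ~/.mozilla/firefox/) while Firefox is closed; Firefox only reads user.js at startup. With Burp in front of the browser, the test is simple: no more requests to Google appear in the proxy history when you type into the search bar or hit a page on the Safe Browsing list.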
I have told you about Mantra now and how it has helped me, but I also want to provide an example on how it can help you.
We are going to exploit a reflected cross-site scripting vulnerability in an application that was created to be vulnerable, a testing ground if you like, called Mutillidae (http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10).
To know what is going on here you need to understand exactly what the application is doing.
The server receives a request and records pieces of data about it, i.e. the time, date, request path and User-Agent header. It then takes that exact data and reflects it back into the page in a formatted layout, without encoding it.
This is why the user-agent switching add-on preinstalled in Mantra is enough to exploit it: we replace our User-Agent string with a script payload, the page reflects it verbatim, and the code executes in the browser of whoever views that page.
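The probe a tester would run before reaching for the user-agent switcher, as an added example that is neither Mutillidae's code nor Mantra's: a tiny local HTTP server stands in for the logging page and echoes the request path and User-Agent back as HTML, once unescaped (the bug described above) and once escaped (the fix). probe() sends a canary in the User-Agent and reports whether it came back intact. The payload, server and paths are all constructed for the example.

```python
"""Reflected XSS via the User-Agent header: vulnerable vs fixed, plus the probe.

Added example; the 'application' is a stand-in for the Mutillidae page
described above, not its code.
"""
import html
import threading
import urllib.request
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed canary payload; harmless but unmistakable if reflected verbatim.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_log(path, user_agent, escape):
    """Build the 'last request' page. escape=False reproduces the bug."""
    enc = html.escape if escape else (lambda s: s)
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S")
    rows = [("Time", now), ("Path", path), ("User-Agent", user_agent)]
    body = "".join(f"<tr><td>{k}</td><td>{enc(v)}</td></tr>" for k, v in rows)
    return f"<html><body><h1>Last request</h1><table>{body}</table></body></html>"


class LogHandler(BaseHTTPRequestHandler):
    escape = False  # overridden per server instance in start_server()

    def do_GET(self):
        page = render_log(self.path, self.headers.get("User-Agent", ""), self.escape)
        data = page.encode("utf-8")
        self.send_response(200)
        self.send_header("Content-Type", "text/html; charset=utf-8")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo's stdout quiet
        pass


def start_server(escape):
    """Start a loopback server on a free port; returns the HTTPServer."""
    handler = type("Handler", (LogHandler,), {"escape": escape})
    srv = HTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def reflected_unescaped(body, payload=PAYLOAD):
    """True if the payload appears in the response exactly as sent."""
    return payload in body


def probe(url, payload=PAYLOAD):
    """Send the payload as the User-Agent and check the response for it."""
    req = urllib.request.Request(url, headers={"User-Agent": payload})
    with urllib.request.urlopen(req, timeout=5) as resp:
        body = resp.read().decode("utf-8", "replace")
    return reflected_unescaped(body, payload)


def demo():
    """Probe a vulnerable and a fixed stand-in; returns {name: reflected?}."""
    results = {}
    for name, escape in (("vulnerable", False), ("fixed", True)):
        srv = start_server(escape)
        try:
            results[name] = probe(f"http://127.0.0.1:{srv.server_port}/log")
        finally:
            srv.shutdown()
            srv.server_close()
    return results


if __name__ == "__main__":
    for name, reflected in demo().items():
        print(f"{name}: payload reflected unescaped = {reflected}")
```

Against a real target the same probe is one line in Burp Repeater or curl with -A; what matters is comparing the raw response bytes with the payload you sent, because a browser will execute the reflected script before you get a chance to look at it. Note that the path is reflected too, so the query string is a second injection point on the same page.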
This article has discussed the added value plugins and add-ons can have when added to Firefox, while also addressing the difficulty of finding the right balance between browser speed and operability. Mantra is an open-source browser that uses Mozilla's Firefox as a baseline and includes some great extensions like the one shown above. The tools and plugins can be used to simplify the job of an application security consultant and significantly speed up the process of exploitation.