I have a pet hate. This is something that really annoys me when I get a new laptop, which if you ask my girlfriend is much too often.

Above is a screenshot of Mantra and Firefox. Notice all of the plugins on the left, in the status bar and in the address bar.

Setting up all my tools.

Now, if you ask a lot of hackers/information security consultants they get really excited about this – but I just want to get on with the work I have to do!

BackTrack (or my preference, NodeZero Linux) has this covered from a distribution standpoint – that is, if Linux is your cup of tea. Nothing, however, was available to me from a browser point of view.

I thought I would give making my own application security testing browser a go myself. I installed a bunch of different plugins in a vanilla Firefox installation, and guess what? It was far too slow! I got really disheartened; there were a number of different plugins that would completely slow down my browser to a point where it was unusable. So I just didn’t use them, and I found manual ways to do the processes that the plugins helped with, i.e. pinging / finding a website that would show me the IP address of a hostname.

Enter the Mantra team. I was searching through Twitter and I found references to something called Mantra. Essentially it’s a browser with some tools pre-installed.

It sounded like what I was looking for, so I decided to give it a try… WOW!

Every single tool I could have hoped for was there. I could do anything I wanted in the browser and the speed was not affected whatsoever. The best thing about the browser, in my opinion anyway, is that there were add-ons included that I didn’t even know existed such as Wappalyzer (http://wappalyzer.com/) – it “uncovers the technologies used” on the web application you are currently on (see the image below).

This came in handy on an assessment I did recently, where the add-on recognized Joomla! Needless to say, a few default credentials and administrator configuration changes later I was able to use a nice reverse PHP shell.

So Mantra was sweet.

Then I started using Burp Suite with it, and I saw some crazy things going on. I was in the middle of an assessment and Burp kept producing some requests that I had never seen before. I was trying to inject some SQL statements into a parameter and other similar attacks, and I was getting requests that were directed toward Google! After some digging around (and yes, asking my team at work about it) I uncovered a number of options that I thought were not really something that should be included in your application-testing suite.

browser.safebrowsing.enabled = “Firefox 2.0 incorporates the Google Safe Browsing extension in its own Phishing Protection feature to detect and warn users of phishy sites.” (http://kb.mozillazine.org/Browser.safebrowsing.enabled)

browser.safebrowsing.malware.enabled = “As part of its Safe Browsing feature, Mozilla Firefox keeps track of a list of malware to compare data the user downloads. In the event the user downloads known malware, a warning can be displayed.” (http://kb.mozillazine.org/Browser.safebrowsing.malware.enabled)

browser.search.suggest.enabled = “In Firefox 2.0, search plugins can offer ‘search suggestions’ of similar search queries as the user enters a query in the search bar.” (http://kb.mozillazine.org/Browser.search.suggest.enabled)

The above options can be found on the about:config page in Firefox. Written down they may look harmless, but in practice they do two things.

  1. If you use an intercepting proxy, e.g. Burp or ZAP, they annoy the heck out of you. Every time you make a request in the browser it feels like you have to click one thousand times to get the response.
  2. Data seemed to be sent to external parties.

Point two is obviously what I was worried about, but let me state, I don’t know if this is what was happening. I didn’t really care to find out what was going on, I just didn’t like the look of it, so I got rid of it. After doing a little bit of research, as I said before, I found the information above.

I got in touch with the Mantra guys and they incorporated this into their latest release, Mantra Armada, and I have now become part of the Mantra team.

If you are adamant about continuing to use Firefox and want to turn these features off go into about:config and change each of the settings to those depicted below.

You can find more information by visiting the website – www.getmantra.com. If you don’t like Firefox or don’t use a Mac, don’t worry: they have versions for Windows and Linux, and also a smaller, but usable, Chrome version too.

I have told you about Mantra now and how it has helped me, but I also want to provide an example on how it can help you.

Let’s take cross-site scripting (XSS) as our example. This is a very well-known vulnerability in the web application security area. For those of you who don’t know what XSS is, it is simply where an attacker can get their own script, typically JavaScript, to run in a victim’s browser in the context of the vulnerable site.

We are going to exploit this vulnerability in an application that was created to be vulnerable, a testing ground if you like, called Mutillidae (http://www.irongeek.com/i.php?page=mutillidae/mutillidae-deliberately-vulnerable-php-owasp-top-10).

The web page above is showing a log of requests being sent to the server. As an attacker exploiting XSS we want to be on the lookout for any output that is a direct copy of an input. In this case the ‘Browser Agent’ is that particular parameter. There are a number of ways that editing our ‘User Agent’ can be done, e.g. editing the user agent string using an intercepting proxy, but setting the proxy up takes effort. By using “User Agent Switcher”, a Firefox add-on, we can quickly add some JavaScript to our ‘User Agent’.

To know what is going on here you need to understand exactly what the application is doing.

The server is receiving a request which holds pieces of data, i.e. time, date, request path and user agent. It is then taking that exact data string and reflecting it back into the page in a formatted layout, without encoding it as HTML first.

The next time this page is loaded the JavaScript embedded within the User Agent i.e., <script>alert(1)</script>, will be executed in the browser – as seen below.

This happens because the plugin that is preinstalled within Mantra has allowed us to change our ‘User Agent’ string, and the application reflects that string into the page unencoded, so the script runs in the browser of anyone who views the log.
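To make the reflection concrete, here is an added example (not Mutillidae’s own code) that renders a log row the two ways a server can: reflecting the fields verbatim, as the article describes, and HTML-escaping them first. The request fields, the path and the ‘show-log’ layout are constructed for the example; the `find_unescaped_reflections` check is the tester’s “is the output a direct copy of the input?” test written as code.

```python
import html
import re

# Constructed sample request, modelled on the fields the article says the log
# records (time, date, request path, user agent). Not real captured traffic.
SAMPLE_REQUEST = {
    "date": "2011-08-01",
    "time": "10:15:42",
    "path": "/show-log",           # placeholder path, not Mutillidae's
    "user_agent": "<script>alert(1)</script>",
}

ROW_TEMPLATE = "<tr><td>{date} {time}</td><td>{path}</td><td>{user_agent}</td></tr>"


def render_log_row_unsafe(req):
    """Reflect every field verbatim into the HTML table: the bug the article shows."""
    return ROW_TEMPLATE.format(**req)


def render_log_row_safe(req):
    """Same layout, but each untrusted field is HTML-escaped before reflection,
    so '<script>' becomes '&lt;script&gt;' and is displayed, not executed."""
    escaped = {k: html.escape(v, quote=True) for k, v in req.items()}
    return ROW_TEMPLATE.format(**escaped)


def reflected_verbatim(value, page):
    """The tester's check: is the input copied into the output unchanged?
    Only values carrying HTML metacharacters are interesting; plain text
    reflected as-is cannot break out of the markup."""
    return bool(re.search(r'[<>"\']', value)) and value in page


def find_unescaped_reflections(req, page):
    """Names of request fields reflected with their metacharacters intact."""
    return sorted(k for k, v in req.items() if reflected_verbatim(v, page))


if __name__ == "__main__":
    unsafe = render_log_row_unsafe(SAMPLE_REQUEST)
    safe = render_log_row_safe(SAMPLE_REQUEST)
    print("unsafe page:", find_unescaped_reflections(SAMPLE_REQUEST, unsafe))  # ['user_agent']
    print("safe page:  ", find_unescaped_reflections(SAMPLE_REQUEST, safe))    # []
```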

Want to learn more? The InfoSec Institute Web Application Penetration Testing Boot Camp focuses on preparing you for the real world of Web App Pen Testing through extensive lab exercises and thought-provoking lectures led by an expert instructor. We review the entire body of knowledge as it pertains to web application pen testing through a high-energy seminar approach.

The Web Application Penetration Testing course from InfoSec Institute is a totally hands-on learning experience. From the first day to the last day, you will learn the ins and outs of Web App Pen Testing by attending thought-provoking lectures led by an expert instructor. Every lecture is directly followed up by a comprehensive lab exercise (we also set up and provide lab workstations so you don't waste valuable class time installing tools and apps). Benefits to you are:

  • Get CWAPT Certified
  • Learn the Secrets of Web App Pen Testing in a totally hands-on classroom environment
  • Learn how to exploit and defend real-world web apps: not just silly sample code
  • Complete the 83 Step "Web App Pen Test Methodology", and bring a copy back to work with you
  • Learn how to perform OWASP Top 10 Assessments: for PCI DSS compliance

Conclusion

This article has discussed the added value plugins and add-ons can have when added to Firefox, while also addressing the difficulty of finding the right balance between browser speed and operability. Mantra is an open-source browser that uses Mozilla’s Firefox as a baseline and includes some great extensions like the one shown above. The tools and plugins can be used to simplify the job of an application security consultant and significantly speed up the process of exploitation.