pen testing the web with firefox: add-on management

8/14/2019 Pen Testing the Web with Firefox: Add-on Management

http://slidepdf.com/reader/full/pen-testing-the-web-with-firefox-add-on-management 1/44

Pen Testing the Web

with Firefox: Add-onManagement

Michael “theprez98” Schearer



Add-on management

n Experimental add-onsn Version checksn

Ignoring version checksn Override compatibility checkingn Disabling compatibility checkingn Manual compatibility forcingn

Add-on utilities (CLEO/FEBE/OPIE)n Other useful add-ons (Xmarks)n Profiles



Experimental add-ons

n Use at your own risk

n Newer add-ons which have not yet

undergone the public review processn May be alpha, beta or pre-production in

quality, performance and features

n You may have to explicitly select to viewexperimental add-ons



Version checks

n By default, Firefox will not show you add-onsthat are not compatible with your currentinstalled version

n By default, Firefox will not allow you todownload or install add-ons that are for older versions

n Manually changing these settings will enable

you to view more add-ons (although thereis no guarantee that they will work)



Ignoring version checks

n Creating a Firefox account will allow youto sign in and ignore version checks; or

n Viewing the source will enable you to findthe direct link to the add-on (.xpi) todownload manually

n

These methods will allow you to downloadbut Firefox still won’t install incompatibleversions



Override compatibility checking

1.Install Nightly Tester Tools add-on

2.Right-click on disabled add-ons and select

Override compatibility3.Override all compatibility option is

available but use with caution



If NTT is already installed



Disable compatibility checking

1.Type about:config in the browser bar

2.Right-click and select New > Boolean

3.Enter preference nameextensions.checkCompatibility

4.Select false

5.Restart Firefox



Caveats to manual forcing

n This method works for many but not allincompatible add-ons; there is no

guarantee that this method will workn The more recent the add-on, the more

likely it will work

n

These steps are specific to using 7-Zipwith Windows; other programs may workbut you may have to modify the steps



Add-on utilities

n Concerns:Add-on portability

Time consuming to manually install multipleadd-ons for multiple locations and devices

n Fixes:FEBE (Firefox Environment Backup

Extension)CLEO (Compact Library Extension Organizer)

OPIE (Ordered Preference Import/Export)



OPIE

n Ordered Preference Import/Export allowsyou to import and export your installed

extension preferencesn Useful when installing extensions in a new

profile, or synchronizing multiple Firefoxinstallations



Other useful add-ons (1)

n Xmarks provides seamless bookmarksynchronization between your

computers and browsersn Adblock Plus blocks ads and banners

n NoScript allows active content to run only

from sites you trust, and protect yourself against XSS and clickjacking attacks



Profiles (1)

n Concerns:Too many add-ons!Duplicate tasksMemory use/time to load

n Fixes:Profile Manager

n “Default”

n “Pen Testing” Install/load only those you use regularly



If you uncheck “Don’t ask at startup” the

profile manager will load every time



Authors and add-ons

n Edward Ackroyd (SearchPreview)n Chuck Baker (FEBE/CLEO/OPIE)

n Mime Cuvalo (FireFTP)n Giorgio Maone (NoScript)n Mossop (Nightly Tester Tools)n

Xmarks Inc. (Xmarks)n Wladimir Palant (Adblock Plus)



Pen Testing the Webwith Firefox: Add-onManagement

Michael “theprez98” Schearer

pen testing the web with firefox: add-on management

Documents