pen testing the web with firefox: add-ons

Upload: michael-schearer

Post on 30-May-2018

TRANSCRIPT

  • 8/14/2019 Pen Testing the Web With Firefox: Add-Ons

    1/69

    Pen Testing the Web with Firefox: Add-ons

    Michael "theprez98" Schearer

    Penetration testing add-ons

    - Display capabilities
    - Information gathering
    - (Mostly) anonymous browsing
    - Vulnerability assessment

    Display capabilities

    - IE Tab
    - User Agent Switcher

    IE Tab

    - Embeds Internet Explorer in Firefox tabs
    - Allows viewing of pages in a different browser without having to start/restart IE
    - "Switch rendering engine" option allows quick comparison of page views
    - Safari View, Opera View, Chrome View

    User Agent Switcher

    - Allows viewing of pages in different browser configurations
    - Allows comparison of page views in different formats without having to pre-load multiple conditions
    - Caveat: does not necessarily make the browser render a page like another browser

    Information gathering

    - Information gathering is the process of collecting as much information about a target as possible
    - Passive
    - Active

    Passive information gathering

    - PassiveRecon
    - Passive Cache

    PassiveRecon

    - Provides information security professionals with the ability to perform "packetless" discovery of target resources utilizing publicly available information
    - Executes 20+ pre-configured searches regarding IP, DNS, mail server information, and Google searches
    - Demo

    Passive Cache

    - Uses Google's text-only cache service and Archive.org Wayback Machine to display historical versions of a specified web link
    - Allows for the viewing of a page, or site, while avoiding active connections to a target site

    Active information gathering

    - ShowIP
    - ASnumber
    - Server Spy / Header Spy
    - Host Spy
    - WorldIP

    (Mostly)* anonymous browsing

    - Third party website tools
    - Public internet terminals
    - Web-based HTTP proxies
    - Proxy add-ons

    Third party website tools

    - Allows you to view content through a third party so as to not alert the target
    - Content may be dated
    - Allows gathering of:
      - Metadata (e.g., centralops.net)
      - Context (Google cache, Wayback Machine)

    Public internet terminals

    - Provides a degree of anonymity due to third party location, multiple users, and lack of authentication mechanisms
    - Some (e.g., libraries) are free, but many cost (airports, hotels, etc.)
    - Ability to install or add functionality may be limited

    Web-based HTTP proxies

    - Hides IP address from target by using a third party (proxy)
    - Works best if the third party is trusted not to reveal the attacker's information
    - Some proxies may be blocked depending upon your source location

    Anonymouse.org add-on

    - Creates an entry in right click (context) menu to open links anonymously using Anonymouse.org
    - Does not appear to work correctly (yet?)

    Proxy add-ons

    - Browser-based proxy configuration
    - Permits tunneling through open proxies
    - Provides plausible deniability during penetration tests by obscuring the source of your traffic

    Torbutton

    - Simple on-off button that switches your proxy settings between the default (off) and Tor's settings (on)
    - Requires Tor to be installed
    - Does not work with other proxy configurations

    FoxyProxy

    - Supports multiple proxy configurations
    - Supports Tor (when installed); otherwise no additional software required
    - Initial setup can be a little confusing

    See also

    - SwitchProxy
    - QuickProxy
    - AutoProxy
    - Toggle Proxy

    *Caveats

    - Some proxy servers (e.g., Squid) use the X-Forwarded-For header, which can reveal the originating IP address
    - Owners of proxy servers may be subject to court orders to reveal log information
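
The X-Forwarded-For caveat above, seen from the target's side, as an added example that is not part of the original slides: a proxy that appends forwarding headers hands the target the address it was supposed to hide. The sample requests and addresses are constructed (documentation ranges), and `proxyDisclosure` is a hypothetical helper name.

```javascript
// Added example: what a target's access log can learn about a proxied client.
// Header names are standard; the requests in SAMPLES are constructed.

// "X-Forwarded-For: client, proxy1, proxy2" -> ordered list of addresses.
function parseXff(value) {
  if (!value) return [];
  return value.split(",").map((s) => s.trim()).filter((s) => s.length > 0);
}

// RFC 7239 "Forwarded: for=192.0.2.60;proto=http, for=..." -> list of for= values.
function parseForwarded(value) {
  if (!value) return [];
  const out = [];
  for (const element of value.split(",")) {
    for (const pair of element.split(";")) {
      // Accept for=1.2.3.4, for=1.2.3.4:port and for="[v6addr]:port".
      const m = /^\s*for\s*=\s*"?(\[[^\]]+\]|[^";:\s]+)/i.exec(pair);
      if (m) out.push(m[1].replace(/^\[|\]$/g, ""));
    }
  }
  return out;
}

// Summarise one request the way the target sees it.
function proxyDisclosure(peerAddr, headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = v;
  const chain = [...parseXff(h["x-forwarded-for"]), ...parseForwarded(h["forwarded"])];
  return {
    peer: peerAddr, // TCP source address: the proxy, not the browser
    viaProxy: Boolean(h["via"]) || chain.length > 0,
    // Left-most entry is the address the first proxy saw. It is a claim
    // carried in a header, so it is a lead for log review, not proof.
    disclosedOrigin: chain.length > 0 ? chain[0] : null,
  };
}

// Constructed sample requests (documentation address ranges).
const SAMPLES = [
  ["203.0.113.7", { Via: "1.1 proxy.example (squid)", "X-Forwarded-For": "198.51.100.23" }],
  ["203.0.113.7", { "User-Agent": "Mozilla/5.0" }],
  ["203.0.113.9", { Forwarded: 'for="[2001:db8::17]:4711";proto=http' }],
];

for (const [peer, headers] of SAMPLES) {
  console.log(JSON.stringify(proxyDisclosure(peer, headers)));
}
```

A request with neither header (the second sample) tells the target only the proxy's own address, which is why the behaviour of the specific proxy matters.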

    Vulnerability assessment

    - Discover and assess potential vulnerabilities associated with a particular target
      - Passive
      - Active

    Passive assessment: SHODAN

    - Server metadata is collected by a third party so searching via SHODAN does not reveal any intent to the target
    - In many ways this is just like using a combination of cached data and a proxy server

    Active assessment (1)

    - Generally speaking, the most accurate methods of vulnerability assessments are active in nature and thus will alert the target in some way
    - Depending on the tool and technique, this may appear to be normal activity or the signature of a major attack

    Active assessment (2)

    - Exploit-Me
    - SQL Injection
    - HackBar
    - Firebug
    - Key-logger
    - Tamper Data

    Exploit-Me

    - Suite of lightweight security testing tools
    - Introduced at SecTor 07 by Nishchal Bhalla and Rohit Sethi of Security Compass
    - XSS-Me to test for Cross-Site Scripting vulnerabilities (www.xssed.com)
    - SQL Inject-Me to test for SQL injection vulnerabilities
    - Access-Me tests access vulnerabilities
    - Future: Web Service-Me, Overflow-Me, Enumerate-Me, BruteForce-Me

    http://www.xssed.com/

    HackBar

    - Web developer tool designed to help with security audits on code
    - Assists in testing SQL injections, XSS holes and general site security
    - Test security with obfuscation and de-obfuscation

    Firebug

    - Edit, debug, and monitor CSS, HTML, and JavaScript live in any web page
    - Includes a powerful JavaScript debugger that lets you pause execution at any time
    - Gives detailed and useful information about errors in JavaScript, CSS, and XML

    Key-logger

    - Advertised as "never lose a message board post or email again"
    - If you have physical access to the target machine
    - Records all keystrokes typed in web pages
    - Icon can be hidden from status bar

    Tamper Data

    - Acts like a proxy server
    - Allows you to view and modify HTTP/HTTPS headers and POST parameters
    - Trace and time HTTP response/requests
    - Popular for hacking e-commerce sites that don't do server-side validation (e.g., of price)
    - Changing high scores on flash-based games
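
The server-side validation gap mentioned above, shown from the defender's side as an added example (not from the original slides): a handler that trusts the posted price next to one that looks the price up itself. `CATALOG`, the SKUs and the form field names are assumptions made for illustration.

```javascript
// Added example: order total computed with and without server-side validation.
// CATALOG, the SKUs and the field names (sku, qty, price) are assumptions.

const CATALOG = new Map([
  ["sku-1001", { name: "Widget", priceCents: 1999 }],
  ["sku-1002", { name: "Gadget", priceCents: 4950 }],
]);

// Weak version: trusts the price field the browser sent back, so whatever
// was edited in transit becomes the amount charged.
function totalTrustingClient(form) {
  return Math.round(Number(form.price) * 100) * Number(form.qty);
}

// Hardened version: the price comes only from the server-side catalogue.
function totalServerSide(form) {
  const item = CATALOG.get(String(form.sku));
  if (!item) return { ok: false, error: "unknown sku" };
  const qty = Number(form.qty);
  if (!Number.isInteger(qty) || qty < 1 || qty > 100) {
    return { ok: false, error: "invalid quantity" };
  }
  // A posted price that disagrees with the catalogue changes nothing about
  // the charge, but it is a useful signal to log and alert on.
  const claimed = form.price === undefined ? null : Math.round(Number(form.price) * 100);
  const tampered = claimed !== null && claimed !== item.priceCents;
  return { ok: true, totalCents: item.priceCents * qty, tampered };
}

// Constructed request body: the price field was changed from 19.99 to 0.01.
const MODIFIED_FORM = { sku: "sku-1001", qty: "2", price: "0.01" };

console.log(totalTrustingClient(MODIFIED_FORM)); // cents charged by the weak handler
console.log(JSON.stringify(totalServerSide(MODIFIED_FORM)));
```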

    Authors and add-ons (1)

    - Johann Adriaans (HackBar)
    - Alrond (WorldIP)
    - arrumi (Key-logger)
    - ASNumber (ASnumber)
    - chrispederick (User Agent Switcher)
    - Brian Baskin (Passive Cache)
    - danielneto (SQL Injection)
    - Jan Dittmer (ShowIP)
    - erginbulut (Host Spy)
    - FirebugWorkingGroup (Firebug)

    Authors and add-ons (2)

    - IronNem (Header Spy)
    - Christophe Jacquet (Server Spy)
    - Adam Judson (Tamper Data)
    - Eric H. Jung (FoxyProxy)
    - PC Man (IE Tab)
    - Justin Morehouse (PassiveRecon)
    - Mike Perry (Torbutton)
    - Security Compass (XSS Me, SQL Me, Access Me)
    - TechRaga (Anonymouse.org)

    Pen Testing the Web with Firefox: Add-ons

    Michael "theprez98" Schearer