Today I rebuilt my Windows 7 partition. Amidst the flurry of backing up, I forgot to save my Firefox profiles. I figured this was a good time to review what I use addons-wise for all my day-to-day hacking needs.
First things first, most of these addons will have compatibility issues. To update a Firefox addon:
Download the xpi (right click “save target as” from the download button on addons.mozilla.com)
Open it with WinRAR
Open install.rdf with a text editor
Change the 3.xxx.xxx line to your current Firefox build
Save
Open the xpi file with Firefox
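The manual steps above, scripted as an added example (not from the original post). It assumes the "3.xxx.xxx line" is the `<em:maxVersion>` element of install.rdf; the function names and the sample add-on are made up for illustration. Because an edited archive no longer matches its signature, it refuses XPIs that carry a META-INF/ directory.

```python
import io
import re
import zipfile

# Element form of the version cap in install.rdf (assumed to be the "3.xxx.xxx line").
MAX_VERSION = re.compile(r"(<em:maxVersion>)[^<]*(</em:maxVersion>)")


def bump_max_version(xpi_bytes, new_version):
    """Return a copy of the XPI with every em:maxVersion set to new_version."""
    if not re.fullmatch(r"[0-9A-Za-z.*+-]+", new_version):
        raise ValueError("unexpected characters in version string")
    out = io.BytesIO()
    with zipfile.ZipFile(io.BytesIO(xpi_bytes)) as src, \
            zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        names = src.namelist()
        if "install.rdf" not in names:
            raise ValueError("no install.rdf at the archive root")
        if any(n.upper().startswith("META-INF/") for n in names):
            # Editing a signed archive leaves it inconsistent with its signature.
            raise ValueError("XPI is signed; edited copy would not verify")
        for info in src.infolist():
            data = src.read(info)
            if info.filename == "install.rdf":
                text, count = MAX_VERSION.subn(
                    lambda m: m.group(1) + new_version + m.group(2),
                    data.decode("utf-8"))
                if count == 0:
                    raise ValueError("no <em:maxVersion> element found")
                data = text.encode("utf-8")
            dst.writestr(info, data)  # every other file is copied unchanged
    return out.getvalue()


def build_sample_xpi():
    """Constructed sample add-on (not a real extension) for trying the function."""
    rdf = ('<RDF xmlns:em="http://www.mozilla.org/2004/em-rdf#"><Description>'
           "<em:id>sample@example.invalid</em:id><em:targetApplication><Description>"
           "<em:minVersion>3.0</em:minVersion><em:maxVersion>3.6.*</em:maxVersion>"
           "</Description></em:targetApplication></Description></RDF>")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("install.rdf", rdf)
        z.writestr("chrome/content/overlay.js", "// constructed sample\n")
    return buf.getvalue()


if __name__ == "__main__":
    patched = bump_max_version(build_sample_xpi(), "4.0.*")
    print(zipfile.ZipFile(io.BytesIO(patched)).read("install.rdf").decode())
```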
Now, here is what I use regularly:
MultiProxySwitch or FoxyProxy – for fast switching to Burp or Tor
PassiveRecon – for OSINT style gathering
ShowIP – shows the server IP and additional possible IPs if load balanced; you can also right click to get Netcraft info
Live HTTP Headers – for checking for load balancing et al
Wappalyzer and Backend Software Information – to identify platforms, frameworks, and common apps
Hackbar – for fast submission of post requests without firing up Burp, also has great encoding support. I love Hackbar.
Add n Edit Cookies – invaluable for cookie inspection and testing
Firebug or WiderBug (thanks Andre!) – because it's awesome
Lazarus – so I never accidentally forget an injection string I already tried
FxIF – usually used for metadata analysis in CTFs
Fireforce – I usually use Burp Intruder to bruteforce forms-based auth, but Fireforce is still neat
Although I don’t really use them much, Greasemonkey with Whiteacid’s XSS assistant (careful with this one), XSSme, SQLinjectME, and SQL Injection! are all good addons for testing injection. They also have good injection regexes to steal for use in other tools.
For general browsery I use Readitlater and Xmarks to keep up a good reading list across all my boxes
For browser scripting I use iMacros for Firefox
Caveats:
There was a presentation by Michael Schearer (“theprez98”) called “Pen Testing the Web with Firefox”; check that out. Also, there is a huge Mozilla collection called FireCAT by Securitydatabase.com. I like some of the tools, but I feel installing the whole collection bloats my browser too much.
Anyways, that’s all for now. Happy hacking!