If you remember, there used to an add-on for Firefox – XSS Me; which unfortunately no longer works out of the box for the latest versions of the browser. It was also a part of the Firefox Addons for helping you with web application penetration testing. We now have something similar to it that works on Google Chrome – XSS Radar. Firefox Plugins Access Me. Access Me is an add-on for security testing professionals. This add-on is developed by the company that works on XSS Me and SQL Inject Me. Access Me is the can Exploit-Me tool used for testing access vulnerabilities in web applications. This tool works by sending several versions of page requests. Nov 14, 2018 There is a Firefox plugin, XSS ME specialized in finding this type of vulnerability. How to avoid getting infected with XSS? Always escape exit to prevent the data provided by the user to add HTML entities, like etc. A quick help method to use here is. Comment on attachment 591286 Patch to add an XSS filter to Firefox Here's some feedback on this patch. I have yet to look at the actual filter implementation or the tests, but I did read through the rest of this patch fairly closely. On a general note, it seems there's a lot of overlap in where we call into CSP and this new XSS filter, would it.
| Firefox Add-ons for Hackers |
11 Firefox Add-ons a Hacker Must Have
1. Tamper Data
Tamper data is a great tool to view and modify HTTP/HTTPS headers and post parameters. We can alter each request going from our machine to the destination host with this. It helps in security testing web applications by modifying POST parameters. It can be used in performing XSS and SQL Injection attacks by modifying header data.
Add Tamper data to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/tamper-data/
2. Firebug
Firebug is a nice add-on that integrates a web development tool inside the browser. With this tool, you can edit and debug HTML, CSS, and JavaScript live on any webpage to see the effect of changes. It helps while analyzing JS files to find XSS vulnerabilities. It’s a very helpful add-on for finding DOM based XSS for security testing professionals.
Add Firebug to your browser:
https://addons.mozilla.org/en-US/firefox/addon/firebug/
3. Hackbar
Hackbar is a simple penetration tool for Firefox. It helps in testing simple SQL injection and XSS holes. You cannot execute standard exploits but you can easily use it to test whether or not vulnerability exists. You can also manually submit form data with GET or POST requests. It also has encryption and encoding tools. Most of the time, this tool helps while testing XSS vulnerability with encoded XSS payloads. It also supports keyboard shortcuts to perform various tasks. I am sure most people in the security field already know about this tool. Hackbar is mostly used in finding POST XSS vulnerabilities because it can send POST data manually to any page you like. With the ability to manually send POST form data, you can easily bypass client side validations. If your payload is being encoded at client side, you can use an encoding tool to encode your payload and then perform the attack. If the application is vulnerable to XSS, I am sure you will find the vulnerability with the help of the Hackbar add-on to Firefox browser.
Add Hackbar to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/hackbar/
4. Cookies Manager
Cookie Manager is one of the greatest tools ever created. Using this tool you can actually play with cookies. You can alter almost every cookie using this tool. You can use Cookies Manager to view, edit, and create new cookies. It also displays extra information about cookies, allowing you to edit multiple cookies at once and backup/restore them.
Add Cookies Manager to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/cookies-manager-plus/
5. NoScript
No Script add-on is greatness beyond imagination. With this tool, you can monitor each and every script running on a website; you can block any of the scripts and see what each script actually does. But this add-on is for experts, newbies will face problems using this. Note: If you are testing XSS, HTTPS header modifications, or Injection attacks on any website, you need to disable this plugin first because it will block your efforts.
Add NoScript to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/noscript/
6. Grease Monkey
Grease Monkey is the counter part to NoScript, its function is the exact opposite of Noscript. We use Noscript to block scripts and GreaseMonkey to run them. It allows you to customize the way a web page displays or behaves by using small bits of JavaScript.
Add Grease Monkey to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/greasemonkey/
7. User Agent Switcher
User Agent Switcher adds a one-click user agent switch to the browser, along with a menu and tool bar button. Whenever you want to switch the user agent, use the browser button. User Agent add-on helps in spoofing the browser while performing an attack.
Add User Agent Switcher to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
8. CryptoFox
CryptoFox is an encryption or decryption tool for Mozilla Firefox. It supports most of the available encryption algorithms so you can easily encrypt or decrypt data with supported encryption algorithms. This add-on comes with dictionary attack support to crack MD5 cracking passwords. Although it hasn’t always had great reviews, it works satisfactorily.
Add CryptoFox to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/cryptofox/
9. SQL Inject Me
SQL Inject Me is another nice Firefox add-on used to find SQL injection vulnerabilities in web applications. This tool does not exploit vulnerabilities but displays their existence. SQL injection is one of the most harmful web application vulnerabilities, it can allow attackers to view, modify, edit, add, or delete records in a database. This tool sends escape strings through form fields and searches database error messages. If it finds a database error message, it marks the page as vulnerable. Hackers can use this tool for SQL injection testing.
Add SQL Inject Me to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/sql-inject-me/
Xss Me For Firefox Extension
10. XSS ME
Cross Site Scripting is the most common web application vulnerability. This add-on is incredibly useful for detecting XSS vulnerabilities in web applications. XSS-Me is used to find reflected XSS vulnerabilities from a browser. It scans all forms of the page, and then performs an attack on selected pages with pre-defined XSS payloads. After the scan is complete, it lists all the pages that rendered a payload, and may be vulnerable to XSS attack. Then, you can manually test the web page to determine whether or not the vulnerability exists.
Add XSS ME to Firefox:
https://addons.mozilla.org/en-us/firefox/addon/xss-me/
Xss Me Plugin For Firefox
11. Passive Recon
Last but not the least, Passive Recon is an information gathering tool.
Passive Recon provides information security professionals the ability to perform “packetless” discoveries of target resources utilizing publicly available information. It gathers information in the same manner as DnsStuff tool, available on backtrack.
Add PassiveRecon to Firefox:
https://addons.mozilla.org/en-US/firefox/addon/passiverecon/
That’s all for today. I hope you’re enjoying your journey towards becoming a Professional Hacker. Have fun! Keep learning.