Firefox extensions for web developers and penetration testers

Written by SkyOut & Veda,

Thursday, 19 June 2008


01010111 01001001 01010010 01000101 01000100 01010011 ->
01000101 01000011 01010101 01010010 01001001 01010100 ->


|| 0x00: ABOUT ME
|| 0x01: FOR WHOM IS THIS INFORMATION USEFUL?
|| 0x02: TAMPER DATA
|| 0x03: VIEW COOKIES
|| 0x04: COOKIESAFE
|| 0x05: USERAGENTSWITCHER
|| 0x06: QUICKJAVA
|| 0x07: WEB DEVELOPER
|| 0x08: XML DEVELOPER TOOLBAR
|| 0x09: HACKBAR
|| 0x10: SERVER SPY
|| 0x11: FIREBUG
|| 0x12: LIVE HTTP HEADERS
|| 0x13: HEADER MONITOR
|| 0x14: MODIFY HEADERS
|| 0x15: XSS ME
|| 0x16: SQL-INJECT ME


|| 0x00: ABOUT ME

Author: SkyOut, Veda
Date: February 2008

|| 0x01: For whom is this information useful?

Most of the following Firefox extensions were written for web developers and
therefore expose detailed information about the structure of a website. That
same information is useful to a penetration tester who is analysing a website
for vulnerabilities. Some of the extensions are built specifically for attacking
a website and are handy and easy to use. All extensions have been tested with
Firefox 2.0.0.*!

|| 0x02: Tamper Data by Adam Judson

Use Tamper Data to view and modify HTTP/HTTPS headers and POST parameters.

Trace and time HTTP requests and responses.

Security-test web applications by modifying parameters (GET, POST and headers)
after the browser has built the request but before it is sent, which bypasses any
validation done client-side in JavaScript or HTML form attributes.

|| 0x03: View cookies by Edwin Martin

It adds a tab to the Page Info dialog box, which shows the cookies of the
current webpage. This is interesting for developers, privacy-conscious users and

|| 0x04: CookieSafe by Ron Beckman

This extension will allow you to easily control cookie permissions. It will appear
on your statusbar. Just click on the icon to allow, block, or temporarily allow the
site to set cookies. You can also view or clear the cookies and exceptions by right
clicking on the statusbar icon. For safer browsing you may choose to deny cookies
globally and then enable them on a per site basis.

|| 0x05: UserAgentSwitcher by Chris Pederick

The User Agent Switcher extension adds a menu and a toolbar button to switch the user
agent of the browser. It is designed for Firefox, Flock and Seamonkey, and will run on
any platform that these browsers support including Windows, Mac OS X and Linux.

|| 0x06: QuickJava by Doug G

Allows quick enabling and disabling of Java and JavaScript from the status bar.
Handy for checking how a page behaves with JavaScript off, for example whether a
form is validated only on the client side.

|| 0x07: Web Developer by Chris Pederick

Adds a menu and a toolbar with various web developer tools.

|| 0x08: XML Developer Toolbar by Scott Root II

The XML Developer's Toolbar!

Finally, a toolbar modelled after Chris Pederick's Web Developer toolbar, that lets XML
developers use standard tools from within the browser!

Features include:
-Schema Generation
-DTD Generation
-Schema Validation
-XML -> Schema Validation
-Style Manipulation
-XSL Transformations on-the-fly
-DOM Inspector incorporated views
-Document statistics for future Semantic Web purposes
-SOA Module (coming soon)
-Lame scratch pad that does...nothing really useful :p

|| 0x09: HackBar by Johan Adriaans

# New features
- Show / Hide hotkey [F9]
- Tab sensitive
- Auto load, split and focus when pressing hotkey on a new URL.
- Localized ( English and Dutch for now )
- Textarea width set to 100% (removed dragbar)
- Complete code revision (OO based instead of functions)

# In general
This toolbar will help you test for SQL injections, XSS holes and site security in general.
It is NOT a tool for executing standard exploits and it will NOT teach you how to
hack a site. Its main purpose is to help a developer do security audits on his own code.
If you know what you're doing, this toolbar will help you do it faster. If you want to
learn to find security holes, you can also use this toolbar, but you will probably also
need a book, and a lot of Google :)

# The advantages are:
- Even the most complicated URLs will be readable
- The focus stays on the textarea, so after executing the URL (ctrl+enter) you can
just go on typing / testing
- The URL in the textarea is not affected by redirects.
- I tend to use it as a notepad :)
- Useful tools like on-the-fly UU/URL decoding etc.
- All functions work on the currently selected text.

# Load url ( alt a )
This loads the URL of the current page into the textarea.

# Split url ( alt s )
When this button is clicked, the URL/text in the textarea will be split into multiple
lines at the ? and & characters.

# Execute ( alt x, ctrl enter )
This will execute the current URL in the textarea; I mostly use ctrl+enter.

# INT -1 ( alt - )
First select a number in the textarea and press this button: the number will be decreased
by 1 and the URL will be loaded.

# INT +1 ( alt + )
Again, first select a number in the textarea and press this button: 1 will be added to the
number and the URL will be loaded. Stepping an id parameter like this is a quick way to
check whether an application exposes records that the current user should not see.

# MD5 Hash ( alt m )
MD5 is a standard hash function, often used by applications to store passwords. Note that
hashing is not encryption: an MD5 value cannot be decrypted, only matched against candidate
inputs. This will MD5 hash the currently selected string.

# MySQL CHAR() ( alt y )
If quotes are escaped but you have found an exploitable SQL injection, you can use
this button to convert, say:
load_file('/etc/passwd') --> load_file(CHAR(47, 101, 116, 99, 47, 112, 97, 115, 115, 119, 100))
thus omitting the quotes needed to load a file. The numbers are simply the ASCII codes
of the characters in the string.
You can also use this on
WHERE foo LIKE ('%bar%') --> WHERE foo LIKE (CHAR(37, 98, 97, 114, 37))

# MsSQL CHAR() ( alt q )
Same story as MySQL CHAR(), but MS SQL's CHAR() takes a single code at a time, so the
values are concatenated with +:
--> WHERE foo LIKE ( CHAR(37) + CHAR(98) + CHAR(97) + CHAR(114) + CHAR(37))

# Base64 encode / decode
Base64 encoding (called UU in the toolbar's feature list above, although real uuencoding
is a different scheme) is often used to store data (like a return URL etc.). Such values
are encoded, not encrypted, and this will help you read and rewrite them.

# URLencode / decode
This will encode or decode the currently selected characters to URL-safe characters.
I mostly use it to end a query with # (%23) when in a pseudo path where I can't use /* or --.
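The HackBar functions above are small text transformations, and it is worth having them as a script as well, for use outside the browser. The following Python is an added example written for this article, not HackBar's own code; it reproduces the page's own CHAR() conversions, URL/Base64/MD5 helpers and the INT +1 / INT -1 step, and goes one step further with dequote(), which rewrites every quoted literal in a whole expression rather than just the selected text. The exact line layout produced by Split url (each ? and & starting a new line) is an assumption.

```python
from __future__ import annotations

import base64
import hashlib
import re
import urllib.parse


def mysql_char(s: str) -> str:
    """One CHAR() call with a comma-separated byte list, the MySQL form."""
    return "CHAR(" + ", ".join(str(b) for b in s.encode("utf-8")) + ")"


def mssql_char(s: str) -> str:
    """MS SQL's CHAR() takes a single code, so each byte gets its own call, joined with +."""
    return " + ".join(f"CHAR({b})" for b in s.encode("utf-8"))


_QUOTED = re.compile(r"'([^']*)'")


def dequote(expr: str, dialect: str = "mysql") -> str:
    """Replace every single-quoted literal in expr with the quote-free CHAR() form.
    Generalises the toolbar's convert-the-selected-string step to a whole expression."""
    conv = {"mysql": mysql_char, "mssql": mssql_char}[dialect]
    return _QUOTED.sub(lambda m: conv(m.group(1)), expr)


def url_encode(s: str) -> str:
    """Percent-encode everything except unreserved characters, so '#' becomes %23."""
    return urllib.parse.quote(s, safe="")


def url_decode(s: str) -> str:
    return urllib.parse.unquote(s)


def b64_encode(s: str) -> str:
    return base64.b64encode(s.encode("utf-8")).decode("ascii")


def b64_decode(s: str) -> str:
    return base64.b64decode(s).decode("utf-8")


def md5_hex(s: str) -> str:
    """Hex digest of the selected text. A hash, not encryption: it cannot be reversed."""
    return hashlib.md5(s.encode("utf-8")).hexdigest()


def split_url(url: str) -> str:
    """Put every ? and & at the start of its own line (assumed layout of the Split button)."""
    return re.sub(r"([?&])", r"\n\1", url)


def join_url(text: str) -> str:
    """Undo split_url before the request is executed."""
    return text.replace("\n", "")


def adjust_selected_int(text: str, start: int, end: int, delta: int) -> str:
    """INT +1 / INT -1: text[start:end] is the selected number; replace it with value + delta."""
    selected = text[start:end]
    if not re.fullmatch(r"-?\d+", selected):
        raise ValueError(f"selection {selected!r} is not an integer")
    return text[:start] + str(int(selected) + delta) + text[end:]


if __name__ == "__main__":
    print(dequote("load_file('/etc/passwd')"))
    print(dequote("WHERE foo LIKE ('%bar%')", "mssql"))
    url = "http://example.test/news.php?id=10&page=2"  # constructed URL
    pos = url.index("id=") + 3
    print(adjust_selected_int(url, pos, pos + 2, -1))
    print(split_url(url))
    print(url_encode("#"), b64_encode("/admin"), md5_hex(""))
```

dequote() leaves the rest of the expression untouched, so it can be run over an entire injected clause at once; for Base64 values remember that the result is plain text that the server will trust just as readily after you have changed it and re-encoded it.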

|| 0x10: Server Spy by Christophe Jacquet

Server Spy indicates what brand of HTTP server (e.g. Apache, IIS, etc.)
runs on the visited sites. When a tab is selected, the corresponding server
name is shown on the right-hand side of the browser's status bar. Keep in mind
that the Server header is set by the site operator and can be changed or removed,
so treat it as a hint rather than proof of what is really running.

|| 0x11: Firebug by Joe Hewitt

Firebug integrates with Firefox to put a wealth of development tools at
your fingertips while you browse. You can edit, debug, and monitor CSS,
HTML, and JavaScript live in any web page.

Visit the Firebug website for documentation, screen shots, and discussion forums:

|| 0x12: Live HTTP Headers by Daniel Savard, Nicolas Coukouma

View the HTTP headers of a page, and watch them as they go by while browsing.

|| 0x13: Header Monitor by Alexey Biznya

This Firefox extension displays in a status bar panel any HTTP response
header of the top-level document returned by a web server, for example Server
(the default), Content-Encoding, Content-Type, X-Powered-By and others.

Important: this extension obtains its headers from Live HTTP Headers. Therefore, in order to use
Header Monitor, first install the Live HTTP Headers extension from

|| 0x14: Modify Headers by Gareth Hunt

Add, modify and filter HTTP request headers. You can modify the user
agent string, add headers to spoof a mobile request (e.g.
x-up-calling-line-id) and much more. Take a look at the help tab of the Modify Headers window.

Some people think that 'user-agent' is a custom way of specifying the user agent string.
This is not true: HTTP header names are case-insensitive, so 'user-agent' is the same
standard User-Agent header. For a guide on this and other HTTP request headers, look at this W3C page:
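Tamper Data, User Agent Switcher, Server Spy, Live HTTP Headers, Header Monitor and Modify Headers all operate on the same thing: the raw header block of a request or response. The Python below is an added example for this article, not code from any of those extensions. It parses a constructed request and response (no real site was captured), rewrites the User-Agent regardless of how the name is capitalised, adds the x-up-calling-line-id header quoted in the Modify Headers description, and reports the Server and X-Powered-By values that Server Spy and Header Monitor show. The header names, sample values and the list of "interesting" headers are assumptions chosen for the example.

```python
from __future__ import annotations


class HttpMessage:
    """Start line plus an ordered list of (name, value) headers; names compare case-insensitively."""

    def __init__(self, start_line: str, headers: list[tuple[str, str]]):
        self.start_line = start_line
        self.headers = headers

    @classmethod
    def parse(cls, raw: bytes) -> "HttpMessage":
        head, _, _body = raw.partition(b"\r\n\r\n")
        lines = head.decode("iso-8859-1").split("\r\n")
        headers = []
        for line in lines[1:]:
            name, sep, value = line.partition(":")
            if not sep or not name.strip():
                raise ValueError(f"malformed header line: {line!r}")
            headers.append((name.strip(), value.strip()))
        return cls(lines[0], headers)

    def get(self, name: str) -> list[str]:
        """All values for a header, whatever case the sender used."""
        return [v for n, v in self.headers if n.lower() == name.lower()]

    def set(self, name: str, value: str) -> None:
        """Replace the header ('user-agent' and 'User-Agent' are the same field), keeping its position."""
        kept = [(n, v) for n, v in self.headers if n.lower() != name.lower()]
        for i, (n, _) in enumerate(self.headers):
            if n.lower() == name.lower():
                kept.insert(i, (name, value))
                break
        else:
            kept.append((name, value))
        self.headers = kept

    def serialize(self) -> bytes:
        """Re-emit the head, ready to go on the wire (body handling omitted)."""
        lines = "".join(f"{n}: {v}\r\n" for n, v in self.headers)
        return (self.start_line + "\r\n" + lines + "\r\n").encode("iso-8859-1")


def fingerprint(resp: HttpMessage) -> dict[str, str]:
    """What Header Monitor shows: identifying response headers, if the server sent them."""
    wanted = ("Server", "X-Powered-By", "X-AspNet-Version", "Content-Type")
    return {h: ", ".join(resp.get(h)) for h in wanted if resp.get(h)}


def server_brand(resp: HttpMessage) -> str:
    """Server Spy's status-bar value: the product token before any version, or 'unknown'."""
    values = resp.get("Server")
    return values[0].split("/")[0].strip() if values else "unknown"


def spoof_mobile(req: HttpMessage, user_agent: str, calling_line_id: str) -> HttpMessage:
    """The Modify Headers use case: pose as a handset behind a carrier gateway."""
    req.set("User-Agent", user_agent)
    req.set("x-up-calling-line-id", calling_line_id)
    return req


# Constructed sample traffic for the example; not captured from any real site.
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Apache/2.2.8 (Ubuntu)\r\n"
    b"X-Powered-By: PHP/5.2.4-2ubuntu5\r\n"
    b"Content-Type: text/html; charset=UTF-8\r\n"
    b"\r\n"
    b"<html>...</html>"
)

REQUEST = (
    b"GET /index.php HTTP/1.1\r\n"
    b"Host: example.test\r\n"
    b"user-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.14) Gecko/20080404 Firefox/2.0.0.14\r\n"
    b"Accept: text/html\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    resp = HttpMessage.parse(RESPONSE)
    print(server_brand(resp), fingerprint(resp))
    req = spoof_mobile(HttpMessage.parse(REQUEST), "Nokia6630/1.0", "+15555550100")
    print(req.serialize().decode())
```

The point of the case-insensitive set() is the one made above: lowercase 'user-agent' in a request is still the standard header, so a tampered request must replace it rather than add a second one.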


|| 0x15: XSS-Me by

XSS-Me is the Exploit-Me tool used to test for reflected Cross-Site Scripting (XSS) vulnerabilities.

|| 0x16: SQL Inject-Me by

SQL Inject-Me is the Exploit-Me tool used to test for SQL Injection vulnerabilities.
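Both Exploit-Me tools work by submitting attack strings through a form and inspecting the response. The Python below is an added example for this article, written to show the idea rather than taken from XSS-Me or SQL Inject-Me: it defines two constructed form handlers, each in a vulnerable and a fixed version (an unescaped echo of a search term, and a string-built SQL query that leaks database errors, against an in-memory SQLite table), then runs a reflection check for XSS and an error-based check for SQL injection against each. The payload list, the error signatures and the sample table are assumptions chosen for the example.

```python
from __future__ import annotations

import html
import re
import secrets
import sqlite3

# ---- constructed targets, standing in for a real application's form handlers ----

def search_vulnerable(q: str) -> str:
    """Reflects the query into the page unescaped: the bug a reflected-XSS test looks for."""
    return f"<html><body><p>Results for {q}</p></body></html>"


def search_fixed(q: str) -> str:
    """Same page with the query HTML-escaped before it is reflected."""
    return f"<html><body><p>Results for {html.escape(q, quote=True)}</p></body></html>"


_DB = sqlite3.connect(":memory:")
_DB.execute("CREATE TABLE users (id INTEGER, name TEXT)")
_DB.executemany("INSERT INTO users VALUES (?, ?)", [(1, "alice"), (2, "bob")])


def lookup_vulnerable(name: str) -> str:
    """Builds the query by string formatting and echoes the database error to the page."""
    try:
        rows = _DB.execute(f"SELECT id FROM users WHERE name = '{name}'").fetchall()
    except sqlite3.Error as exc:
        return f"<p>Database error: {exc}</p>"
    return f"<p>{len(rows)} user(s) found</p>"


def lookup_fixed(name: str) -> str:
    """Parameterised query: the input is bound as data and never parsed as SQL."""
    rows = _DB.execute("SELECT id FROM users WHERE name = ?", (name,)).fetchall()
    return f"<p>{len(rows)} user(s) found</p>"


# ---- the probes ----

XSS_PAYLOADS = [
    "<script>alert({c})</script>",
    '"><script>alert({c})</script>',
    "'><img src=x onerror=alert({c})>",
]


def reflected_xss(handler) -> list[str]:
    """Submit each payload with a random canary and return the templates reflected verbatim.
    Verbatim reflection means the markup reached the page unencoded; whether it executes
    still depends on the context it landed in, so confirm hits in a browser."""
    hits = []
    for template in XSS_PAYLOADS:
        canary = str(secrets.randbelow(10**8))  # so a hit cannot be pre-existing page text
        payload = template.format(c=canary)
        if payload in handler(payload):
            hits.append(template)
    return hits


SQL_ERROR_SIGNS = re.compile(
    r"unrecognized token|syntax error|SQL syntax|unterminated quoted string|ORA-\d{5}|ODBC",
    re.IGNORECASE,
)
SQLI_PROBES = ["'", '"', "' OR '1'='1", "1' AND '1'='2"]


def sql_injection(handler) -> list[str]:
    """Error-based check: send quote-breaking strings and look for database error text.
    Silent failures (no error shown) need a boolean or timing check instead."""
    return [p for p in SQLI_PROBES if SQL_ERROR_SIGNS.search(handler(p))]


if __name__ == "__main__":
    for name, h in [("vulnerable", search_vulnerable), ("fixed", search_fixed)]:
        print("XSS", name, reflected_xss(h))
    for name, h in [("vulnerable", lookup_vulnerable), ("fixed", lookup_fixed)]:
        print("SQLi", name, sql_injection(h))
```

Note what the fixed handlers change: html.escape() at the output and a bound parameter at the query are the two corrections, and the probes come back empty for both.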

<!> Happy Hacking <!>


