• Donald Ashdown

3 Firefox add on's for website enumeration

Mozilla Firefox browser add-ons that can really help when it comes to initial website enumeration.



Quite often when participating in Cyber Security CTF's I encounter scenarios where I need to scan a website, and have no idea about any existing vulnerabilities so I like to keep it simple with my initial scans using these Firefox add-ons.




1. Web-Developer

https://addons.mozilla.org/en-US/firefox/addon/web-developer/


Web-developer is a very straight forward and powerful tool that allows the user to quickly access certain information on a website, that would otherwise require manual page inspection and navigation. One of the options is to display form details on the page, which I find particularly handy if I am investigating for any unsecured form input.



This fantastic tool also allows for quick access to viewing the cookies, response headers, and java script, with the ability to beautify that java script on the fly. It even has an option to remove form validation, allowing you to test client side form security.


2. HackBar Quantum

https://addons.mozilla.org/en-US/firefox/addon/hackbar-free/


This is another great tool, that allows for the generation of website vulnerability payloads such as XSS, SQL, CMD injection, and remote file inclusion.















This tool also allows for on the fly encryption/decryption, and encoding/decoding functions for saving the time. I find this tool particularly helpful for security CTF's.


HackBar also offers the ability to modify cookies, user agents, and post data from within the inspection console. This is particularly helpful, for configuring and repeating SQL attacks with speed.


3. Web Securify

https://addons.mozilla.org/en-us/firefox/addon/websecurify/


One of the more comprehensive add on's is Web Securify. This tool is designed for scanning websites, and performing deep investigations, with built in tools that allow for packet inspection, http traffic logging, geo location based get requests, and auto scanning for page vulnerabilities just to name a few. Every tool in this suite has a nice bite size summary of how to use the tool.


Below is a screen shot of the available tools from the dashboard.



Below is a result of running the "scanner" tool which has found a banner disclosure and XSS vulnerability.

You will also find some more aggressive tools in this suite such as "unfold" which allows for directory brute forcing and webpage url crawling with the spider function. This can be a very fast and effective way to find hidden directories without the need for any external tools.



29 views0 comments