APPLICATION SECURITY STRATEGIES

Using the Firefox Web Developer extension to find security flaws

Kevin Beaver, CISSP
03.04.2009

Have you ever come across a situation where you've needed a tool but didn't think you had the right one to get the job done? Like when you're trying to change a smoke detector battery or tighten a loose door knob -- it seems as if the tool you need is never handy, and you might even have to go out and buy it. What we tend to forget is that we can often solve our project needs with ordinary household items like a butter knife or nail clippers -- things that you wouldn't expect to use but can get the job done.

Now shift into the application security mindset and voila, there's Firefox Web Developer: an unlikely "security testing" tool but one that serves the purpose very well. It's a quick download, and it's free. Originally a tool for tweaking and troubleshooting Web pages, Web Developer (shown in Figure 1) has evolved over the past six years into a formidable tool for manually uncovering security flaws.

[IMAGE]

Figure 1: Firefox Web Developer shows up as a standard browser toolbar

From cookie analysis to form manipulation to JavaScript inspection, Firefox Web Developer helps fill the gap that automated Web vulnerability scanners leave behind: a scanner reports what it recognizes, while the toolbar lets you see and change exactly what the browser is sending and receiving. The following are ways you can use the Firefox Web Developer extension to check for Web security vulnerabilities:

1. Under the Disable menu, you can disable the browser cache, JavaScript and referrers (the HTTP Referer header). Switching these off shows how much of the application's behavior depends on the client cooperating: form validation that lives only in JavaScript, or a "protection" that consists of checking the Referer, disappears the moment you disable it, and whatever still holds is what the server actually enforces.

2. Under the Cookies menu, you can disable cookies and view and edit cookie information (value, host, path, expiry and whether the Secure flag is set) for session manipulation: change or remove a session cookie and see what the user can still see and do.

3. Under the Forms menu, there are lots of options for form manipulation (one of my favorite things to do and one of the biggest areas of exploitation): populating form fields with test input and analyzing the responses, and even removing maximum field lengths to see how much junk the application can accept before it starts to croak. A maxlength attribute is only a hint to the browser; if the server accepts the oversized input once the attribute is gone, the real length check is missing.

4. Under the Information menu, you have options to view the HTTP response headers, the page's JavaScript and page information, including whether or not SSL is in use on the current page (a common oversight I see: not using SSL everywhere). The response headers are also where you see the server and framework versions the application advertises and whether its session cookies are sent with the Secure and HttpOnly flags. There's also a link viewer to uncover parts of the site/app you may not have originally thought about testing, as shown in Figure 2.

[IMAGE]

Figure 2: Link information helps uncover forgotten links and related sites to test

On a related note, there's also an Outline External Links function (via the Outline menu) that highlights links pointing to other hosts. This comes in handy when you want to visually ensure you're not leaving the site/application you're testing, which is also a scope question: links to third-party hosts are not yours to test unless they are within the engagement's scope.

5. Finally, under the Miscellaneous menu, you can do things such as show HTML comments, which often reveal more than they should (developer notes, internal paths, disabled features), and show hidden form elements, whose values many applications trust even though they are easily changed using a Web proxy.
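The checks in items 2 through 5 are ones you will want to repeat on every page of an application, and they can be scripted. The following is an added example, not code from the article or from the Web Developer extension: it takes one saved HTTP response (a constructed sample; the host, cookie names, paths and comment text are made up) and reports what the Cookies, Forms, Information, Outline and Miscellaneous menus would show, plus the Secure/HttpOnly and SSL checks you would otherwise do by eye.

```python
# Added example (not from the article or the extension): the toolbar's checks over one saved response.
from html.parser import HTMLParser
from urllib.parse import urlsplit


class PageAudit(HTMLParser):
    """Collects hidden fields, client-side length caps, comments and off-site links."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host.lower()
        self.forms = []            # (action, method): where manipulated input goes
        self.hidden_fields = []    # (name, value): trivially changed with a proxy
        self.length_limits = []    # (name, maxlength): client-side caps to remove
        self.comments = []         # HTML comments: paths, TODOs, credentials leak here
        self.external_links = []   # hrefs whose host is not the one under test

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self.forms.append((a.get("action", ""), a.get("method", "get").upper()))
        elif tag in ("input", "textarea"):
            name = a.get("name", "")
            if a.get("type", "").lower() == "hidden":
                self.hidden_fields.append((name, a.get("value", "")))
            if str(a.get("maxlength", "")).isdigit():
                self.length_limits.append((name, int(a["maxlength"])))
        elif tag == "a" and a.get("href"):
            host = urlsplit(a["href"]).hostname
            if host and host.lower() != self.page_host:
                self.external_links.append(a["href"])

    def handle_comment(self, data):
        self.comments.append(data.strip())


def audit_headers(header_block):
    """Flag session cookies without Secure/HttpOnly and a missing HSTS header."""
    findings, seen = [], set()
    for line in header_block.splitlines()[1:]:   # skip the status line
        name, sep, value = line.partition(":")
        if not sep:
            continue
        name = name.strip().lower()
        seen.add(name)
        if name == "set-cookie":
            parts = [p.strip() for p in value.split(";")]
            cookie = parts[0].split("=", 1)[0].strip()
            flags = {p.lower() for p in parts[1:]}
            if "secure" not in flags:
                findings.append(f"cookie {cookie} lacks Secure")
            if "httponly" not in flags:
                findings.append(f"cookie {cookie} lacks HttpOnly")
    if "strict-transport-security" not in seen:
        findings.append("no Strict-Transport-Security header")
    return findings


def audit_response(raw_response, page_url):
    """Split a raw response into headers and body and run both audits."""
    header_block, _, body = raw_response.partition("\n\n")
    parser = PageAudit(urlsplit(page_url).hostname or "")
    parser.feed(body)
    return {
        "ssl_in_use": urlsplit(page_url).scheme == "https",
        "header_findings": audit_headers(header_block),
        "forms": parser.forms,
        "hidden_fields": parser.hidden_fields,
        "length_limits": parser.length_limits,
        "comments": parser.comments,
        "external_links": parser.external_links,
    }


# Constructed sample: host, cookie names, paths and comment text are made up.
SAMPLE_URL = "https://www.example.com/account"
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Set-Cookie: JSESSIONID=0123456789abcdef; Path=/
Set-Cookie: prefs=compact; Path=/; Secure; HttpOnly
Content-Type: text/html

<html><body>
<!-- TODO: remove debug=1 handling before go-live -->
<form action="/account/update" method="post">
  <input type="hidden" name="user_id" value="1042">
  <input type="hidden" name="role" value="user">
  <input type="text" name="nickname" maxlength="20">
  <textarea name="bio" maxlength="500"></textarea>
  <input type="submit" value="Save">
</form>
<a href="/help">Help</a>
<a href="https://partner.example.net/sso">Partner login</a>
<a href="http://cdn.example.com/widget.js">Widget source</a>
</body></html>
"""

if __name__ == "__main__":
    for key, value in audit_response(SAMPLE_RESPONSE, SAMPLE_URL).items():
        print(f"{key}: {value}")
```

Run it as a script to print the report for the sample, or import audit_response and feed it responses captured through your Web proxy. Everything it lists is a starting point for manual testing, not a finding by itself: a hidden role field matters only if the server trusts it, and a removed maxlength matters only if the server accepts the oversized input.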

On a side note: If the Firefox browser is not your cup of tea, there's a rough equivalent of Web Developer on the Internet Explorer (IE) side. It's called the Internet Explorer Developer Toolbar and works on IE 6 and IE 7, as shown in Figure 3.

[IMAGE]

Figure 3: Internet Explorer Developer Toolbar shows up as a pin-able browser window

The Developer Toolbar is not nearly as extensive or as useful for security testing, but it can be used for a few things along these lines, such as disabling scripts and viewing cookies. Moving forward, IE 8 will have its own developer tools built right in.

Although the Firefox Web Developer extension is only part of what you need to test an application in depth, it's an important tool nonetheless and one you shouldn't be without.


About the author: Kevin Beaver, CISSP, is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.


All Rights Reserved, Copyright 2006 - 2009, TechTarget | Read our Privacy Policy