Now shift into the application security mindset and voila, there's Firefox Web Developer: an unlikely "security testing" tool but one that serves the purpose very well. It's not only handy via this quick download -- it's also free. Originally a tool for tweaking and troubleshooting Web pages, Web Developer (shown in Figure 1) has evolved over the past six years as a formidable tool for manually uncovering security flaws.Click to enlarge
Figure 1: Firefox Web Developer shows up as a standard browser toolbar
2. Under the Cookies menu, you have the option to disable cookies and view cookie information for session manipulation to see what the user can see and do.
3. Under the Forms menu, there are lots of options for form manipulation (one of my favorite things to do and one of the biggest areas of exploitation) by populating form fields and analyzing the responses and even removing maximum field lengths to see how much junk the application can accept before it starts to croak.
Figure 2: Link information helps uncover forgotten links and related sites to test
On a related note, there's also an outline links function (via the Outline menu) that highlights page links that are hosted elsewhere. This comes in handy when you want to visually ensure you're not leaving the site/application you're testing.
5. Finally, under the Miscellaneous menu, you can do things such as show comments that often reveal more than they should and view hidden form elements that are easily manipulated using a Web proxy.
On a side note: If the Firefox browser is not your cup of tea, there's somewhat of an equivalent of Web Developer on the Internet Explorer (IE) side. It's called the Internet Explorer Developer Toolbar and works on IE 6 and IE 7, as shown in Figure 3.Click to enlarge
Figure 3: Internet Explorer Developer Toolbar shows up as a pin-able browser window
The Developer Toolbar is not nearly as extensive and useful for security testing, but it can be used for a few things along this line, such as disabling scripts and viewing cookies. Moving forward, IE 8 will have its own developer tools built right in.
Although the Firefox Web Developer extension is only part of what you need to test an application in-depth, it's an important tool nonetheless and one you shouldn't be without.
About the author: Kevin Beaver, CISSP, is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at] principlelogic.com.