
Using the Firefox Web Developer extension to find security flaws

Originally a tool for tweaking and troubleshooting Web pages, Firefox Web Developer has evolved over the years into a formidable tool for manually uncovering security flaws.

Kevin Beaver
Have you ever come across a situation where you've needed a tool but didn't think you had the right one to get the job done? Like when you're trying to change a smoke detector battery or tighten a loose door knob -- it seems as if the tool you need is never handy, and you might even have to go out and buy it. What we tend to forget is that we can often solve our project needs with ordinary household items like a butter knife or nail clippers -- things that you wouldn't expect to use but can get the job done.

Now shift into the application security mindset and voila, there's Firefox Web Developer: an unlikely "security testing" tool but one that serves the purpose very well. It's not only handy via this quick download -- it's also free. Originally a tool for tweaking and troubleshooting Web pages, Web Developer (shown in Figure 1) has evolved over the past six years into a formidable tool for manually uncovering security flaws.


Figure 1: Firefox Web Developer shows up as a standard browser toolbar

From cookie analysis to form manipulation to JavaScript parsing, Firefox Web Developer helps fill the Web security gap that's left behind by using only standard Web vulnerability scanners. The following are ways you can use the Firefox Web Developer extension to check for Web security vulnerabilities:

1. Under the Disable menu, you can disable the browser cache, JavaScript and URL referrers for manipulating application behavior and assessing responses to see what can be exploited.

2. Under the Cookies menu, you have the option to disable cookies and view cookie information for session manipulation to see what the user can see and do.

3. Under the Forms menu, there are lots of options for form manipulation (one of my favorite things to do and one of the biggest areas of exploitation): populating form fields and analyzing the responses, and even removing maximum field lengths to see how much junk the application will accept before it starts to croak.

4. Under the Information menu, you have options to view HTTP response headers, JavaScript and page information to show whether or not SSL is in use on the current page (a common oversight I see: not using SSL everywhere). There's also a link viewer to uncover parts of the site/app you may not have originally thought about testing, as shown in Figure 2.


Figure 2: Link information helps uncover forgotten links and related sites to test

On a related note, there's also an outline links function (via the Outline menu) that highlights page links that are hosted elsewhere. This comes in handy when you want to visually ensure you're not leaving the site/application you're testing.

5. Finally, under the Miscellaneous menu, you can do things such as show comments that often reveal more than they should and view hidden form elements that are easily manipulated using a Web proxy.
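The menus above are driven by hand in the browser, but the same checks can be scripted for a defender reviewing a saved copy of a page before release. The following Node.js script is an added example, not code from the article or from the Web Developer extension: it lists hidden form fields and maxlength limits (Forms menu), HTML comments (Miscellaneous menu), links hosted on other sites (Outline menu), form actions not submitted over SSL and the Secure/HttpOnly flags on cookies (Information and Cookies menus). The page URL, HTML and response headers are constructed samples, and the regular-expression parsing is a deliberate simplification suitable for a quick audit rather than a full HTML parser.

```javascript
// Added example: a lightweight page audit that mirrors, over a saved page, the
// checks the article performs by hand with Web Developer's Forms, Information,
// Outline, Miscellaneous and Cookies menus. Not from the article or the extension.

// Constructed sample data (hypothetical site; not a real host).
const SAMPLE_URL = 'https://shop.example.test/checkout';

const SAMPLE_HTML = `<!-- TODO: remove test coupon code TEST100 before launch -->
<html><body>
<form action="http://shop.example.test/pay" method="post">
  <input type="hidden" name="unit_price" value="19.99">
  <input type="hidden" name="discount_pct" value="0">
  <input type="text" name="coupon" maxlength="8">
  <input type="text" name="comment" maxlength="200">
</form>
<a href="/help">Help</a>
<a href="https://cdn.example-partner.test/widget.js">Widget</a>
<a href="https://shop.example.test/returns">Returns</a>
</body></html>`;

// Constructed response headers, lower-cased names as Node's http module reports them.
const SAMPLE_HEADERS = {
  'set-cookie': [
    'SESSIONID=3f9a1c; Path=/',
    'prefs=dark; Path=/; Secure; HttpOnly; SameSite=Lax',
  ],
  server: 'ExampleServer/1.0',
};

// Read one attribute from a single tag string; returns null when absent.
// Regex-based on purpose: good enough for an audit of saved markup, not a parser.
function attr(tag, name) {
  const re = new RegExp(`\\b${name}\\s*=\\s*"([^"]*)"|\\b${name}\\s*=\\s*'([^']*)'`, 'i');
  const m = tag.match(re);
  if (!m) return null;
  return m[1] !== undefined ? m[1] : m[2];
}

function inputTags(html) {
  return html.match(/<input\b[^>]*>/gi) || [];
}

// Forms menu: hidden fields are the ones most easily tampered with via a proxy.
function hiddenInputs(html) {
  return inputTags(html)
    .filter((t) => (attr(t, 'type') || '').toLowerCase() === 'hidden')
    .map((t) => ({ name: attr(t, 'name'), value: attr(t, 'value') }));
}

// Forms menu: client-side maxlength limits, which the server must enforce itself.
function maxLengths(html) {
  return inputTags(html)
    .filter((t) => attr(t, 'maxlength') !== null)
    .map((t) => ({ name: attr(t, 'name'), maxlength: Number(attr(t, 'maxlength')) }));
}

// Miscellaneous menu: comments that may reveal more than they should.
function htmlComments(html) {
  return (html.match(/<!--([\s\S]*?)-->/g) || []).map((c) => c.slice(4, -3).trim());
}

// Outline menu: links whose host differs from the page being tested.
function externalLinks(html, pageUrl) {
  const host = new URL(pageUrl).host;
  return [...html.matchAll(/<a\b[^>]*\bhref\s*=\s*["']([^"']+)["']/gi)]
    .map((m) => new URL(m[1], pageUrl))
    .filter((u) => u.host !== host)
    .map((u) => u.href);
}

// Information menu: form submissions that would leave SSL.
function insecureFormActions(html, pageUrl) {
  return [...html.matchAll(/<form\b[^>]*\baction\s*=\s*["']([^"']+)["']/gi)]
    .map((m) => new URL(m[1], pageUrl))
    .filter((u) => u.protocol !== 'https:')
    .map((u) => u.href);
}

// Cookies menu: session cookies without Secure/HttpOnly are exposed to
// cleartext transport and script access respectively.
function cookieFlags(setCookieLines) {
  return setCookieLines.map((line) => {
    const parts = line.split(';').map((p) => p.trim());
    const flags = parts.slice(1).map((p) => p.toLowerCase());
    return {
      name: parts[0].split('=')[0],
      secure: flags.includes('secure'),
      httpOnly: flags.includes('httponly'),
    };
  });
}

function auditPage(html, headers, pageUrl) {
  return {
    hiddenInputs: hiddenInputs(html),
    maxLengths: maxLengths(html),
    comments: htmlComments(html),
    externalLinks: externalLinks(html, pageUrl),
    insecureFormActions: insecureFormActions(html, pageUrl),
    cookies: cookieFlags(headers['set-cookie'] || []),
    serverBanner: headers.server || null,
  };
}

console.log(JSON.stringify(auditPage(SAMPLE_HTML, SAMPLE_HEADERS, SAMPLE_URL), null, 2));
```

Run it with `node audit.js`; on the constructed sample it reports two hidden fields, two maxlength limits, one leaked comment, one link to another host, one form posting over plain HTTP and a session cookie lacking both Secure and HttpOnly. For real pages, replace the regex helpers with a DOM (the browser's own developer tools or jsdom) so that unusual markup does not slip past the checks.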

On a side note: If the Firefox browser is not your cup of tea, there's somewhat of an equivalent of Web Developer on the Internet Explorer (IE) side. It's called the Internet Explorer Developer Toolbar and works on IE 6 and IE 7, as shown in Figure 3.


Figure 3: Internet Explorer Developer Toolbar shows up as a pin-able browser window

The Developer Toolbar is not nearly as extensive and useful for security testing, but it can be used for a few things along this line, such as disabling scripts and viewing cookies. Moving forward, IE 8 will have its own developer tools built right in.

Although the Firefox Web Developer extension is only part of what you need to test an application in-depth, it's an important tool nonetheless and one you shouldn't be without.

About the author: Kevin Beaver, CISSP, is an independent information security consultant, keynote speaker and expert witness with Atlanta-based Principle Logic LLC, where he specializes in performing independent security assessments and information security career counseling for up-and-coming IT pros. Kevin has authored or co-authored seven books on information security, including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). He's also the creator of the Security On Wheels information security audio books and blog, providing security learning for IT professionals on the go. Kevin can be reached at kbeaver [at]
