October 19, 2009

Samurai Web Testing Framework (WTF) Firefox Add-ons Collection

On June 2009 Mozilla released the add-ons collections feature on their add-ons web site. As a member and contributor to the SamuraiWTF project, I would like to announce the release of the SamuraiWTF Firefox add-ons collection!

The Samurai Web Testing Framework (WTF) is a LiveCD focused on web application testing. It contains a pre-installed collection of the top web application penetration testing tools, becoming the perfect environment for testing applications.

The goal of this Firefox collection is to include the best add-ons for web application penetration testing and offensive security analysis, to convert your browser in the ultimate pen-testing tool. It is aligned with the Samurai Web Testing Framework (WTK) LiveCD distribution. I plan to keep the collection updated with new web-app pen-testing add-ons, but I would like to carefully evaluate new additions (or replacements) so that the list doesn't grow to limits where it becomes unmanageable. It includes 19 add-ons at this time.

As of today, it seems it is not possible to install all add-ons from a collection with a single click. The current SamuraiWTF add-ons collection can be installed on the latest Firefox version, v3.5, with the exception of the "Add N Edit Cookies" add-on. Although this add-on works in Firefox 3.5.*, it cannot be directly installed. There is a quick hack you can apply to install it on Firefox 3.5 until the official version is updated by its developer:
  • Go to the "Add N Edit Cookies" add-on webpage with a compatible old Firefox version, or with a different browser like Internet Explorer, and download the add-on (XPI file).
  • Change the XPI extension on the file to ZIP.
  • Extract the "install.rdf" file from the ZIP archive.
  • Edit the "install.rdf" file and replace the following line (maximum version):
  •         <em:maxversion>3.0.*</em:maxversion>
  • by:
  •         <em:maxversion>3.5.*</em:maxversion>
  • Put (drag & drop) the new "install.rdf" file back into the ZIP archive, and it will automatically replace the old version of the file.
  • Change back the ZIP extension on the file to XPI.
  • At this point, you can install the recently modified XPI add-on in Firefox 3.5.
Once you install all the add-ons within the SamuraiWTF collection, one by one, the look and feel of your Firefox browser will notably change. I recommend you to hide the add-ons toolbars visible by default. You can individually enable them at any time, such as when you are going to use each specific add-on:
  • Go to the "View" menu and select "Toolbars".
  • Deselect "Access Me Toolbar", "Web Developer Toolbar", and (specially) "HackBar".
Finally, the "DOM Inspector" add-on has been added to the collection as it is a requirement to enable all the capabilities of the "Web Developer" add-on.

Please, take a look at the collection, feel free to share your thoughts/comments (send me an e-mail), vote for this collection if you find it useful, and enjoy it!



Blogger Scott said...

Great work guys!

I only have a couple suggestions of FF tools to add to the kit:

Tamper Data - quick and dirty way to manipulate GET & POST requests

Live HTTP Headers -

maybe FireFtp for those servers that have FTP open

4:12 PM  
Blogger Raul Siles said...

Hi Scott,
Thanks for your comments!

Tamper Data is on the collection ;) I know it is difficult to see them all ;)

I didn't add Live HTTP headers as it does not allow to intercept requests, but to re-submit them after they were sent at least once. Tamper Data definitely replaces it.

Finally, we didn't add add-ons for other protocols as we are just focused on web testing, but FireFTP is a great add-on for FTP analysis.

8:59 PM  

Post a Comment

<< Home