Hacker's garden of Firefox plugins

Dark Reading has a great roundup of "hacker" Firefox extensions, including ones that let you modify your cookies and user-agent string, examine and manipulate web-pages in detail, and debug (and spot vulnerabilities in) Javascript/AJAX.
The Web Developer extension is another must-have. This extension has too many features to list, and I typically find a new one each time I use it. Some of the features include editing practically every aspect of the page (HTML, CSS, cookies), viewing all elements in the page in a sort of WYSIWYG way, and converting form submission methods from POSTs to GETs and vice versa. I use it primarily for dissecting Web pages, but it comes in handy to convert the POSTs to GETs in order to easily manipulate the values in the URL address bar.
Link (via Schneier on Security)


  1. Please, these are no more hacking tools than a telnet client – you’re not ‘hacking’ just because you use these tools. And just as a word of warning, if you go around trying to SQL inject a bunch of sites, you’ll more than likely be getting a call from your ISP.

    I’m a web developer and I use most of the tools on this list. The only thing I would add is Modify Headers… Tamper Data can do what it does but it’s a little quicker if you just want to change a host header or something. Also, for those times when your JavaScript just won’t work in Internet Explorer and you have no idea why (other than IE’s fucked-up DOM), I recommend checking out DebugBar, an add-on for IE. It’s slightly unstable but it will at least give you AJAX call monitoring and a real-time JavaScript console.

  2. “…if you go around trying to SQL inject a bunch of sites, you’ll more than likely be getting a call from your ISP.”

    I seriously doubt any ISP monitors their customers’ POST data for SQL-like text.

  3. @Jamie Wilkinson: You are correct, but web server admins monitor this stuff (if they are worth a damn) and report abuse to the ISP associated with the IP involved with the abuse. It’s a weekly occurrence at my office.

  4. “I seriously doubt any ISP monitors their customers’ POST data for SQL-like text.”

    A lot of firewall products look for suspicious HTTP traffic (such as SQL injection, and XSS attacks). It’s actually likely that the server hosting the web application has something like this installed (or at least they should).

    Upon detection of such activity, emails to abuse@yourisp.com usually go out indicating that the ISP will be blocked if the activity continues. If it’s a well known site, you can bet that you’ll be hearing from your ISP.

    At any rate, if you’re going to do any “cracking” from your own ISP, you’re an idiot and deserve to get caught.
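The comment above describes firewall and server-side products that watch HTTP traffic for SQL-injection- and XSS-like payloads and then raise abuse reports against the originating address. The following is an added illustration of that detection idea, not code from any product or extension named on the page: a small scanner that reads constructed Apache-style access-log lines, URL-decodes each request path, matches it against a handful of example signatures, and counts per-IP hits so a defender can see which sources crossed a reporting threshold. The log lines, the IP addresses (RFC 5737 documentation ranges), the signature patterns and the threshold are all assumptions made for the example; real rule sets are far larger and tuned against false positives.

```python
"""Toy access-log scanner flagging SQLi/XSS-like request paths.

Added example for illustration only; not code from any product or
extension discussed on the page. Patterns and log lines are constructed.
"""
import re
from urllib.parse import unquote_plus

# Example signatures (constructed; real products use much larger rule sets).
# They run against the URL-decoded path so percent-encoding does not hide a hit.
SIGNATURES = {
    "sqli": re.compile(
        r"'\s*(or|and)\s+[\w']+\s*="          # quote-terminated boolean tautology
        r"|\bunion\s+(all\s+)?select\b"       # UNION SELECT
        r"|;\s*drop\s+table\b",               # stacked DROP TABLE
        re.I,
    ),
    "xss": re.compile(
        r"<\s*script\b|javascript\s*:|\bon(load|error|click)\s*=",
        re.I,
    ),
}

# Apache "common" log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample log lines; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges, so these are not real clients.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Oct/2007:13:55:36 -0700] "GET /index.php?id=5 HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2007:13:55:40 -0700] "GET /index.php?id=5%27%20OR%20%271%27%3D%271 HTTP/1.1" 500 0',
    '203.0.113.7 - - [10/Oct/2007:13:55:44 -0700] "GET /index.php?id=1%20UNION%20SELECT%20null HTTP/1.1" 500 0',
    '198.51.100.9 - - [10/Oct/2007:13:56:01 -0700] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 120',
    '198.51.100.9 - - [10/Oct/2007:13:56:05 -0700] "GET /search?q=firefox+plugins HTTP/1.1" 200 3400',
]


def classify_request(path):
    """Return the list of signature names that match the decoded request path."""
    decoded = unquote_plus(path)
    return [name for name, rx in SIGNATURES.items() if rx.search(decoded)]


def scan_log(lines):
    """Parse each log line and collect findings for requests that hit a signature."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the scan
        hits = classify_request(m["path"])
        if hits:
            findings.append({"ip": m["ip"], "path": m["path"], "rules": hits})
    return findings


def offenders(findings, threshold=2):
    """Map source IP -> hit count for sources at or above the reporting threshold."""
    counts = {}
    for f in findings:
        counts[f["ip"]] = counts.get(f["ip"], 0) + 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f["ip"], f["rules"], f["path"])
    print("sources over threshold:", offenders(found))
```

Run as a script it lists the three flagged requests and reports `203.0.113.7` as the only source over the two-hit threshold; the second address tripped a single XSS signature and would be logged but not escalated. The per-source count is the piece that matters for the abuse-report workflow the commenter describes: one odd request is noise, a burst from one address is what gets forwarded to the ISP.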

  5. The Aardvark plugin is a handy way to remove page content either for printing or to get rid of annoying ads – like the ones from sitepal.

    *It’s also a quick way to remove the transparent gifs that block the copyright images on Flickr from being copied to your clipboard (assuming you have a Fair Use argument and you don’t view deleting a transparent gif as some kind of illegal DMCA circumvention.)

  6. @Scott Lenger: To get around transparent gifs couldn’t you just look up the image’s location in the page source and type it into your browser directly? I had luck with this technique in at least a couple cases.
