Firefox Addons for Hacking

Top 6 Firefox AddOns for Hacking

We have seen several types of web application attacks, and in almost all cases we use a browser. Now I want to show you a few browser enhancements that can be used for different types of attacks and testing.

There are some beautiful Firefox add-ons every hacking aspirant should know about. Here I will give a detailed explanation of the functionality of a few of them.

Firefox addons:

  1. Hack bar
  2. Advanced cookie manager
  3. Tamper Data
  4. Fire Bug
  5. SQL inject me
  6. Live http headers

1. Hack bar:

You needed to spend a couple of needless minutes counting. It will display all the columns in our union statement automatically. This is just an example of what we can do with hack bar. It has many wonderful features like MD5 and SHA1 hashing, encoding the data etc.

Here I am showing some screenshots of sample usage of hack bar.

First install the hack bar add-on in your Mozilla Firefox browser.

Then open it as follows: go to Tools->Show/Hide hack bar.

Now after launching our hack bar, I am going to create an MD5 hash for the text admin.

[Screenshot: Hack bar user interface]

After following the steps shown above, I got my 32-bit MD5 hash for the text admin (see the picture below).

[Screenshot: Hack bar add-on output]

2. Advanced Cookie Manager:

It is a nice add-on with which we can edit and add sessions. This tool allows us to grab the cookies of one session and to add them to another session, if we want.

This is a nice tool to use the cookies stolen in an XSS attack.

Here I am showing a screenshot of how we can edit the cookies.

Open the advanced cookie manager add-on by doing the following.

Now select the website for which you want to set the cookie. Select the cookie name and replace it.

[Screenshot: Advanced cookie manager user interface]

3. Tamper Data:

Tamper data is one more beautiful add-on, which allows us to view and modify HTTP requests and parameters. Using tamper data we can change online game scores.

Earlier, I used this add-on for SMS spoofing on a well-known free SMS website. (It is now fixed.)

As we did with our previous add-ons, we need to install it first.

I will first start the tamper data add-on by doing the following: Firefox->tools->tamper data

It opens a new browser window when you click on start tamper. We can take it as a reference and use it on any website we want. It looks like the following.

[Screenshot: Tamper Data ongoing reports]

[Screenshot: Gmail login for tamper data]

In my case, I have used the example below. Our add-on opens a new window as shown below.

Well, what should I do now?

[Screenshot: Tamper with request]

As I want to view and modify the data, I will click the 'tamper' button.

It opens all the intercepted data, which we can modify and then submit to the server.

To be precise, we are intercepting and modifying the data before the browser submits it to the server. This is very useful in hacking game scores, uploading shells etc.

4. Fire Bug:

In many cases, when we browse websites and enter details into forms, we may find some annoying message boxes saying please enter correct details.

If it is because of client side validation using JavaScript, then we can bypass that validation very easily using fire bug.

Fire bug is a nice add-on for modifying the content of the page (HTML and JavaScript). We can easily modify the source.

Try it on a website that has client-side validation. To open firebug, just press F12. The following figure shows how I bypass the JavaScript validation using fire bug.

[Screenshot: Fire Bug Godaddy interface]

In the above figure, we have onclick="validate()" for validation when we click the purchase button. So just by removing that line we can bypass the validation.
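Because the browser user controls the page, a handler such as validate() is only a convenience, and the defence is to repeat every check on the server. The sketch below is an added example, not code from the original article; the field names (email, quantity, coupon, price), the rules and the sample requests are hypothetical and constructed for illustration.

```javascript
// Added example: server-side re-validation of a purchase form.
// Field names and rules are hypothetical, not taken from the article.
const RULES = {
  // Every rule insists on a string, so arrays or objects produced by
  // duplicated or nested parameters are rejected as well.
  email: v => typeof v === "string" && v.length <= 254 &&
              /^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(v),
  quantity: v => typeof v === "string" && /^[1-9]\d?$/.test(v), // 1..99
  coupon: v => v === undefined ||
               (typeof v === "string" && /^[A-Z0-9]{0,12}$/.test(v)),
};

// Browser side: what onclick="validate()" would run. It improves the user
// experience only; the handler can be deleted in the developer tools.
function validate(form) {
  return Object.keys(RULES).every(name => RULES[name](form[name]));
}

// Server side: runs on every request, whatever the page did or did not do.
// Unknown fields are rejected instead of being silently ignored.
function validateOnServer(body) {
  const errors = [];
  for (const name of Object.keys(body)) {
    if (!Object.prototype.hasOwnProperty.call(RULES, name)) {
      errors.push(`unexpected field: ${name}`);
    }
  }
  for (const [name, ok] of Object.entries(RULES)) {
    if (!ok(body[name])) errors.push(`invalid field: ${name}`);
  }
  return { accepted: errors.length === 0, errors };
}

// Constructed sample requests: one from an unmodified page, one sent after
// the onclick handler was removed in the browser.
const honest = { email: "user@example.com", quantity: "2" };
const tampered = { email: "not-an-email", quantity: "-5", price: "0" };

function demo() {
  return [honest, tampered].map(validateOnServer);
}

console.log(JSON.stringify(demo(), null, 2));
```

The same rule table can be shipped to the browser for instant feedback, but only the result of validateOnServer decides whether the order is processed.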

5. SQL inject me:

This is also a nice tool, which can be used to test for SQL injection vulnerabilities in web applications. It reduces the manual effort by automating the testing process. This tool automatically submits the forms, substituting the form values with SQL strings.

Just select the form where you need to check for SQL injection and, in the browser, go to tools->SQL inject me->open SQL inject me sidebar.

6. Live http headers:

Live http headers is one more beautiful add-on we need to know about. This is also similar to tamper data. We can view all the headers of http requests and even responses.

We can also modify the content before submitting it to the server. It can be used to upload shells when extension is blocked by the administrator of the website.

[Screenshot: Live http headers interface]

Credit: Sai Satish (Indian Servers CEO)
