Saturday, 27 April 2013

Testing with Firefox Add-ons

The open source Firefox web browser offers free and paid add-ons. Install them and use them for testing web applications, and for much more.


1) Tamper Data
Used for web security/penetration testing.
Install this add-on and tamper with the data, requests and cookies being sent to the server.
Check for client-side and server-side validation: exercise the input fields with valid and invalid data and check the posted messages.

2) DoNotTrackMe
Many sites track users' web activity; if you would like to obscure your activity on the web, go for this.
DoNotTrackMe does not hide your web activity entirely. It checks against a list of known tracking sites and blocks them for you.

Who will track your web activity?
A host of tracking companies and social networking sites.
What would they do with this data?
Use it to provide you suggestions/recommendations.
Misuse it to sell you something or sell the data.

3) Ghostery
Provides the user with the option to block or unblock tracking sites.
You may want a tracker to track your activity on one website and not on another.
You can whitelist the websites that you visit frequently and trust.

The above two add-ons identify web trackers and block or unblock them.

4) HTTPS Everywhere
Install this for an extra layer of privacy and security. Only sites that have implemented HTTPS [HTTP over Secure Sockets Layer] are eligible.
Anyone listening on port 80 can read requests made over plain HTTP, and those requests could be altered.
Consider using HTTPS everywhere: HTTPS provides encryption and listens on a different port, 443.
HTTPS Everywhere blocks IFRAMEs and does not permit cross-origin framing.

5) NoScript
You would want to have this add-on installed. It blocks all scripts from running unless they are allowed on a page.
Install it and do the initial work of deciding which sites to allow temporarily, disallow, or forbid from running scripts.
Set up the list of web pages that you wish to allow or disallow from running scripts.

NoScript warns the user of potential clickjacking/UI redressing attempts.

Disallow IFRAMEs in the NoScript options.

Add your list of whitelisted websites.
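NoScript warns you when a page is being framed; the other half of a clickjacking test is checking whether the site itself tells browsers not to frame it. The following is an added example, not code from the post or from NoScript: it reads a response's X-Frame-Options and Content-Security-Policy headers and decides whether a different origin could embed the page in an IFRAME. The sample responses are constructed.

```python
def framing_allowed_cross_origin(headers):
    """Return True if a response carrying these headers may be embedded in an
    IFRAME by a different origin, i.e. the page is exposed to clickjacking.

    `headers` maps header name to value (names compared case-insensitively).
    CSP's frame-ancestors directive is checked first, because browsers that
    support it ignore X-Frame-Options when both are present.
    """
    lower = {name.lower(): value for name, value in headers.items()}

    csp = lower.get("content-security-policy", "")
    for directive in csp.split(";"):
        parts = directive.split()
        if parts and parts[0].lower() == "frame-ancestors":
            sources = {s.lower() for s in parts[1:]}
            # An empty source list, 'none', or only 'self' all forbid cross-origin framing.
            return bool(sources - {"'self'", "'none'"})

    xfo = lower.get("x-frame-options", "").strip().upper()
    # DENY and SAMEORIGIN both stop framing by another origin; anything else
    # (missing header, ALLOWALL, a malformed value) leaves the page frameable.
    return xfo not in ("DENY", "SAMEORIGIN")


# Constructed sample responses (not captured from any real site) to exercise the check.
SAMPLE_RESPONSES = {
    "no-headers": {},
    "xfo-deny": {"X-Frame-Options": "DENY"},
    "xfo-sameorigin": {"x-frame-options": "sameorigin"},
    "csp-none": {"Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"},
    "csp-partner-overrides-xfo": {
        "Content-Security-Policy": "frame-ancestors https://partner.test",
        "X-Frame-Options": "DENY",
    },
}


def report(responses=SAMPLE_RESPONSES):
    """Map each sample name to whether it is frameable cross-origin."""
    return {name: framing_allowed_cross_origin(h) for name, h in responses.items()}


if __name__ == "__main__":
    for name, exposed in report().items():
        print(f"{name}: {'frameable cross-origin' if exposed else 'framing restricted'}")
```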

6) FireShot
An add-on for Firefox, also compatible with other browsers, that helps users capture a whole webpage and then edit, save and share it.

7) Memonic
Install this to capture and clip a section of a webpage. Clip it, save it and share it via email, Facebook and/or Twitter.
The above two add-ons can be used for bug reporting on web applications.
You will have to log in to start using this add-on.
Memonic cannot capture a pop-up window.

8) iMacros
iMacros can be used for automation, for checks, for security testing and to generate load on a web server for load testing.
Record actions on a webpage and run them in loops for creating users, subscribing to newsletters, adding friends, sending invites and other actions that you perform daily, such as opening all your bookmarked webpages.

9) Firebug
For rapid software testing:
When you want to edit the HTML and CSS and see how the website would look and work, Firebug lets you do it without the hassle of firing up a separate application to view and edit the HTML code and style sheets. Test the website better with Firebug for usability, performance and user experience testing.

10) Yslow
The YSlow add-on provides the user with a host of guidance on enhancing the performance of a webpage.
Run it on blogs and on small or large websites to improve their performance.

Before installing or adding any add-on to the browser, check that it is compatible with your browser and its version.

For hassle-free and safe browsing, look for and update to the latest available version of each add-on.
Happy and safe Browsing :)

Firefox add-ons can be used in a variety of ways. Readers, let me know how you use the above and other add-ons for testing.

Sunday, 14 April 2013

Sit Down Series: On Web Security - 1

A few of us web security enthusiasts got together to learn about and share on computer and web security.

We started by testing a few table-top applications ;)
Sympathetic, exploratory, usability and user experience testing.

Eventually the topics below formed the basis of our learning.

Types of security threats:

1) SQL Injection
Injecting data into the database through SQL queries.
Upon execution of the query:

If the error messages give away sensitive information to the attacker, it qualifies as a STANDARD injection.
If the error messages do not give away sensitive information to the attacker, it qualifies as a BLIND injection.
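The distinction above comes down to what the server does with the database's errors. The following is an added example, not code from the post: a login query built by string concatenation next to the same query with placeholders, plus a lookup whose error handling is switchable between leaking the database's own error text (the STANDARD case) and returning a fixed message (the BLIND case). The in-memory table and its single row are constructed.

```python
import sqlite3


def make_db():
    """Constructed in-memory sample database (not from the post)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: the input is pasted into the SQL text, so a quote in it
    ends the string literal and whatever follows is parsed as SQL."""
    sql = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
           % (name, password))
    return conn.execute(sql).fetchone() is not None


def login_param(conn, name, password):
    """Hardened form: the driver sends the values separately from the SQL text,
    so the same input is compared as data and never parsed as SQL."""
    sql = "SELECT name FROM users WHERE name = ? AND password = ?"
    return conn.execute(sql, (name, password)).fetchone() is not None


def lookup_message(conn, name, verbose_errors):
    """The post's STANDARD vs BLIND distinction, shown on the vulnerable query:
    with verbose_errors=True the database's own error text reaches the client;
    with False the client only sees a fixed message and learns nothing from it."""
    try:
        conn.execute("SELECT name FROM users WHERE name = '%s'" % name).fetchall()
        return "ok"
    except sqlite3.Error as exc:
        return str(exc) if verbose_errors else "request failed"


if __name__ == "__main__":
    db = make_db()
    # The classic tester's input: a quote that closes the literal, then a tautology.
    probe = "x' OR '1'='1"
    print("concatenated query, probe password:", login_concat(db, "alice", probe))
    print("parameterised query, probe password:", login_param(db, "alice", probe))
    print("verbose error:", lookup_message(db, "o'brien", True))
    print("fixed error:", lookup_message(db, "o'brien", False))
```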

2) Code Injection 

Carried out by injecting code into an application using HTML or JavaScript, which is executed when the same information is sent to the server.

Testers: test whether the database readily yields results to such forged input.

3) XSS
Cross-Site Scripting
Injecting malicious data or executable scripts, using HTML or JavaScript, into a webpage.

Test for server-side and client-side vulnerabilities.
Disable JavaScript support in the browser.
Enable private browsing in Firefox, InPrivate browsing in IE and incognito browsing in Google Chrome.

4) LFI - Local File Inclusion
An attack that uses PHP (Hypertext Preprocessor) scripting to gain access to readable files on the server.

5) RFI - Remote File Inclusion
An attack that uses PHP scripting to inject files into a server.

The above two attacks are caused by unvalidated input data.

Test with valid and invalid input data and test for validation checks on the input fields.

6) CSRF - Cross Site Request Forgery
In this type of attack, forged HTTP requests are sent to a vulnerable server disguised as valid client requests.

When testing, check for client-side request validation and server-side validation.
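The server-side check that distinguishes a genuine request from a forged one, as an added example (not code from the post): a token derived from the session with an HMAC, compared in constant time, plus a check of the Origin header. The server secret, the site origin `https://example.test`, the request dictionaries and the session id are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Server-side secret generated at start-up, and the application's own origin
# (both constructed for this example).
SERVER_SECRET = secrets.token_bytes(32)
SITE_ORIGIN = "https://example.test"


def issue_csrf_token(session_id):
    """Derive the token from the session, so a token lifted from another
    session (or minted by the attacker's own site) will not match."""
    return hmac.new(SERVER_SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def is_genuine_request(request):
    """Server-side validation of a state-changing POST. `request` is a dict
    with the session id taken from the cookie, the headers and the form fields."""
    session_id = request.get("session_id")
    headers = {k.lower(): v for k, v in request.get("headers", {}).items()}
    form = request.get("form", {})
    if not session_id:
        return False
    # Origin: browsers add it to cross-site POSTs and page script cannot forge it.
    origin = headers.get("origin")
    if origin is not None and origin != SITE_ORIGIN:
        return False
    # Token: embedded in the genuine form, unknown to a form hosted elsewhere.
    submitted = str(form.get("csrf_token", ""))
    expected = issue_csrf_token(session_id)
    return hmac.compare_digest(submitted.encode(), expected.encode())


# Constructed requests (not captured traffic) for the genuine and the forged case.
GENUINE = {"session_id": "sess-42",
           "headers": {"Origin": SITE_ORIGIN},
           "form": {"email": "new@example.test",
                    "csrf_token": issue_csrf_token("sess-42")}}
FORGED = {"session_id": "sess-42",  # the victim's cookie rides along automatically
          "headers": {"Origin": "https://attacker.test"},
          "form": {"email": "attacker@example.test"}}  # no valid token available

if __name__ == "__main__":
    print("genuine accepted:", is_genuine_request(GENUINE))
    print("forged accepted:", is_genuine_request(FORGED))
```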

7) Unvalidated Redirects
Redirection is carried out using JavaScript, a meta refresh or a hyperlink to a malware site or any other site the attacker intends to send the victim to.
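The usual defence is to validate the redirect target before issuing the redirect. The following is an added example, not code from the post: it accepts site-relative paths and absolute URLs to an allow-listed host, and rejects the inputs a tester would try against a naive check (scheme-relative `//host`, non-http schemes, credentials before the host, backslashes). The allowed hosts and sample inputs are constructed.

```python
from urllib.parse import urlparse

# Hosts the application is allowed to redirect to (constructed for this example).
ALLOWED_HOSTS = {"example.test", "www.example.test"}


def safe_redirect_target(next_param, fallback="/"):
    """Return `next_param` only if it keeps the user on our site; otherwise
    return `fallback`."""
    if not next_param or "\\" in next_param or any(ch.isspace() for ch in next_param):
        # Browsers normalise backslashes and strip some whitespace, which can
        # turn an apparently relative path into a cross-site one: reject outright.
        return fallback
    parsed = urlparse(next_param)
    if parsed.scheme == "" and parsed.netloc == "":
        # Relative reference: a single leading slash only ("//host" is scheme-relative).
        if next_param.startswith("/") and not next_param.startswith("//"):
            return next_param
        return fallback
    if parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_HOSTS:
        # .hostname drops any "user@" prefix and lowercases the host, so
        # "https://example.test@evil.test/" is judged by evil.test and rejected.
        return next_param
    return fallback


# Constructed inputs a tester would submit in the redirect parameter.
SAMPLE_INPUTS = [
    "/account/settings",
    "https://www.example.test/orders",
    "https://evil.test/phish",
    "//evil.test/phish",
    "javascript:void(0)",
    "https://example.test@evil.test/",
    "/\\evil.test",
]


def decisions(inputs=SAMPLE_INPUTS):
    """Map each input to the target the application would actually redirect to."""
    return {value: safe_redirect_target(value) for value in inputs}


if __name__ == "__main__":
    for value, target in decisions().items():
        print(f"{value!r:40} -> {target}")
```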

8) Security Misconfiguration
An attack made possible when servers are misconfigured; misuse of the exposed information leads to an attack on, or compromise of, the server.

Test against a checklist of server vulnerabilities. (If any of you readers have such a list, please share it.)

9) Sensitive Data Exposure
Protect sensitive server-side and client-side data from exposure to unintended users. Assign appropriate roles and responsibilities to server administrators and other users.

10) Known Vulnerabilities 

Exploiting the server, OS and applications through known vulnerabilities: a few search results (based on the attacker's query) give away full details on how to carry out the attack, and further ideas are readily available on YouTube.

Protect the system under threat by upgrading it against known threats.

The above are not a random selection; they form the top web security threats.

(Top 10 2013 - OWASP)

The other discussions that followed are listed below:

  1. Battery types - laptop battery, power supply and CMOS battery.
  2. Bypassing the BIOS password by removing the CMOS battery.
  3. RJ45 (Registered Jack 45).
  4. Understanding Network Address Translation (NAT) and the Domain Name System (DNS).
  5. NAT - translates the IP address provided by the Internet Service Provider (ISP) to system-specific IP addresses.
  6. DNS - Domain Name System server.
     [Image - DNS]
  7. Difference between hubs, switches and routers.

If you readers wish to be a part of the 'Sit Down Series' on Web Security, do leave a
comment here. Care to share your learnings? I would love to learn from you.

Challenge yourself and your learning methods, and you will love IT.
Here's a picture of one of the table-top applications, the 'Scribble Pad' that CCD provides its valued customers. Thank you, CCD.