Ethical hacking: Top 10 browser extensions for hacking
When it comes to ethical hacking, one of the critical skills you need to succeed is the usage of various tools to start your penetration testing process. While browser extensions may not be the most popular, they can actually help you achieve a variety of objectives, ranging from crawling an entire website to hijacking protected test sessions.
Below, we take a look at 10 browser extensions that are capable of making every ethical hacker’s life easier.
What should you learn next?
Note: Because Google Chrome and Mozilla Firefox are the most popular web browsers around, we’ve kept our picks to extensions that specifically run on these platforms.
Let’s take a look at the extensions, shall we?
Top 10 extensions
1. HackBar
When pentesting a web application, it’s necessary to use your browser’s address bar in order to change or add parameters or modify the URL. When doing this, the server may respond with redirects and reloads — which can be time-consuming if you want to try various values for a single variable.
HackBar is a security audit tool that will enable you to pentest websites more easily. This plugin acts like an address bar, but it’s immune to server changes such as redirects and reloads. This means you can easily send many different versions of a single request.
You can use it to check site security by performing SQL injections, XSS holes and more. It also has a user-friendly interface that makes it easy for you to do fuzz testing, hash generation, encoding and more. What’s more, it helps you to easily copy and request URLs, and it makes even the most complicated URLs readable.
Download: HackBar Chrome Extension
2. Wappalyzer
Gathering information is a crucial part of ethical hacking. By gathering enough data, you can exploit common vulnerabilities and exposures (CVE). Wappalyzer is the ideal tool for this, as it allows you to uncover details about the domain, hardware and software of the web application you’re pentesting.
Once you’ve installed this extension, you’ll see the Wappalyzer icon in the address bar of any site you visit. By clicking on it, you access a list of technologies used on that website, such as server software, web frameworks and analytics tools. Not only will it identify the tools that are being used on the page, but it will also show you which version of software is installed.
You can then conduct a search to determine whether the latest versions of these tools are being used and identify plugins that may have vulnerabilities. These findings can be included in your report, and you can urge your client to upgrade to the latest updated software.
Download: Wappalyzer for Google Chrome or Wappalyzer for Mozilla Firefox
3. d3coder
As an ethical hacker, you’ll need to encode and decode a lot of keys and hashes. This can be quite time-consuming if you constantly need to look up values. This plugin saves you time by allowing you to encode and decode selected text via the context menu. In addition to that, the context menu can also be customized.
The following functions can be performed with this extension:
- UNIX timestamp decoding
- ROT13 encoding/decoding
- Base64 encoding/decoding
- CRC32, MD5 and SHA-1 hashing
- Bin2Hex encoding/decoding
- Bin2Txt encoding/decoding
- HTML entity encoding/decoding
- htmlspecialchars encoding/decoding
- URI encoding/decoding
- Quoted printable encoding/decoding
- escapeshellarg
- (PHP) Unserialize
- Leetspeak
- Reverse
Download: d3coder for Google Chrome
4. Site Spider, Mark II
This is an updated version of Neil Fraser’s Site Spider Extension. It equips you with a web spider that has the ability to crawl an entire website and follow every link within it. It uses all the data it collects during its crawling expedition to build a table listing every URL it found, along with their HTTP status code and MIME type. It runs client-side within the user’s browser, using the user’s authentication to gain access to all pages. You can restrict its depth via regular expressions, and you can also pause or stop the spider.
With this plugin, you can easily identify any broken links within a website and report them to your client. You can also use this web crawler to determine whether there is any confidential or sensitive information within the target site that could be exploited.
Download: Site Spider, Mark II by cliff.kilby for Google Chrome
5. Cache killer
Ethical hackers often have many tabs open at the same time. As you probably already know, this will fill up your browser cache pretty quickly and may even cause issues when viewing a webpage.
By installing this extension, you can work much faster because it automatically clears the browser cache before loading a new page. You can also easily enable or disable the plugin with a single click.
Download: Cache Killer Chrome Extension
6. Open port check tool
In the same way an open window or door is tempting for house burglars, unused open ports are a goldmine for cybercriminals. These ports are a huge security threat, as they can be used to gain access to any personal information on the target’s computer.
With the Open Port Check Tool, you can easily identify open ports that are not in use. This plugin even allows you to do this remotely — just enter your client’s IP address and you’ll be able to check the port statuses of their computer without needing to have physical access to the hardware. By doing this, you can identify port vulnerabilities that need to be addressed.
Download: Open Port Check Tool for Google Chrome
7. Request maker
You will find this tool very helpful when performing fuzz tests to identify coding errors and other security vulnerabilities. When using the fuzzing method, you’ll often need to alter inputs and requests. That is where Request Maker can make your job much easier.
This core penetration testing tool enables you to capture or create web page requests, modify the URL and create new headers with the POST data. It can only capture requests made via HTML forms and XMLHttpRequests, but you can bookmark the requests.
Download: Request Maker for Google Chrome
8. Proxy SwitchyOmega
This extension is a successor to SwitchySharp, SwitchyPlus and Proxy Switchy. You can use this tool to hide your IP address while performing pentesting tasks. It enables you to manage and switch between multiple proxies quickly and effortlessly.
It also has an Auto Switch feature which allows you to set up automatic proxy-switching based on the URL. This means you can use multiple proxies for various websites simultaneously.
Download: Proxy SwitchyOmega Chrome Extension or Proxy SwitchyOmega Firefox Extension
9. iMacros for chrome
This extension is the perfect solution for users who wish to automate repetitive tasks that need to be completed when conducting a wide range of webpage testing, such as filling out web forms and recalling passwords.
You can use it to record macros that can be kept for their own use or shared with others. This plugin is generally used for regression texting, performance testing and web transaction monitoring. It can also be combined with various web development and testing tools.
10. Note anywhere
As an ethical hacker, you’ll probably be making a lot of notes about where you’ve found vulnerabilities, the information you want to include in your report and more. Using the good old-fashioned pen-and-paper method may not be very efficient during pentesting.
Luckily, this extension allows you to make notes anywhere on any website. You can also save all your notes to ensure that they load automatically whenever you revisit the same page.
Download: Note Anywhere Chrome Extension
Conclusion
After going through the list, you will come to realize that Chrome and Firefox are more than just web browsers. With these handy extensions, they can help you gather information, analyze web pages and more. Feel free to test them at your will and don’t forget to share your experience with us!
FREE role-guided training plans
Sources
- Start hacking with browser extension, Information Security Newspaper
- Firefox and FireCAT as a Platform for Ethical Hacking, Mozilla Hacks
- Web App Security Testing With Browsers, DZone