15 March 2012

Configuring Firefox For Web App Pen Testing

You know the routine: you get a gig doing a web app pen test. You break out Burp (or whatever lesser proxy you prefer), and get ready to ruin some developer's day. And then, just as you get ready to load the target URL and start, you see a ton of update requests hit the proxy.

It's annoying. Your logs are polluted, and if you have to turn them over to the client, the extra noise strips some of the professionalism from your image (as a sidenote: Burp's "only save in-scope items" feature helps quite a lot with this).

Here then, is a quick guide on how to tweak Firefox so that it doesn't spew stupid crap in your web app pen test log files. I may come back and explain the "why" behind some of these later, but for now, just the "how" will have to do. (Note: some of these settings reduce the security of the browser. My presumption here is that Firefox will only be used for testing, not for general purpose browsing. The settings below reflect that.)

1) Open about:config
2) Disable Safe Browsing
3) Disable Pipelining
4) Disable Pre-fetching
5) Remove all bookmarks
6) Set homepage to about:blank for startup
7) Make sure history is enabled, but disable search suggestions
8) Disable checking for updates
9) Just say no to helping developers
10) Disable updates for sync

That's it. Now you can go forth, and break all the things, knowing that your log files will be nice and tidy afterwards.

4 comments:

  1. Might be worth mentioning that the XSS filter should also be diabled dor testing reflected XSS http://www.phillips321.co.uk/2012/03/01/xss-browser-filters-disabling-it-for-app-testing/

    ReplyDelete
  2. I ended up using this today. Thanks!

    FWIW, these are the values that are changed in the Pref.js file that's stored for your profile.(I think)

    If you go to create a new profile, save these values into a Pref.js file inside the profile directory, when you open the profile for the first time, these values will be automatically set.

    user_pref("browser.bookmarks.restore_default_bookmarks", false);
    user_pref("browser.safebrowsing.enabled", false);
    user_pref("browser.safebrowsing.malware.enabled", false);
    user_pref("browser.search.suggest.enabled", false);
    user_pref("browser.shell.checkDefaultBrowser", false);
    user_pref("browser.startup.page", 0);
    user_pref("browser.urlbar.filter.javascript", false);
    user_pref("browser.urlbar.trimURLs", false);
    user_pref("extensions.ui.locale.hidden", true);
    user_pref("extensions.update.enabled", false);
    user_pref("network.http.pipelining", true);
    user_pref("network.http.pipelining.ssl", true);
    user_pref("network.prefetch-next", false);

    ReplyDelete
  3. To disable the HTTP Pipelining his values ​​in the image should not be "false"? (In Firefox it does not this disabled by default?)

    ReplyDelete