Firefox Plugins for Security Professionals

April 14th, 2009 – 11:52:23
Tagged as: security

Most anyone will tell you, for web application developers, Firefox is the way to go. As many white hat or black hat security guys will tell you, the same is true for web application hackers. This being said, and after extensive time spent evaluating security-related plug-ins for Firefox, I have compiled a list of the plugins that I use on a day-to-day basis for evaluating site security.

Access Me
Although it doesn’t find 90% of what it says it will, this plugin can be somewhat useful for determining whether a server configuration is vulnerable to certain attacks that can be made with different request methods such as DELETE.

SQL Inject Me
I have seen this plugin successfully detect several *easy-to-find* SQL Injection vulnerable form fields. But it doesn’t really do a whole lot of checking beyond the simple, obvious ones.

XSS Me
Of all of the Security Compass plug-ins, this one is by far the most useful and does most of what it says it will. However, just because the plug-in says a site is not vulnerable to XSS doesn’t mean it truly isn’t. This plugin, like SQL Inject Me, simply checks for the simplest XSS vectors.

Web Developer
Of every plugin I use, I probably use the functionality of this one more than any other. This is an entire suite of tools aimed at assisting web developers with things like local validation, src highlighting, form modifications, etc. That being said, the same functionality is invaluable to web application hackers to break your forms, discover XSS vectors, and analyze your code for other problems.

FireBug
Like Web Developer, this plugin was designed and built with the developer in mind. However, with enhanced JS debugging capabilities, and arguably the best DOM browser there is, this plugin has singlehandedly been responsible for more XSS powered CSRF exploits in my audits than every tool in my toolkit combined. This is a must-have.

Passive Recon
This is an entire suite of tools that allows you to pseudo-anonymously get a pretty detailed domain recon report from a single click, or parts of that report individually. This can come in very handy when performing an audit on a site or app that you know very little about to begin with, and often gives insight into the system and server architecture of the target that can prove invaluable to finding holes.

TorButton
If you haven’t heard of TOR you probably have no idea what I am talking about in most of the above plugins. While it is by no means perfect, and can never replace a good proxy chain, TOR provides basic anonymization of your internet traffic. This button allows you to switch in and out of TOR mode in Firefox with a single click.

FireCookie
Firecookie is actually an extension to the FireBug plugin, and thus requires that FireBug be running and installed. However, it provides a means to view and edit cookies in real-time.

Modify Headers
This plugin can prove invaluable when used correctly. For everything from spoofing user-agent to spoofing client IP, this is a must-have for any hacker’s toolbox.

Tamper Data
Like Modify Headers, the Tamper Data plugin allows you to modify headers and cookies. The difference is, it does so on a Per-Request policy, meaning that if you are enumerating manually to isolate a bug, this plug-in will prove to be your best friend. I have broken many a webservice with this tool.

This is by no means an extensive list of plugins that are security related for Firefox, and I am sure there are probably some that I don’t know about yet that are just as valuable as the others listed here; so if you have one that you feel belongs on this list, leave a comment and let the people know about it!

.:] $this->classLoad($php) [:.

August 8th, 2007 – 13:42:40

One of the things I always forget to do when working on something in PHP is “require” or “include” my class definition files. It's kind of like remembering to import classes in Java, which I always forget to do, thus the reason I use an IDE with the auto-import feature! However, no PHP IDE I have seen has this ability, but PHP does provide you with a method to write your own auto-import functionality right into your application. Say for example you have the following code:
(more…)

.:] $this->php(beans) [:.

August 8th, 2007 – 13:40:20

When I am working in Java, I code in IntelliJ, which has this nice little macro to create all my getters and setters for the Bean object that I am working on at that point in time. It is a huge time saver. I recently started a new project in PHP and found myself desiring the same functionality in my PHP IDE, which didn't exist. After a little bit of research, I decided I could do one of two things, either hack together a little macro to do it for me, or just create some function that would do it dynamically, on the fly… Here is what I came up with. It is likely that this will end up as part of a bigger PHP Framework that I will work on when I have some spare time (notice how long it has been between blog entries to get a clue how much spare time I have had lately) that will be some port of the JavaBeans API for PHP… Anyhow, I hope you enjoy!
(more…)

.:] irrelavent.relevency [:.

August 8th, 2007 – 13:37:52
Tagged as: java, programming

So it seems like everyone has their little voodoo algorithms on how to calculate how relevant a search result is to the term that was being searched, and I personally do not think it should be thus. So I am going to share my rough draft for a simple relevancy calculation between a String, hereafter referred to as query, and a search result, hereafter referred to as SearchResultVO.

(more…)

.:] Java.Revver.XmlRpc.SSL [:.

August 8th, 2007 – 13:35:30
Tagged as: api, java, revver, xmlrpc

I have started a new project on SourceForge called RevverJ, however, it is pending approval still (just created today), so in the meantime, I thought I would share how I finally (after about a week of fighting) was able to communicate with the Revver API from Java.

(more…)

.:] xmlhttprequest.and.you [:.

August 8th, 2007 – 13:33:34

So this week I had an enhancement at work which required me to write some new Ajax functionality for the website. The enhancement was rather trivial really, essentially I needed to drop something on the session real-time so that I could get at it later.

So I wrote myself a quick 'n' dirty little servlet to handle the back end, and a JavaScript function which acted as a client-side version of HttpSession.setAttribute().

(more…)

.:] mycrack.tips.and.tricks [:.

August 8th, 2007 – 13:30:56
Tagged as: css, design, myspace

Like a billion other people on the web, I spend some time on MySpace.Com for various reasons. I maintain a blog over there as well where I post lyrics for songs and such stuff that I have written. I have a couple of band profiles for a few of my projects, and blah, blah, blah.

Anyhow, I thought I would share 5 quick and easy customizations you can make to your MySpace profile to make it a little more unique, without having to use some self-proclaimed MySpace guru's ad-laden codes.

(more…)

.:] i.suggest [:.

August 8th, 2007 – 13:01:57

Somewhat recently an enhancement came across the wire at work for text input fields that auto-completed based off of a static set of data, specifically, e-mail domain names. The enhancement came to me and it was a fun thing to create, and something that could be potentially very useful for a lot of different pieces of the application, so I thought that I would share the pattern that we came up with to solve this problem.

(more…)