Download and/or Install the FSTK v3.1 now

Additionally to the new version compatibility changes, I replaced the Extension “User Agent Switcher” with “Modify Headers“. All other extensions are the same as described here.

Download and/or Install the FSTK v3.0 now

By installing it to your Firefox, you’ll get all of the following extensions:

allcookies
Version: 1.2
By: Bernard Maison
dumps ALL cookies to cookies.txt file
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://allcookies.mozdev.org

Cert Viewer Plus
Version: 1.2
By: Kaspar Brand
Certificate viewer enhancements: PEM format view, file export
For Firefox versions 1.5.0.4 to 3.0.0.*
Homepage: https://addons.mozilla.org/addon/1964/

Firebug
Version: 1.05
By: Joe Hewitt
Web Development Evolved
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://www.getfirebug.com/

Firecookie
Version: 0.0.5
By: Jan Odvarko
Cookie manager for Firebug. Firebug has to be installed in order to use this extension.
For Firefox versions 2.0 to 3.0b5pre
Homepage: http://www.janodvarko.cz/firecookie

Fire Encrypter
Version: 3.0
By: Ronald van den heetkamp
Encryption, Decryption, and Hashing program.
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://www.jungsonnstudios.com/Mozilla/

FoxyProxy
Version: 2.7.1
By: LeahScape, Inc.
Premier proxy management for Firefox
For Firefox versions 1.5 to 3.0b4pre
Homepage: http://foxyproxy.mozdev.org

Live HTTP Headers
Version: 0.13.1
By: Daniel Savard
View HTTP headers of a page and while browsing.
For Firefox versions 0.8 to 2.0.0.*
Homepage: http://livehttpheaders.mozdev.org/

Selenium IDE
Version: 1.0b1
By: Shinya Kasatani
Record, edit and play Selenium tests
For Firefox versions 1.5 to 3.0b3
Homepage: http://www.openqa.org/selenium-ide/

Smart Middle Click
Version: 0.5
By: spiers
Middle click for javascript links.
For Firefox versions 1.5 to 2.0.0.*
Homepage: http://spiers.free.fr/

Tamper Data
Version: 9.8.1
By: Adam Judson
View and modify HTTP/HTTPS headers etc.
For Firefox versions 1.0 to 2.0.0.*
Homepage: http://tamperdata.mozdev.org

User Agent Switcher
Version: 0.6.10
By: Chris Pederick
Adds a menu and a toolbar button to switch the user agent of the browser.
For Firefox versions 1.0 to 2.0.0.*
Homepage: http://chrispederick.com/work/user-agent-switcher/

Web Developer
Version: 1.1.4
By: Chris Pederick
Adds a menu and a toolbar with various web developer tools.
For Firefox versions 1.0 to 2.0.0.*
Homepage: http://chrispederick.com/work/web-developer/

Hope you enjoy it

Selenium Remote Control (RC) is a test tool that allows you to write automated web application UI tests in any programming language against any HTTP website using any mainstream JavaScript-enabled browser.

This is exactly what Selenium is/does

I can especially recommend the Selenium IDE, which’s a Firefox extension that can record all actions of your browser, replay them and also export the whole thing into HTML, Java, C#, Perl, PHP, Python and Ruby.

This is, how the Selenium IDE looks like:

I don’t want to say more on this, just give it a try and have fun

What is it not about?
This blog posting will not show you for example how to fix all vulnerabilities you can expect in your PHP code nor is the described technique working against every kind of security problem. If you have the possibility to change the existing code, this is for sure the way to go and not what I’m writing in this posting. This is really only a technique which you can use when you can’t change the existing code.

Please also be aware, that I don’t give you any guarantee, that your PHP web applications are secure after you’ve done what’s written in this posting.

Skills you need
I tried to write everything as clear as possible but it’s good if you’ve got some basic knowledge of the PHP programming language because I won’t describe my simple code examples.

So let’s start with the main content

The php.ini
First we should talk about the so called php.ini, which will be our interface between the fixes and the already existing source code. The php.ini is the configuration file for PHP and you can see it’s actual configuration by simply have a look at the file or by creating a PHP script like the following:

<?php
phpinfo();
?>

Get your own php.ini on shared Servers
(If you’ve got your own dedicated server, this might not be relevant to you)
This subsection now shows you, how you can work with the php.ini even if you’re application is hosted on a shared server and you don’t have access to the main php.ini file. As a first step, you have to create a file with the name .htaccess, which means that it’s a htaccess file. Under Unix like systems this is not a problem at all but under Windows systems you’ll get an error when you try to rename a file to “.htaccess”, so with the following two steps, you can also create such a file under Windows:

1. Open Notepad or any other text editor.
2. Go to Save As, and chose “.htaccess” for the file name including the quotes.

Now you can upload the file into your wwwroot directory and add the following line to the .htaccess file, when your php.ini file can be found at /home/disenchant/php.ini:

suPHP_ConfigPath /home/disenchant

Now, the new defined php.ini will be used instead of the one, your web hoster has set up globally.

The auto_prepend_file Option
So let’s go into the part of the php.ini which is interesting for us, it’s the auto_prepend_file option. Just add a line to your php.ini like the following, so that it points for example to the PHP file we made before to display the PHP info page or just create a smaller file with just <?= "test" ?> in it.

auto_prepend_file = /abc/xyz.php

As you can see, if you now have a look at any of your PHP scripts in your web browser, the auto_prepend_file option in our php.ini has included our script at the beginning of every file. This is exactly what we need because this way, we can interact with the existing code, even if we never changed something in the original source code. So let’s go on and fix some vulnerable code.

The vulnerable Code
First we need some vulnerable PHP. The following code is vulnerable to an attack type called “Cross-Site Scripting“.

<?php
echo $_GET['var'];
?>

We have now to implement an input encoding functionality for the variable called var (of course this can also be done for all variables or just some pre-defined variables). Let’s have a look at how to write a simple patch for this vulnerability.

The Patch
If we can change the original source code, we would probably use something like the following:

<?php
echo htmlentities($_GET['var'], ENT_QUOTES);
?>

This will replace (all) characters which can be dangerous or better say, can be used for executing malicious script code, with their equivalent HTML entity. This makes this piece of code secure but in our situation, we won’t be able to change the code and that’s why we need the technique I described in this posting, over the php.ini. Instead of modifying the existing source code, we create a new file like this:

<?php
$_GET['var'] = htmlentities($_GET['var'], ENT_QUOTES);
?>

Because of the auto_prepend_file option we set in our php.ini, this code will fix our vulnerability

Final words
As you’ve seen, this technique can become very helpful under some circumstances and of course I showed you just the basic use of it and you can go much further and for example implement login stuff, session management, white listings and so on through this.

Because I’m not sure how much time I’ve got to work on it during the next month(s) I’ll offer also the *.tex documents to everyone who would like to do further work on the paper.

To say a few words about the paper itself, it’s simply a (at the moment) 31 pages long how-to with examples on how to develop your own extensions for Mozilla Firefox and with some additional work, I think it could be also interesting for schools to use it as teaching material.

Download

I hope some of you enjoy the paper, even if it’s not finished