Firefox Security Tool Kit – FSTK

At least once every two weeks someone asks me how to do web application security testing and, as you probably know, it’s impossible to describe something like that in just a few sentences. So when I give these people that answer, the next question follows immediately: What tools do you think I need for doing such tests? Well, this question is much easier to answer, and I always try to list some useful tools I use in most audits. At this point I have to say that I’ve been a real Firefox fan for years now, so I focused on Firefox extensions which can help me do my job during a web application security test. In the process I found out that extensions exist for nearly anything you need for a standard audit in this field. So my answer to the people I mentioned above was mostly a list of some useful extensions, but then they have to get every single one and install it, and mostly they’re not willing to do that because they just want to have a first look at the topic “web application security”. So I thought it would be cool if I could offer a package of the extensions I prefer, so that beginners, experts and any other kind of people can work with the tools just as I do.

So here it is, a package with my preferred webapp security related Firefox extensions. I’ll call the package FSTK, which stands for “Firefox Security Tool Kit”, to have a short name I can use to talk about it. Please keep in mind that this is just a package of tools: it will not do any automated security testing for you, and it also doesn’t have all the tools you can use for this kind of testing, because either there isn’t an extension for it yet or I don’t know about it.

Download and/or Install the FSTK now

Now I think you’re interested in what’s included in this package, so here’s a short overview:

  • CookieCuller
  • NoScript
  • Add N Edit Cookies
  • SwitchProxy Tool
  • Firebug
  • Tamper Data
  • Greasemonkey
  • User Agent Switcher
  • Web Developer
  • Xforms Buddy
  • Live HTTP Headers
  • XML Developer Toolbar

When I’ve got some time left I’ll also post some small HowTo’s for the extensions.

For your information, so far I have only had time to test my FSTK on my Xubuntu Linux machine and on Windows XP with Firefox 2.0.0.1, and some of the extensions were patched to work on the 2.0.0.1 version, so there could be some problems in older Firefox versions. If you have a version which doesn’t support my FSTK, please update to the newest version of Firefox, and if you still have any problems, don’t hesitate to contact me :)

Also, if you think one or more extensions are missing, please get in contact with me (or just post a comment) and then I can have a look at it.

Last but not least, a huge thank you to all the developers of the different extensions: you made and still make Firefox a Swiss Army knife for web application security testing :)


4 Comments to “Firefox Security Tool Kit – FSTK”  

  1. 1 dre

    this list:
    http://www.security-database.com/toolswatch/Turning-Firefox-to-an-auditing.html

    I might also include:
    PrefBar
    ServerSwitcher
    Chickenfoot
    MR Tech Local Install
    Mozbackup
    BugMeNot
    TrackMeNot

    and since you included NoScript, why not:
    FlashBlock
    AdBlock
    Netcraft Anti-Phishing Toolbar
    SafeCache
    SafeHistory
    httpOnly

    There are some good Greasemonkey scripts such as WhiteAcid’s XSS Assistant, which can be easily turned into an add-on with an online Greasemonkey compiler.

    There are loads of other tools and software that work well with Firefox… DieHard, CAL9000, fuzzers, etc… but may not strictly be add-ons.

    SEO and web application security are not too distant fields… plenty of interesting add-ons there as well.

  2. 2 Wingo
  3. 3 kalottja

    I know a team that has created a private hacking browser http://www.global-evolution.info/news/ ask them.

    greetings kalotja

  4. 4 ambreen tariq

    Well dear, a good post, and thanks for sharing your expertise in software security testing tools, as I was looking for the solution too.
