New version of the FSTK

I got a good comment from a guy called dre on my last blog entry. I had a look at the extensions he linked, and because there were so many, I decided to set up a new blog entry for my statements on the extensions dre suggested, so here it is :)

PrefBar
Nice extension which I didn’t know before. I replaced NoScript and User Agent Switcher with it.

ServerSwitcher
This extension could be interesting for web developers, but I don’t think it really helps security auditors do their job.

Chickenfoot
I never worked with Chickenfoot, only with Greasemonkey, and I really like it. Can someone explain to me why I should include Chickenfoot in the package when I already have Greasemonkey? If there are some interesting functionalities which Greasemonkey can’t offer, I’ll replace it of course, but at the moment I can’t see why Chickenfoot should be a better choice.

MR Tech Local Install, Mozbackup, BugMeNot and TrackMeNot
These are all good extensions, but from my point of view they’re not relevant for what the package is for (web application security testing).

“and since you included NoScript, why not: …”
Here dre is absolutely right that I could include some extensions like FlashBlock, AdBlock, Netcraft Anti-Phishing Toolbar and so on, because I’ve included NoScript. The answer why I didn’t do that is simple: this extension package is not there to make you secure, it’s for doing web application security testing. I think having a simple way to disable or enable JavaScript will be very helpful (for example if the application has some client-side authentication and you don’t want to modify the source with FireBug), but why should I care about advertisements on a web application I have to test, or why should I protect myself against such an application? Of course it can be recommended to use such extensions for normal use, but from my point of view these extensions don’t matter at all for what this package is made for.

Last but not least, the list dre linked at http://www.security-database.com/toolswatch/Turning-Firefox-to-an-auditing.html (a few of these extensions are already in the FSTK).

FoxyProxy
I’m actually thinking about replacing the SwitchProxy Tool with it, but first I have to take a deeper look at it.

Header Monitor
This extension is not that important from my point of view, but good enough to put it in the FSTK :)

FireEncrypter
Never heard of it before, but it’s really helpful, so it will be in the next version of the FSTK.

Shazou
Originally I thought that I didn’t want to include information gathering tools, but this one is possibly interesting enough to become part of the FSTK.

View Cookies
There are already two cookie-related extensions, and I think that should be enough.

Spiderzilla
This extension is only a front-end for the open source command line program HTTrack Website Copier, and because of that I think it’s nothing that has to be in the FSTK, even if it’s very helpful to have tools with spidering functions. If someone knows a standalone spidering extension for Firefox, please let me know.

HackBar
I like the encoding features, so it will also be included in the FSTK.

The following extensions are not needed: there are already extensions in the FSTK which can do at least the same, or they are just not important enough from my point of view:

  • People Search and Public Record Toolbar
  • refspoof
  • RefControl
  • Cert Viewer Plus
  • JSView
  • View Dependencies
  • Active Whois plugin for Firefox
  • QArchive.org web files checker
  • HostIP.info Geolocation Plugin
  • Bibirmer Toolbar

If you, dre, or anyone else disagree with any of my statements, please don’t hesitate to write a comment, and of course also write a comment if you think that I’ve forgotten an important extension.

So the following is possibly what most of you want now:
A new version of the Firefox Security Tool Kit (FSTK).

Download/Install the FSTK now

FYI: Even if you’ve already installed the first version, you can install the latest version anyway. The only thing that can happen is that some outdated extensions will be updated and the new ones will be installed, so don’t worry and just try it out :)


2 Comments to “New version of the FSTK”

  1. MERLiiN

    I am too lazy to cross-reference all the plugins, but if you are auditing, the ability to insert XSS in the referrer field to check if it is reflected or ends up in the server statistics, etc. is a good reason to include at least one method of setting the referrer. If you already have this in your toolkit then great, otherwise, please add it.

    Just my $0.2

    MERLiiN
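The case MERLiiN describes, a Referer value that ends up unescaped in a server statistics page, is easy to reproduce and easy to fix on the defending side. The following is an added example, not code from the blog post or from any of the extensions it discusses: it parses a few constructed Apache combined-format log lines (the third carries a markup payload in the Referer field), builds the per-referrer counts a naive stats tool would show, and renders them twice, once verbatim (vulnerable) and once HTML-escaped (hardened). The log lines, the `LOG_RE` pattern and the function names are all assumptions made for this example.

```python
import html
import re
from collections import Counter

# Constructed sample lines in Apache combined log format. The Referer value on
# the third line is a deliberate markup payload of the kind the comment describes.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2007:13:55:36 +0200] "GET /index.html HTTP/1.1" 200 2326 "http://example.com/start" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2007:13:55:40 +0200] "GET /about.html HTTP/1.1" 200 1204 "http://example.com/start" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2007:13:56:02 +0200] "GET /index.html HTTP/1.1" 200 2326 "<script>alert(1)</script>" "Mozilla/5.0"
"""

# Combined log format: the Referer is the first quoted field after status and size.
# (Assumed pattern for this example; real logs may need a more tolerant parser.)
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def referer_counts(log_text: str) -> Counter:
    """Count how often each Referer value appears, exactly as a naive stats tool would."""
    counts: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            counts[m.group("referer")] += 1
    return counts


def render_unsafe(counts: Counter) -> str:
    """Vulnerable: the client-controlled header value is interpolated into HTML verbatim."""
    rows = "".join(
        f"<tr><td>{ref}</td><td>{n}</td></tr>" for ref, n in counts.most_common()
    )
    return f"<table>{rows}</table>"


def render_safe(counts: Counter) -> str:
    """Hardened: every header-derived value is HTML-escaped before it reaches the page."""
    rows = "".join(
        f"<tr><td>{html.escape(ref, quote=True)}</td><td>{n}</td></tr>"
        for ref, n in counts.most_common()
    )
    return f"<table>{rows}</table>"


def contains_raw_markup(rendered: str, payload: str) -> bool:
    """Simple check: did the payload survive into the rendered page unescaped?"""
    return payload in rendered


if __name__ == "__main__":
    counts = referer_counts(SAMPLE_LOG)
    print("unsafe:", render_unsafe(counts))
    print("safe:  ", render_safe(counts))
```

The point of `contains_raw_markup` is the audit check itself: the same string that was placed in the request header is searched for in the rendered output, which is exactly what the comment means by "check if it is reflected". Any Referer-derived value, the count column aside, goes through `html.escape` before rendering; the escaped output is what a stats page should always produce.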

  2. Disenchant

    Hi MERLiiN,
    of course there’s an extension which can change the referrer, I use Tamper Data for this :)
