With e-hack around the corner I thought of posting a few amazing Chrome Extensions I use for checking vulnerabilities on Websites. E-hack is a Capture the Flag event which is going to be conducted on 27th July in Chennai. If you haven’t registered already you can still register here.You can find the full coverage about ehack in techzei here .I have collected all those extensions that help us in the penetration testing process. All these extensions are available for free to download from Google Chrome’s Web store. Few extensions are not available unofficially. So, you need to download from their official website.

ehack-chennai-infysec-techzei

Note: Description of tools taken from Official Release Note.

1.Web Developer,is a Google Chrome extension that adds a tool bar with various web development tools in Chrome. With these tools, users can perform various web development tasks. This extension helps analyzing web application elements like HTML and JS.

Add Web Developer Extension in Chrome here: https://chrome.google.com/webstore/detail/web-developer/bfbameneiokkgbdmiekhjnmfkcnldhhm

2.Firebug Lite for Google Chrome, provides a rich visual environment to analyze HTML elements, DOM elements and other Box Model Shading. It also provides live CSS editing. It helps in analyzing how an application is working on the client’s side.

Add Firebug Lite to Google Chrome: https://chrome.google.com/webstore/detail/firebug-lite-for-google-c/bmagokdooijbeehmkpknfglimnifench

3.d3coder, is another nice Google Chrome Extension that helps penetration testers. It enables us to encode and decode selected text via context menu. Thus it reduces the time to encode and decode strings by using separate tools. This extension can perform a wide range of functions. See the list below:

  • Timestamp decoding
  • rot13 en-/decoding
  • base64 encoding
  • base64 decoding
  • CRC32 hashing
  • MD5 hashing
  • SHA1 hashing
  • bin2hex
  • bin2txt
  • HTML entity encoding
  • HTML entity decoding
  • HTML special chars encoding
  • HTML special chars decoding
  • URI encoding
  • URI decoding
  • Quoted printable decoding
  • Quoted printable encoding
  • Escapeshellarg
  • Base64 decode
  • Base64 encode
  • Unserialize
  • L33T-en/decode
  • Reverse

Add d3coder extension to Google Chrome: https://chrome.google.com/webstore/detail/d3coder/gncnbkghencmkfgeepfaonmegemakcol?hl=en-US

4.Site Spider, is an extension that adds a crawler in Chrome. It crawls all pages and reports all broken links. One can also restrict the spider by adding restrictions and regular expressions, it works at the client’s side. It can also use your authentication to access all pages. This extension is opensource. So, you can easily modify it according to your needs.
Add Site Spider to Google Chrome: https://chrome.google.com/webstore/detail/site-spider/ddlodfbcplakmddhdlffebcggbbighda

5.Form Fuzzer, is used to populate predefined characters into different form fields. It can also select checkboxes, radio buttons and select items in forms. It has a configuration menu where you can manage all settings of the extension. It is really helpful in testing forms. You can set payloads for forms and then populate payloads quickly with this nice tool. Really helpful in performing XSS and SQL injection attacks.
Add Form Fuzzer to Google Chrome: https://chrome.google.com/webstore/detail/form-fuzzer/cbpplldpcdcfejdaldmnfhlodoadjhii

6.Session Manager, is a powerful Chrome extension that lets users save, update, restore, and remove sets of tabs. You can create a group of tabs of the same interest and then restore those pages in one click. If you open few specific pages daily, and create groups of those pages and then open with a single click.
Add Session Manager to Google Chrome: https://chrome.google.com/webstore/detail/session-manager/mghenlmbmjcpehccoangkdpagbcbkdpc

7.Request Maker, is a core penetration testing tool. It’s used in creating and capturing requests, tampering the URL, and making new headers with post data. It can capture requests made via forms or XMLHttpRequests. You can see the function of this tool is similar to Burp. It’s also helpful in performing various kind of attacks in a web applications by modifying http requests.

Add Request Maker to Google Chrome: https://chrome.google.com/webstore/detail/request-maker/kajfghlhfkcocafkcjlajldicbikpgnp

8.Proxy SwitchySharp, is a proxy extension that helps in managing and switching between multiple proxies quickly. It also has an option to set auto proxy switching based on URL. You can also import or export data easily. With proxy switcher, we can hide IP addresses and perform penetration testing tasks to check how a person can attack with proxy servers.

Add Proxy SwitchySharp to Google Chrome: https://chrome.google.com/webstore/detail/proxy-switchysharp/dpplabbmogkhghncfbfdeeokoefdjegm/details

9.Cookie Editor, is a nice Chrome extension that lets users edit cookies. This tool is really helpful while hijacking vulnerable test sessions. It lets users delete, edit, add/or search cookies. It also lets users protect, block or export cookies in json. You can play with cookies as you want. This extension is ad-supported and all revenue goes to Unicef to help children worldwide. But Ads are not necessary and you can disable anytime from the extension settings page.

Add Edit This Cookie to Google Chrome: https://chrome.google.com/webstore/detail/edit-this-cookie/fngmhnnpilhplaeedifhccceomclgfbg

10.Cache Killer, is another nice extension that automatically cleans the browser cache before loading pages. It can be easily enabled or disabled with a single mouse click. It’s useful to bypass the browser cache and see the exact website in case it’s changing. This is much useful for web developers.

Add Cache Killer Extension to Google Chrome: https://chrome.google.com/webstore/detail/cache-killer/jpfbieopdmepaolggioebjmedmclkbap

These Google Chrome Extensions will come in handy for the Capture The Flag event. Make sure you add it to Chrome and play around with it before you come to the CTF. It’s going to be 50 Levels of  hardcore hacking .

6 Responses

Leave a Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.