hacking with firefox


content:
-----------------------------
1) so why firefox & hacking?
2) settings
* javascript
3) extensions
* web developer
* livehttpheaders
* user agent switcher
* venkman javascript debugger
4) dom inspector
5) some cool tricks
* view selection source
* javascript debugging
-----------------------------

1) so why firefox & hacking
------------------
i'm not going to give you any reasons why you should switch to firefox (if you haven't done so already) because you probably know them already. what i am going to do is take a look at how firefox can aid you in satisfying your everlasting need to explore the web and solve challenges.

i noticed that firefox (+ extensions) can sometimes speed up this process a lot. you get greater control over what a website can do with your browser and what your browser can do with a website. in the next chapters i'm going to discuss the settings, extensions and features that can help you.

2) settings
------------------
there aren't many settings i can talk about in relation to this article but i still wanted to name a few.

in the options dialog you can find some advanced javascript settings.

windows:
[tools] -> [options] -> [web features] -> [advanced]
linux:
[edit] -> [preferences] -> [web features] -> [advanced]

i suggest you (at least) uncheck the following options:
* disable or replace context menus
now you will always be able to right-click to e.g. view the source of a page (instead of doing that via the menu) or request the page properties.

* hide the status bar
you need to know where a link is really linking to right?

* status bar text
same as above, don't be fooled by fake link locations.

3) extensions
------------------
mozilla firefox has many extensions that extend (yes, really!) the browser's functionality. i use about 10 extensions and a few of them come in really handy when hacking the web.

the ones that i found useful are the following:

# web developer (v0.8) - url: http://www.chrispederick.com/work/firefox/webdeveloper/

the web developer extension gives you a toolbar with lots of features for web developers like links to html-validators and a live css editor. some of the features for web developers can help you to get complete control over a website.

here is a list of some features that can help you (descriptions sometimes taken directly from the author's feature list):
- disable javascript
disables javascript.
- disable cookies
disables cookies.
- disable referrer logging
disables referrer logging.
- display form details
displays the form method and action as well as all the form element's ids and names for all forms.
- make form fields writable
makes all form fields that are read-only writable.
- show passwords
shows all passwords as text.
- view cookie information
displays all cookies.
- view response headers
displays the response headers. retrieves the page but only shows the http headers.
- clear http authentication
clears the browser http authentication.
- clear session cookies
clears all session cookies.

as you can see some of these features can replace external tools or can make some tasks a lot easier!
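
the 'make form fields writable' feature shows that read-only fields and length limits only bind the browser, not the person using it. as an added example (not from the original article; the catalog, the field names and processOrder are made up for illustration), this is how a server can ignore a submitted price and re-check the quantity itself:

```javascript
// added example (constructed data): the html form marks "price" read-only
// and limits "qty" with maxlength, but both are only hints to the browser.
const CATALOG = { "sku-100": 1999, "sku-200": 4999 }; // prices in cents

// takes the decoded form fields as a plain object of strings
function processOrder(form) {
  const errors = [];
  const sku = String(form.sku ?? "");
  const known = Object.prototype.hasOwnProperty.call(CATALOG, sku);
  if (!known) errors.push("unknown sku");

  // re-check the range on the server; a maxlength can be removed client-side
  const qtyText = String(form.qty ?? "");
  const qty = /^[0-9]{1,2}$/.test(qtyText) ? Number(qtyText) : NaN;
  if (!(qty >= 1 && qty <= 9)) errors.push("qty out of range");

  if (errors.length > 0) return { ok: false, errors };

  // the price always comes from the server's own data, never from the form
  const unitPrice = CATALOG[sku];
  const submitted = form.price === undefined ? null : String(form.price);
  // a mismatch means the read-only field was edited: worth logging
  const tampered = submitted !== null && submitted !== String(unitPrice);
  return { ok: true, total: unitPrice * qty, tampered };
}
```

the tampered flag changes nothing about the total; it only gives the server something to log when a field that should not change arrives changed.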

# livehttpheaders (v0.9) - url: http://livehttpheaders.mozdev.org/

this extension can be a replacement for programs like proxomitron. it lets you view the incoming and outgoing http headers, and you can edit and replay them. great for editing cookies and debugging a web application.

to use the livehttpheaders extension you must open the extension window ([tools] -> [live http headers]). check 'capture' at the bottom of the window to start capturing the headers. now load the page you want to capture the headers of. to replay a header, select the url of the page you want to retrieve with alternate headers and hit the 'replay' button. the live http replay window pops up, where you can edit and resend the headers.
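
because cookies can be edited and requests replayed this way, a server that keeps state in a cookie has to be able to notice the edit. an added example (not part of the original article; the secret, the cookie layout and the function names are assumptions) that signs a cookie with an hmac and rejects edited copies, written for node.js:

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// assumption: a secret that only the server knows (constructed value)
const SECRET = "constructed-example-key-not-for-production";

function mac(value) {
  return createHmac("sha256", SECRET).update(value, "utf8").digest("base64url");
}

// cookie value sent to the browser: "<payload>.<mac>"
function signCookie(payload) {
  const body = Buffer.from(JSON.stringify(payload), "utf8").toString("base64url");
  return body + "." + mac(body);
}

// returns the payload, or null when the value was edited or is malformed
function verifyCookie(cookie) {
  const parts = String(cookie).split(".");
  if (parts.length !== 2) return null;
  const [body, tag] = parts;
  const expected = Buffer.from(mac(body), "utf8");
  const given = Buffer.from(tag, "utf8");
  // timingSafeEqual throws on unequal lengths, so check the length first
  if (given.length !== expected.length) return null;
  if (!timingSafeEqual(given, expected)) return null;
  try {
    return JSON.parse(Buffer.from(body, "base64url").toString("utf8"));
  } catch {
    return null;
  }
}

// constructed test input: the same cookie with its payload swapped and
// the old mac kept, as it would arrive from an edited, replayed request
function editedCopy(cookie, newPayload) {
  const tag = cookie.split(".")[1];
  const body = Buffer.from(JSON.stringify(newPayload), "utf8").toString("base64url");
  return body + "." + tag;
}
```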

# user agent switcher (v0.6)
sometimes web masters build their sites so that each browser gets a different stylesheet or the pages look different on each browser. some incompetent web designers even block the website if you don't have internet explorer.

normally firefox sends a user agent-string like this one:
mozilla/5.0 (windows; u; windows nt 5.1; en-us; rv:1.7.5) gecko/20041107 firefox/1.0

with the user agent switcher you can switch between these strings the browser sends to see if a website reacts differently to other browsers or user agents like googlebot.

# venkman javascript debugger (v0.9.85) - url: http://www.hacksrus.com/~ginda/venkman/

with this extension you can debug (step into, step over, breakpoints, the whole list) html pages with javascript. extremely useful for some challenges and for general javascript debugging.

4) dom inspector
------------------
the dom (document object model) inspector is a tool that comes with firefox. you can choose to install it when you install firefox on your computer. if you did, you can find the dom inspector under [tools] -> [dom inspector].

the dom is the underlying model of how a webpage is built up. the tool lets you browse and edit all the html tags and attributes that firefox parsed on a page. when a page is generated with javascript (or obfuscated) it is sometimes very hard to debug the page, but not with the dom inspector.

5) some cool tricks
------------------
# view selection source
in firefox there is an option to view the source of a selection. just select some text and right-click on it. this can be useful when you want to view the source of a small part of a large page, or if you want to view the html code generated by javascript.

# javascript debugging
apart from the venkman javascript debugger i wrote about in the extensions section, there are two tricks that can help you when you try to debug a script or solve a javascript challenge:

- javascript console
if you have used firefox before, you have probably come across the javascript console. it is located in [tools] -> [javascript console]. there you can view the javascript errors that occurred on the page, but also execute javascript commands (same as typing javascript:command(); in the location bar).

- dump() command
not really intended for normal javascript debugging (actually for firefox extension development i think), but it can come in handy. instead of using alert() to show messages on the screen you can also use dump(). in order to use the dump() command you must create a new boolean preference browser.dom.window.dump.enabled and set it to true. this can be done via about:config (just type about:config in your location bar) or by editing your user.js file in your firefox installation (check out http://kb.mozillazine.org/user.js).

the next step is to run firefox with -console as parameter, like: firefox -console.
just create a shortcut with this command. when you open firefox this way, you can enter javascript:dump(variable) in your location bar (or without the javascript: prefix in your javascript console), and the output is dumped to the console window. that way you can easily copy the output from the console.

note: another way to be able to copy the output is to use prompt() instead of alert(). example: when you have alert(password), use prompt("pass:", password). you can leave the first argument empty if you want.
source: http://kb.mozillazine.org/viewing_dump%28%29_output