Why Prebuilt Browsers are Bad: Introducing Firefox Security Toolkit

The HconSTF team has published a few comments on their blog and their Twitter account. In this post, I will respond to the HconSTF developers’ comments.

I will start with their blog post: http://www.hcon.in/blog/hconstf-and-some-misconceptions-around-it

Above all, first and foremost it’s NOT ‘Hcon STF’ but it is ‘HconSTF’

Apologies for that; I have updated the post to use “HconSTF” instead of “Hcon STF”.

Is not frequently updated: It’s a huge project to maintain

Exactly, that’s the problem. The project is not frequently updated because it takes a lot of effort to maintain. I have mentioned that in the [README.md][1] file:

OWASP Mantra and HconSTF are not regularly updated, and they need a lot of work to develop and maintain. Meanwhile, Firefox Security Toolkit does not need additional maintenance.

All the add-ons which are maintained and updated by their authors on addons.mozilla.org are automatically updated, so when there is a new update available on the official site you get the same on HconSTF, the same as getting tool updates on Kali Linux.

That is not the point of the blog post at all. I explain it further at the end of this post.

I did not release the blog post simply to say “You should not use prebuilt security browsers because they have outdated add-ons”; I released it to say “You should not use the current prebuilt security browsers because you can get compromised by using them”. The current versions of HconSTF and OWASP Mantra are vulnerable to a number of RCE vulnerabilities, and some of these vulnerabilities have been known since 2013. It would not be decent for a penetration tester to be hacked, while pentesting a service, by a two-year-old public exploit.

it is totally WRONG to say that HconSTF is full of unneeded additions or as such.

That is not my opinion alone; it is the opinion of many security researchers. And it is actually true: the browsers are full of additions the average penetration tester does not need. You can run a poll among the information security community, and you will find that what I have stated is true.

That is my response to the blog post. The following is my response to the HconSTF Twitter comments:

https://twitter.com/HconSTF/status/662098821187567616

Response: This blog post was not created to promote my project. It was made specifically to explain how the latest versions of OWASP Mantra and HconSTF are vulnerable. My project is a simple script that does the same as OWASP Mantra and HconSTF while eliminating the security risks of using these two projects.

https://twitter.com/HconSTF/status/662102391181979648

Response: Again, it is not about promoting a tool. The tool was written mainly as a secure alternative to OWASP Mantra and HconSTF.

without real insights is shady

“without real insights is shady”? I have literally demonstrated how to compromise any user of HconSTF and OWASP Mantra using a browser exploit that was published in 2013. Isn’t that enough detail?

In their latest tweets, HconSTF contacted Mr. Casey Ellis, the CEO of Bugcrowd, requesting that the blog post be removed because “it spreads incorrect information about HconSTF”.

https://twitter.com/HconSTF/status/662208351363801088

Response: Can you point me to the “incorrect information” you indicated in your tweets?

The only point on which I believe there is a misunderstanding is “full of outdated plugins”. Although this is not the main point of the blog post, as I stated earlier, I would like to explain it further:
When HconSTF is first used, plugins with pending updates are updated to the latest version. So technically the HconSTF v0.5 build does not ship with the latest versions of the bundled plugins, but they are updated on use.

Also, I don’t believe that when the plugins are updated to their latest versions, all of them will still be compatible with Firefox v18 (a two-year-old build of Firefox).
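As an added check (example code written for this post, not code from HconSTF, OWASP Mantra or Firefox Security Toolkit), the following Python script reads the `Version` from a Firefox bundle's `application.ini`, flags the bundle if that version is below a minimum you choose, and checks whether a legacy add-on's `install.rdf` declares a Firefox compatibility range that covers the bundled version. The `application.ini` and `install.rdf` contents, the add-on name and ID, and the minimum version `42.0` are constructed for the example; point the functions at the real files of a bundle you are auditing.

```python
"""Audit a prebuilt Firefox bundle: is the bundled Firefox outdated, and does a
bundled legacy add-on's declared compatibility range even cover that version?

Added example; not part of the original post or of any prebuilt browser project.
All inputs below are constructed inline so the script runs offline.
"""
import configparser
import re
import xml.etree.ElementTree as ET

# Constructed application.ini, in the layout Firefox ships in its install directory.
APPLICATION_INI = """\
[App]
Vendor=Mozilla
Name=Firefox
Version=18.0.2
BuildID=20130201065344
"""

# Firefox's application ID as used in legacy add-on manifests (install.rdf).
FIREFOX_APP_ID = "{ec8030f7-c20a-464f-9b0e-13a3a9e97384}"

# Constructed install.rdf for a hypothetical add-on "Example Addon" (not a real add-on).
INSTALL_RDF = f"""<?xml version="1.0"?>
<RDF xmlns="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
     xmlns:em="http://www.mozilla.org/2004/em-rdf#">
  <Description about="urn:mozilla:install-manifest">
    <em:id>example-addon@example.invalid</em:id>
    <em:name>Example Addon</em:name>
    <em:version>2.1</em:version>
    <em:targetApplication>
      <Description>
        <em:id>{FIREFOX_APP_ID}</em:id>
        <em:minVersion>38.0</em:minVersion>
        <em:maxVersion>42.*</em:maxVersion>
      </Description>
    </em:targetApplication>
  </Description>
</RDF>
"""

EM = "{http://www.mozilla.org/2004/em-rdf#}"  # Clark notation for the em: namespace


def parse_version(v):
    """Turn a Firefox version string into a comparable tuple.
    '18.0.2' -> (18, 0, 2); '42.*' -> (42, inf) so the wildcard covers any minor;
    '38.0esr' -> (38, 0), the non-numeric suffix is ignored."""
    parts = []
    for p in v.split("."):
        if p == "*":
            parts.append(float("inf"))
            break
        m = re.match(r"\d+", p)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)


def bundled_firefox_version(ini_text):
    """Read [App] Version from application.ini text."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    return cp["App"]["Version"]


def is_outdated(version, minimum):
    """True if the bundled Firefox is older than the minimum you are willing to run."""
    return parse_version(version) < parse_version(minimum)


def addon_compat_range(rdf_text):
    """Return (minVersion, maxVersion) the add-on declares for Firefox, or None."""
    root = ET.fromstring(rdf_text)
    for ta in root.iter(EM + "targetApplication"):
        if ta.findtext(f".//{EM}id") == FIREFOX_APP_ID:
            return ta.findtext(f".//{EM}minVersion"), ta.findtext(f".//{EM}maxVersion")
    return None


def addon_supports(rdf_text, firefox_version):
    """True if the add-on's declared Firefox range includes firefox_version."""
    rng = addon_compat_range(rdf_text)
    if rng is None:
        return False
    lo, hi = rng
    return parse_version(lo) <= parse_version(firefox_version) <= parse_version(hi)


def audit(ini_text=APPLICATION_INI, rdf_text=INSTALL_RDF, minimum="42.0"):
    """Summarise the checks; 'minimum' is an assumed floor, set it to the current release."""
    fx = bundled_firefox_version(ini_text)
    return {
        "firefox_version": fx,
        "outdated": is_outdated(fx, minimum),
        "addon_range": addon_compat_range(rdf_text),
        "addon_supports_bundled_firefox": addon_supports(rdf_text, fx),
    }


if __name__ == "__main__":
    for key, value in audit().items():
        print(f"{key}: {value}")
```

With the constructed inputs the bundle reports Firefox 18.0.2, is flagged as outdated against 42.0, and the add-on's declared range 38.0 to 42.* does not cover it, which is exactly the situation the paragraph above describes: the add-on can be updated, but the updated add-on no longer targets the old browser it is being loaded into.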

Unless the current prebuilt browsers are updated, whether HconSTF or OWASP Mantra, penetration testers should not put themselves at risk by using a vulnerable browser that could lead to their own work being compromised.

I would like to thank the HconSTF team for their comments.

Best regards,
Mazin
[1]: https://github.com/mazen160/Firefox-Security-Toolkit/blob/master/README.md