Why Prebuilt Browsers are Bad: Introducing Firefox Security Toolkit


#1

In this post, I will be discussing why a professional penetration tester should not use OWASP Mantra or HconSTF. I will also introduce “Firefox Security Toolkit”, a simple tool I have built that can be a very good replacement for these two projects and provides better security for the penetration tester too.

What are OWASP Mantra and HconSTF?
OWASP Mantra and HconSTF are browsers made specifically for penetration testers. They provide a large number of extensions that can help a penetration tester do his/her daily work. They are focused on the testing of web applications. The concept of the projects seems decent, but there are many issues facing those browsers.

Built on Outdated Browsers:
These two projects are built on Firefox. The problem is that both are built on Firefox v17-v18, which are extremely old. From a basic security-awareness point of view, no one should use an outdated browser, which is a very critical attack vector, to interact with the public Internet.

Outdated Plugins:
The main reason for using OWASP Mantra or HconSTF is the large number of plugins they provide. Since those two projects are prebuilt browsers, it is expected that the browsers and plugins would be updated very frequently to ensure the best results for penetration testers. Unfortunately, they are not being updated.

If those two projects are discontinued and no updates will be released, they should announce this to prevent damage and issues.

Security Issues:
Since the latest version of OWASP Mantra is built on Firefox v18, there are numerous publicly available exploits. There is no need even to tweak a public exploit or dig deeper. Some of these exploits are included in the Metasploit project.

In this section, I will be demonstrating how to “hack” any penetration tester who is using the latest version of OWASP Mantra or the latest version of HconSTF.

In 2013, a public exploit for Firefox’s core was disclosed that chains two different security issues, CVE-2013-1710 and CVE-2013-1670, in order to inject malicious JavaScript code into a context running with chrome:// privileges, which eventually leads to arbitrary code execution on the target’s system.

As mentioned earlier, this exploit is published in the Metasploit Framework. You can find the module here.

What’s also great about this module is that it uses the JavaScript XPCOM shell, which is compatible with all systems that Firefox runs on. OWASP Mantra and HconSTF are both available on Windows, Linux, and Mac. Using this Metasploit module, OWASP Mantra and HconSTF can be hacked in all of these environments.

Example:

Now, once the victim (i.e. the penetration tester) loads this page in either of those security browsers, he/she will be compromised.

When a penetration tester uses the latest version of OWASP Mantra, v0.92, to load the page, he/she is compromised.

The same occurs when the penetration tester loads the page using the latest version of HconSTF, v0.5.

You can imagine how bad it would be to be compromised by a public exploit from 2013 while being a penetration tester/hacker. It’s also worth noting that this is the first public discussion of how OWASP Mantra and HconSTF are vulnerable.

The major issues facing OWASP Mantra and HconSTF are the following:

Both are not frequently updated
Neither project has been updated for years. The latest version of OWASP Mantra was released in January 2013, while the latest release of HconSTF was in April 2013. This is the main reason they can be hacked as shown earlier.

Plugins are not at their latest version
Since neither project is well updated, the plugins are also not at their latest version.

Both projects are full of unneeded additions
These projects provide many additions that are not necessary at all and are not used in real-life penetration tests.

Introducing Firefox Security Toolkit

After analyzing the issues facing prebuilt browsers made for penetration testers, I came to the conclusion that the best way to solve them would be to transform a fully updated browser into one made specifically for penetration testing.

Firefox Security Toolkit is a project that changes a normal Firefox browser into a penetration testing suite. This is done by downloading and installing the latest versions of the most popular extensions; it also provides a few additions to enhance the penetration tester’s testing experience. The project focuses on web-application security testing, as it provides all the essential additions for a successful penetration test.

Why would Firefox Security Toolkit be better than OWASP Mantra or HconSTF?

  • You are responsible for the browser’s security: You are able to use
    Firefox Security Toolkit on the latest version of Mozilla Firefox, to
    ensure better security for the penetration tester.
  • It does not include additional unwanted plugins: Firefox Security
    Toolkit only installs the most essential plugins, which are known to
    provide maximum efficiency. It also downloads the latest versions
    of these plugins.
  • Flexible method to download and install plugins: You are able to
    modify the default plugins and add additional plugins to be
    downloaded automatically.
  • Very simple code: The code is very simple; you can easily modify it
    to meet your needs.

Basically, Firefox Security Toolkit provides the same value as OWASP Mantra and HconSTF in a secure, flexible, and clean way. It also does not need upgrading or heavy maintenance, as OWASP Mantra and HconSTF do, since it relies on the version of Firefox installed on the system.

The following video demonstrates how Firefox Security Toolkit transforms a normal Firefox browser into a penetration testing suite.

Download Link: https://github.com/mazen160/Firefox-Security-Toolkit

Thanks for reading.
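The practical check behind the “Built on Outdated Browsers” and “Security Issues” sections above is to read the Firefox release a prebuilt bundle actually ships, and, from the other side of an engagement, to spot outdated Firefox clients in web-server logs. The script below does both. It is an added example and not code from the post, from Firefox Security Toolkit, or from OWASP Mantra or HconSTF; the application.ini text, the log lines and the 38.0 “current release” value are constructed stand-ins, and the only fact it relies on from the post is that the bundles are built on Firefox v17-v18.

```python
"""Added example: detect an outdated Firefox build from a bundle's
application.ini or from User-Agent strings in web-server logs."""
import configparser
import re
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Gecko browsers advertise their release as "Firefox/18.0" in the User-Agent.
_UA_RE = re.compile(r"\bFirefox/(\d+(?:\.\d+)*)")
# Combined log format: client IP first, User-Agent as the last quoted field.
_LOG_RE = re.compile(r'^(?P<ip>\S+) .*"(?P<ua>[^"]*)"\s*$')

# Constructed sample of the application.ini Firefox ships next to its binary;
# a prebuilt bundle carries its own copy, so it tells you what it is built on.
SAMPLE_APPLICATION_INI = """\
[App]
Vendor=Mozilla
Name=Firefox
Version=18.0
"""

# Constructed log lines (RFC 5737 test addresses): an 18.0 client,
# a newer Firefox, and a browser that is not Firefox at all.
SAMPLE_LOG_LINES = [
    '192.0.2.10 - - [01/Jun/2015:10:00:01 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"',
    '192.0.2.11 - - [01/Jun/2015:10:00:02 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Firefox/38.0"',
    '192.0.2.12 - - [01/Jun/2015:10:00:03 +0000] "GET / HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/43.0.2357.81 Safari/537.36"',
]

# Assumed "current" release to compare against; substitute what your system
# Firefox reports when you run this (38.0 is only a stand-in).
ASSUMED_CURRENT: Version = (38, 0)


def parse_version(text: str) -> Version:
    """'18.0.2' -> (18, 0, 2).  A non-numeric suffix such as the 'a1' of
    '24.0a1' is dropped, so a pre-release compares as its base release."""
    parts: List[int] = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    if not parts:
        raise ValueError(f"not a Firefox version string: {text!r}")
    return tuple(parts)


def version_from_user_agent(ua: str) -> Optional[Version]:
    """Firefox release advertised by a User-Agent, or None for other browsers.
    The UA is client-controlled, so treat this as a fingerprint, not proof."""
    m = _UA_RE.search(ua)
    return parse_version(m.group(1)) if m else None


def version_from_application_ini(ini_text: str) -> Version:
    """Release recorded in the [App] section of a bundle's application.ini."""
    cp = configparser.ConfigParser()
    cp.read_string(ini_text)
    if cp.get("App", "Name", fallback="") != "Firefox":
        raise ValueError("not a Firefox application.ini")
    return parse_version(cp.get("App", "Version"))


def is_outdated(found: Version, current: Version) -> bool:
    """True when `found` is older than `current`.  Missing components count
    as zero, so (38,) and (38, 0) are the same release."""
    width = max(len(found), len(current))

    def pad(v: Version) -> Version:
        return v + (0,) * (width - len(v))

    return pad(found) < pad(current)


def outdated_clients(log_lines: List[str], current: Version) -> List[Tuple[str, Version]]:
    """(client IP, Firefox release) for every Firefox client older than `current`."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        found = version_from_user_agent(m.group("ua"))
        if found is not None and is_outdated(found, current):
            hits.append((m.group("ip"), found))
    return hits


if __name__ == "__main__":
    bundled = version_from_application_ini(SAMPLE_APPLICATION_INI)
    state = "outdated" if is_outdated(bundled, ASSUMED_CURRENT) else "current"
    print("bundle ships Firefox", ".".join(map(str, bundled)), "-", state)
    for ip, found in outdated_clients(SAMPLE_LOG_LINES, ASSUMED_CURRENT):
        print(f"{ip} is browsing with Firefox {'.'.join(map(str, found))}")
```

Point `version_from_application_ini` at the application.ini inside a downloaded bundle before you trust it, and feed `outdated_clients` your own access log to see which visitors would be in the position this post describes. The User-Agent check only fingerprints what the client claims, which is exactly why a browser-exploit module can key on it, and also why it proves nothing on its own.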


Researcher Project Spotlight - Mazen's Firefox Security Toolkit
#2

Hey @mazen160, one of the HconSTF folks posted a response to this post as it relates to HconSTF: http://www.hcon.in/blog/hconstf-and-some-misconceptions-around-it


#3

The HconSTF team has published a few comments on their blog and their Twitter account. In this post, I will respond to the HconSTF developers’ comments.

I will start with their blog post: http://www.hcon.in/blog/hconstf-and-some-misconceptions-around-it

Above all, first and foremost it’s NOT ‘Hcon STF’ but it is ‘HconSTF’

Apologies for that; I have updated the post to say “HconSTF” instead of “Hcon STF”.

Is not frequently updated: It’s a huge project to maintain

Exactly, that’s the problem. The project is not frequently updated because it would take a lot of effort to maintain it. I mentioned that in the [README.md][1] file.

OWASP Mantra and Hcon STF are not regularly updated, and need a lot of work to develop and maintain. Meanwhile, Firefox Security Toolkit does not need additional maintenance.

All the add-ons which are maintained and updated by their authors on addons.mozilla.org are automatically updated, so when there is a new update available on the official site you get the same on HconSTF, the same as getting tool updates on Kali Linux.

This is not the point of the blog post at all. I explain it further at the end of this post.

I did not release the blog post simply to say “You should not use prebuilt security browsers because they have outdated add-ons”; I released it to say “You should not use the current prebuilt security browsers because you can get compromised by using them”. The current versions of HconSTF and OWASP Mantra are vulnerable to a number of RCE vulnerabilities, some of which have been known since 2013. It wouldn’t be decent for a penetration tester to be hacked with a two-year-old public exploit while pentesting a service.

it is totally WRONG to say that HconSTF is full of unneeded additions or as such.

That’s not my opinion alone; many security researchers share it. And it’s actually true: the browsers are full of additions the average penetration tester does not need. You can run a poll in the information security community, and you will find that what I have stated is true.

That is my response to the blog post. The following is my response to HconSTF’s Twitter comments:

Response: This blog post was not created to promote my project. It was made specifically to explain how the latest versions of OWASP Mantra and HconSTF are vulnerable. My project is simple code that does the same as OWASP Mantra and HconSTF while eliminating the security concerns of using these two projects.


Response: Again, it’s not about promoting a tool. The tool is mainly written as a secure alternative to OWASP Mantra and HconSTF.

without real insights is shady

“Without real insights is shady”? I have literally demonstrated how to compromise any user of HconSTF and OWASP Mantra using a browser exploit that was published in 2013. Isn’t that enough detail?

In their latest tweets, HconSTF contacted Mr. Casey Ellis, the CEO of Bugcrowd, requesting that the blog post be removed because “it spreads incorrect information about HconSTF”.

Response: Can you show me the “incorrect information” you referred to in your tweets?

The only point on which I believe there is a misunderstanding is “full of outdated plugins”. Although this is not the main point of the blog post, as I stated earlier, I would like to explain it further:
When HconSTF is first used, plugins with pending updates are updated to their latest versions. So technically, the HconSTF v0.5 build does not contain the latest updates of the plugins it uses, but they are updated when it is used.

Also, I don’t believe that when the plugins are updated to their latest versions, all of them will be compatible with Firefox v18 (a two-year-old build of Firefox).

Unless the current prebuilt browsers, whether HconSTF or OWASP Mantra, get updated, penetration testers should not put themselves at risk by using a vulnerable browser that could lead to their work being compromised.

I would like to thank HconSTF team for their comments.

Best regards,
Mazin
[1]: https://github.com/mazen160/Firefox-Security-Toolkit/blob/master/README.md