Creating Browser Extensions To Hunt Low Hanging Fruits

Abstract

With the recent advancements in technology, more people are aware of the importance of security. More companies started paying huge rewards to protect the sensitive information of their customers.

This Firefox extension is first of its kind and open source product. The Firefox extension is capable of detecting header related vulnerabilities by analyzing the request and response headers. The browser extension requires no special configurations, easy to install, easy to use, low false positives and capable of finding vulnerabilities in all the endpoints the user visits in a fraction of seconds. The web application firewall doesn’t block the requests crafted by the browser extension (due to legit traffic) yielding better results compared to other existing tools.

As of today, the browser extension is capable of detecting CORS misconfiguration, Host Header Injection, Clickjacking and missing secure flags/headers vulnerabilities.

I found vulnerabilities in Bugcrowd, Hotstar, Medium, Signup.com, Chargify etc using this minimal browser extension. People from across the globe (India, Sri Lanka, Taiwan, Philippines, Nepal, Denmark, etc) found this tool to be helpful, https://github.com/rewanthtammana/vuln-headers-extension/stargazers

Date
Mar 1, 2019 12:00 AM
Location
London, United Kingdom
Rewanth Tammana
Rewanth Tammana
Senior Security Architect

Rewanth Tammana is a security ninja, open-source contributor, and Senior Security Architect at Emirates NBD. He is passionate about DevSecOps, Application, and Container Security. He added 17,000+ lines of code to Nmap (famous as Swiss Army knife of network utilities). Holds industry certifications like CKS (Certified Kubernetes Security Specialist), CKA (Certified Kubernetes Administrator), etc. Rewanth speaks and delivers training at multiple international security conferences around the world including Black Hat, Defcon, Hack In The Box (Dubai and Amsterdam), CRESTCon UK, PHDays, Nullcon, Bsides, CISO Platform, null chapters and multiple others. He was recognized as one of the MVP researchers on Bugcrowd (2018) and identified vulnerabilities in several organizations. He also published an IEEE research paper on an offensive attack in Machine Learning and Security. He was also a part of the renowned Google Summer of Code program.

Related