Security/Plug-n-hack: Difference between revisions

Latest revision as of 16:42, 7 January 2014

Plug-n-hack is an effort to make your browser play nicely with the security tools you use.

Current Documentation can be found here

Plans

Plug-n-hack is an ongoing effort.

Phase 1 (q2/3 2013):
- Allow a browser to be configured to use a security tool with minimal effort
  - Proxy configuration
  - Proxy certificate import for SSL termination
- Allow tool configurations to be managed
- Allow tool functionality to be exposed via browser UI

Phase 2 (q3/q4 2013):
- Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy)
  - Document load / reload in place
  - PostMessage interception / replay
    - window.postMessage proxying via javascript for on-origin iframes
    - DOM manipulation for iFrame replacement with postMessage proxying for off-origin iframes
  - Event inspection

Phase 3 (q4 2013):
- Define configurations and interfaces for in-browser versions of the existing probe functionality
- Experiment with event manipulation and replay
- Experiment with ringleader impl of interface and configuration

Phase 4 (q1 2014)
- Fuzzing via event record and replay
- Remote probe configuration
  - Enable / disable monitoring / interception

Tool support

Browser support for PnH is provided by the Ringleader Firefox extension which can be found here.

A (fairly rudimentary) implementation of the DOM probe for external applications exists here

A number of tools make use of Plug-n-hack, notably:

OWASP ZAP (Phase 1 support complete, partial support for phase 2 and 3)
BURP (Phase 1 support)
OWTF (Phase 1 support)

@@ Line 1: / Line 1: @@
+Plug-n-hack is an effort to make your browser play nicely with the security tools you use.
 Current Documentation can be found [https://developer.mozilla.org/en-US/docs/Plug-n-Hack here]
+'''Plans'''
+Plug-n-hack is an ongoing effort.
+* Phase 1 (q2/3 2013):
+** Allow a browser to be configured to use a security tool with minimal effort
+*** Proxy configuration
+*** Proxy certificate import for SSL termination
+** Allow tool configurations to be managed
+** Allow tool functionality to be exposed via browser UI
+* Phase 2 (q3/q4 2013):
+** Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy)
+*** Document load / reload in place
+*** PostMessage interception / replay
+**** window.postMessage proxying via javascript for on-origin iframes
+**** DOM manipulation for iFrame replacement with postMessage proxying for off-origin iframes
+*** Event inspection
+* Phase 3 (q4 2013):
+** Define configurations and interfaces for in-browser versions of the existing probe functionality
+** Experiment with event manipulation and replay
+** Experiment with ringleader impl of interface and configuration
+* Phase 4 (q1 2014)
+** Fuzzing via event record and replay
+** Remote probe configuration
+*** Enable / disable monitoring / interception
+'''Tool support'''
+Browser support for PnH is provided by the Ringleader Firefox extension which can be found [https://github.com/mozmark/ringleader here].
+A (fairly rudimentary) implementation of the DOM probe for external applications exists [https://github.com/mozmark/Plug-n-Hack here]
+A number of tools make use of Plug-n-hack, notably:
+* [https://www.owasp.org/index.php/OWASP_Zed_Attack_Proxy_Project OWASP ZAP] (Phase 1 support complete, partial support for phase 2 and 3)
+* [http://blog.portswigger.net/2013/09/burp-support-for-firefox-plug-n-hack.html BURP] (Phase 1 support)
+* [http://blog.tunnelshade.in/2013/08/plug-n-hack-support-in-owtf-d.html OWTF] (Phase 1 support)

Security/Plug-n-hack: Difference between revisions

Latest revision as of 16:42, 7 January 2014

Navigation menu

Search