Internet users seeking seamless integration between their security tools and browsers will have a new way to experience the web when Plug-n-Hack is released with Firefox 24 this month.
The goal is to eventually make the feature available to other web browsers, in addition to Mozilla's Firefox. Plug-n-Hack – designed with security professionals in mind – will enable security testing tools to exist within the web browser through the graphical command-line interface, which is a part of the Firefox Developer Toolbar.
One of the security tools that the Firefox Plug-n-Hack will support right out of the gate is OWASP ZAP, a penetration testing program used to find vulnerabilities in web applications. Burp Suite – a Java application used to secure or crack web applications – will be supported soon.
“The benefit to this is that the security professional can work within the browser at all times,” Michael Coates, director of security assurance with Mozilla, told SCMagazine.com on Friday. “They don't have to go outside the browser to do configuration.”
As it stands, the configuration process can be needlessly daunting, Coates said. He added that he hopes the streamlined process offered by Plug-n-Hack will encourage more people to take advantage of the feature.
Currently, if a user wanted to, for example, configure a browser to use an intercepting proxy that can handle HTTPS traffic, that person must configure their browser to proxy via the tool, configure the tool to proxy via their corporate proxy, and import the tool's SSL certificate into their browser, according to a blog post by Simon Bennetts, a security automation engineer at Mozilla.
“If any of these steps are carried out incorrectly then the browser will typically fail to connect to any website – debugging such problems can be frustrating and time-consuming,” Bennetts wrote.
Coates explained that shifting to Plug-n-Hack will be a simple transition for the seasoned security professional already familiar with the current process.
The Plug-n-Hack concept has been explored by Mozilla security professionals for a couple of years and only finally started gaining momentum in January, Coates said, adding that the team plans to introduce more advanced functionality in the future.
“Implementing the above features in Firefox – and the tools that we work on and support – gives our team an advantage,” Bennetts post said. "However, we believe that opening up such capabilities to all browsers and all security tools is much more useful for security researchers and application developers and testers.