Information gathering

• Whois and geo-location
  • ShowIP
    : Show the IP address of the current page in the status bar. It also
    allows querying custom services by IP (right mouse button) and Hostname
    (left mouse button), like whois, netcraft.
  • Shazou
    : The product called Shazou (pronounced Shazoo it is Japanese for
    mapping) enables the user with one-click to map and geo-locate any
    website they are currently viewing.
  • HostIP.info Geolocation : Displays Geolocation information for a website using hostip.info data. Works with all versions of Firefox.
  • Active Whois : Starting Active Whois to get details about any Web site owner and its host server.
  • Bibirmer Toolbar
    : An all-in-one extension. But auditors need to play with the toolbox.
    It includes ( WhoIs, DNS Report, Geolocation , Traceroute , Ping ).
    Very useful for information gathering phase

• Enumeration / fingerprinting
  • Header Spy: Shows HTTP headers on statusbar
  • Header Monitor
    : This is Firefox extension for display on statusbar panel any HTTP
    response header of top level document returned by a web server.
    Example: Server (by default), Content-Encoding, Content-Type,
    X-Powered-By and others.

• Social engineering
  • People Search and Public Record:
    This Firefox extension is a handy menu tool for investigators,
    reporters, legal professionals, real estate agents, online researchers
    and anyone interested in doing their own basic people searches and
    public record lookups as well as background research.

• Googling and spidering
  • Advanced dork
    : Gives quick access to Google’s Advanced Operators directly from the
    context menu. This could be used to scan for hidden files or narrow
    in a target anonymously (via the scroogle.org option) 
  • SpiderZilla : Spiderzilla is an easy-to-use website mirror utility, based on Httrack from www.httrack.com.
  • View Dependencies
    : View Dependencies adds a tab to the "page info" window, in which it
    lists all the files which were loaded to show the current page. (useful
    for a spidering technique)

Security Assessment / Code auditing

• Editors
  • JSView
    : The ’view page source’ menu item now opens files based on the
    behavior you choose in the jsview options. This allows you to open the
    source code of any web page in a new tab or in an external editor.
  • Cert Viewer Plus
    : Adds two options to the certificate viewer in Firefox or Thunderbird:
    an X.509 certificate can either be displayed in PEM format (Base64/RFC
    1421, opens in a new window) or saved to a file (in PEM or DER format -
    and PKCS#7 provided that the respective patch has been applied – cf.
  • Firebug
    : Firebug integrates with Firefox to put a wealth of development tools
    at your fingertips while you browse. You can edit, debug, and monitor
    CSS, HTML, and JavaScript live in any web page
  • XML Developer Toolbar:allows XML Developer’s use of standard tools all from your browser.
  • Web developer : Adds a menu and a toolbar with various web developer tools.

• Headers manipulation
  • HeaderMonitor
    : This is Firefox extension for display on statusbar panel any HTTP
    response header of top level document returned by a web server.
    Example: Server (by default), Content-Encoding, Content-Type,
    X-Powered-By and others.
  • RefControl : Control what gets sent as the HTTP Referer on a per-site basis.
  • User Agent Switcher :Adds a menu and a toolbar button to switch the user agent of the browser

• Cookies manipulation
  • Add N Edit Cookies : Cookie Editor that allows you add and edit "session" and saved cookies.
  • CookieSwap
    : CookieSwap is an extension that enables you to maintain numerous sets
    or "profiles" of cookies that you can quickly swap between while
    browsing
  • httpOnly : Adds httpOnly cookie support to Firefox by encrypting cookies marked as httpOnly on the browser side
  • Allcookies : Dumps ALL cookies (including session cookies) to Firefox standard cookies.txt file

• Security auditing
  • HackBar
    : This toolbar will help you in testing sql injections, XSS holes and
    site security. It is NOT a tool for executing standard exploits and it
    will NOT learn you how to hack a site. Its main purpose is to help a
    developer do security audits on his code.
  • Tamper Data : Use tamperdata to view and modify HTTP/HTTPS headers and post
    parameters.
  • Chickenfoot
    : Chickenfoot is a Firefox extension that puts a programming
    environment in the browser’s sidebar so you can write scripts to
    manipulate web pages and automate web browsing. In Chickenfoot, scripts
    are written in a superset of Javascript that includes special functions
    specific to web tasks.

Proxy/web utilities

• FoxyProxy
  : FoxyProxy is an advanced proxy management tool that completely
  replaces Firefox’s proxy configuration. It offers more features than
  SwitchProxy, ProxyButton, QuickProxy, xyzproxy, ProxyTex, etc
• SwitchProxy:
  SwitchProxy lets you manage and switch between multiple proxy
  configurations quickly and easily. You can also use it as an anonymizer
  to protect your computer from prying eyes
• POW (Plain Old WebServer)
  : The Plain Old Webserver uses Server-side Javascript (SJS) to run a
  server inside your browser. Use it to distribute files from your
  browser. It supports Server-side JS, GET, POST, uploads, Cookies,
  SQLite and AJAX. It has security features to password-protect your
  site. Users have created a wiki, chat room and search engine using SJS.
• Torbutton : Torbutton provides a button to securely and easily enable or disable
  the browser’s use of Tor. It is currently the only addon that will
  safely manage your Tor browsing to prevent IP address leakage, cookie
  leakage, and general privacy attacks.

Misc

• Hacks for fun
  • Greasemonkey : Allows you to customize the way a webpage displays using small bits of JavaScript (scripts could be download here)

• Encryption
  • Fire Encrypter
    : FireEncrypter is an Firefox extension which gives you
    encryption/decryption and hashing functionalities right from your
    Firefox browser, mostly useful for developers or for education &
    fun.

• Malware scanner
  • QArchive.org web files checker
    : llowing people to check web files for any malware (viruses, trojans,
    worms, adware, spyware and other unwanted things) inclusions.
  • Dr.Web anti-virus link checker : This plugin allows you to check any file you are about to download, any page you are about to visit
  • ClamWin Antivirus Glue for Firefox : This extension scans every downloaded file automatically with ClamWin.

• Anti Spoof
  • refspoof
    : Easy to pretend to origin from a site by overriding the url referrer
    (in a http request). — it incorporates this feature by using the
    pseudo-protocol spoof:// .. thus it’s possible to store the information
    in a "hyperlink" – that can be used in any context .. like html pages
    or bookmarks

• How to create Firefox extensions
• Useful Firefox Security Extensions
• Mozilla port banning
• Must Have SEO Firefox Extensions

Cert issued a
Vulnerability Note VU#476267
for a "Cross-Protocol" scripting attack, known as the HTML
Form Protocol Attack which allowed sending arbitrary data to most TCP ports.
A simple exploit of this hole allows an attacker to send forged unsigned mail through
a mail server behind your firewall: A really nasty hole.

I found the list of ports blocked by Mozilla here: http://www.mozilla.org/projects/netlib/PortBanning.html

• A browser as web hacking platform
• How to create Firefox extensions
• Useful Firefox Security Extensions

• Creating Firefox extensions
• How to create Firefox extensions
• Extend Firefox: Your Guide to Writing Firefox Extensions
• Firefox Extension Tutorial
• How to build a Firefox extension
• Developing a Firefox Extension That People Actually Use: 32 Essential Tools and Tutorials
• Firefox Extension: Firefox Statusbar Tutorial – How to add stuff to the statusbar in Firefox/Mozilla
• Firefox 2.0 extension development
• Packaging Firefox/Thunderbird Extensions
• Captain’s Mozilla XUL LOG – read local files and write local files

• Useful Firefox Security Extensions
• A browser as web hacking platform
• Mozilla port banning
• Must Have SEO Firefox Extensions

• Add n’ Edit Cookies This might be more of a web developer tool, but being able to view in detail the cookies that various sites set on your visits can be an eye-opening experience. This extension not only shows you all the details, but lets you modify them too. You’ll be surprised at how many web apps do foolish things like saving your password in the cookie.
• Dr. Web Anti-Virus Link Checker
  This is an interesting idea — scanning files for viruses before
  you download them. Basically, this extension adds an option to the link
  context menu that allows you to pass the link to the Dr. Web AV
  service. I haven’t rigorously tested this or anything, but it’s an
  interesting concept that could be part of an effective multilayer
  personal security model.
  
• FormFox
  This extension doesn’t do a whole lot, but what it does is
  important — showing a tooltip when you roll over a form submission
  button of the form action URL. Extending this further to visually
  differentiate submission buttons that submit to SSL URLs would be
  really nice
  
• FlashBlock
  Flash hasn’t been quite as popular an attack vector as Javascript,
  but it still potentially could be a threat, and it’s often an
  annoyance. This extension disables all embedded Flash elements by
  default (score one for securing things by default), allowing
  you to click to activate a particular one if you like. It lacks the
  flexibility I’d like (things like whitelists would be very handy), and
  doesn’t give you much (any?) info about the Flash element before you
  run it, but it’s still a handy tool.
• LiveHTTPHeaders & Header Monitor
  LiveHTTPHeaders is an incredibly useful too for web developers,
  displaying all of the header traffic between the client and server.
  Header Monitor is basically an add-on for LiveHTTPHeaders that displays
  a chosen header in Firefox’s status bar. They’re not really
  specifically security tools, but they do offer a lot of info on what’s
  really going on when you’re browsing, and an educated user is a safer
  user.
• JavaScript Option
  This restores some of the granularity Firefox users used
  to have over what Javascript can and cannot do. I’d like to see this
  idea taken farther (see below), but it’s handy regardless.
• NoScript
  This extension is pretty smooth. Of all the addons for Firefox covered here, this is the
  one to get. NoScript is a powerful javascript execution whitelisting
  tool, allowing full user control over what domains allow scripts to
  run. Notifications of blocked execution and the allowed domain
  interface are nearly identical to the built-in Firefox popup blocker,
  so users should find it comfortable to work with. NoScript can also
  block Flash, Java, and “other plugins;” forbid bookmarklets block or allow the ping attribute of the tag; and attempt to rewrite links that execute javascript to go
  to their intended donation without triggering the script code.

  The one thing I’d really like to see from this extension would be
  more ganularity over what the Javascript engine can access. Now it’s
  only “on” or “off,” but being able to disable things like cookie access
  would eliminate a lot of potential security issues while still letting
  JS power rich web app interfaces. Also read Pascal Meunier’s take on NoScript.

• QuickJava
  Places handy little buttons in the status bar that let you quickly
  enable or disable Java or Javascript support. Note that this will not work with the latest stable Firefox (1.5.0.1). Hopefully a new version will be available soon.
• ShowIP
  This is another tool that isn’t aimed at security per se,
  but offers a lot of useful information. ShowIP drops the IP address of
  the current site in your status bar. Clicking on it brings up a menu of
  lookup options for the IP, like whois and DNS info. You can add
  additional web lookups if you like, as well as passing the IP to a
  local program. Handy stuff.
  
• SpoofStick
  The idea with this extension is to make it easier to catch
  spoofing attempts by displaying a very large, brightly colored “You’re
  on ” in the toolbar. For folks who know what they’re doing this isn’t
  wildly useful, but it could be just the ticket for less savvy users. It
  requires a bit too much setup for them, though, and in the end I think
  this is something the browser itself should be handling.
  
• Tamper Data
  Much like LiveHTTPHeaders, Tamper Data is a very useful
  extension for web devs that lets the user view HTTP headers and POST
  data passed between the client and server. In addition, Tamper Data
  makes it easy for the user to alter the data being sent to the server,
  which is enormously useful for doing security testing against web apps.
  I also like how the data is presented in TD a bit better than
  LiveHTTPHeaders: it’s easier to see at a glance all of the traffic and
  get an overall feel of what’s going on, but you can still drill down
  and get as much detail as you like.
• All-in-One Gestures
  - merges the popular following extensions for management of mouse
  gestures, scrolling and power navigation. (Mix of Mouse Gestures,
  Rocker navigation, Tab scroller, History scroller, Link tooltip and
  Autoscrolling extensions)
• Tabbrowser Preferences
  - a comprehensive UI for changing a number of the hidden tabbed
  browsing preferences in Firefox. It also provides the ability to
  control how internal and external links are opened in the browser and
  how the browser will react when links are sent to it.
• Tab Mix Plus – More tweaks
  added to tabs. Ability to select and open muliple links in tabs, open
  link in a duplicated tab, merge tabs and close tabs from similar domain…
• Duplicate Tab – allows you to clone a tab with its history and place the duplicate tab in a new window or in the current window.
• Colorful Tabs
  - Colors every tab in a different color and makes them easy to
  distinguish while beautifying the overall appeal of the interface.
• Viamatic foXpose – Click on the icon in the status bar to view all the browser windows with a single click.
• Firefox Showcase – easily locate and select any open browser window in Firefox.
• Separe – Helps you keeping tabs tidy by introducing a new kind of tab.
• Permatabs – turn tabs of your choice into permanent tabs that can’t be closed, and stick around between sessions.
• FaviconizeTab – resizes the width of the tab to display the favicon only (and back again).
• Linky – Lets you open or download all or selected links, image links and even web addresses found in the text in separate or different tabs or windows.
• WebMailCompose – Makes mailto: links load your webmail’s compose page and adds a Compose link to the context menu.
• Linkification – Allows Firefox (0.9+) to view plain-text URLs and e-mail addresses as actual links
• IE Tab – can open the
  current page or a selected link embedding Internet Explorer in tabs of
  Mozilla/Firefox. Very useful for those IE only pages.
• FirefoxView
  - Open Firefox with the current page or a selected link displayed in
  Internet Explorer. Adds “View in Firefox” menu items to the content and
  link context menus.
• Paste and Go – lets you
  paste an URL from the clipboard into the address bar and load it as a
  single step, either via the adress bar’s context menu or by pressing
  Ctrl-Shift-V
• ErrorZilla
  - changes the default 404 error page with following choices: a google
  cache, an archival snapshot from the wayback machine, a ping, a trace
  route, and a whois lookup.
• FlashGot – handles single and massive downloads with several external Download Managers.
• PDF Download – Every
  time you click on a link, checks if the target is a pdf file and in
  this case let you choose what you want to do (open pdf file inside a
  new tab, download it to the filesystem or view it as HTML).
• ScrapBook – helps you to save Web pages and easily manage collections.
• DownThemAll! – adds
  new advanced downloading capabilities to your browser. It lets you
  download in just one click all the links or images contained in a
  webpage or refine your preferences using fully customizable filters.
• TargetAlert -
  provides visual cues for the destinations of hyperlinks. If a hyperlink
  points to a something that is not a web page (in cases of pdf, doc, zip
  files etc.), then TargetAlert will try to append an icon to the
  hyperlink that represents its destination
• Download Manager Tweak – modifies the default appearance of the firefox download manager and allows it to be opened in a separate window, the sidebar, or a tab.
• Download Statusbar – is a browser extension that allows you to keep track of ongoing and completed downloads in a hide-away statusbar
• Disable Targets For Downloads – Prevents sites spawning blank windows when clicking binary downloads.
• FireFTP – is a free, secure, cross-platform FTP client for Mozilla Firefox which provides easy and intuitive access to FTP servers
• GreaseMonkey – Install user scripts and change the behavior of any web page
• Image Zoom -
  Right click on an image and select a zoom option from the popup menu,
  or, hold down the right mouse button in combination with the mouse
  wheel to zoom in or out on an image.
• Fasterfox – Speed up Firefox. Dynamic speed increases can be obtained with Fasterfox’s unique prefetching mechanism, which recycles idle bandwidth by silently loading and caching all of the links on the page you are browsing. Also tweaks many network and rendering settings.
• SpellBound -
  enables spell checking in web forms such as html textarea / input
  elements (html input password elements are not checked by SpellBound)
  and rich text form elements. This allows you to spell check forms before submitting them.
• BugMeNot
  - Bypasses compulsory web registration using the BugMeNot without the
  hassle of surfing to it and querying its database everytime.
• AutoCopy – Select text on any web page and it will be automatically copied to the clipboard. Middle click to Paste.
• Copy Plain Text
  - Copies text without formatting. Have you ever copied something and
  been annoyed that the text formatting (bold, font size, etc) came with
  it? Don’t you wish you could just copy the text itself, without having
  to copy it, paste it into notepad, then copy it again?
• Google Images Re-Linker
  - This will let you click the thumbnail images on images.google.com,
  skip the referred framed page, and jump straight to the full-size image.
• Stop-or-Reload Button – Makes the Stop and Reload button behave like a single one (as in Safari).
• Extended Statusbar
  - adds an Opera-like statusbar for Firefox that shows number of loaded
  images, bytes downloaded, average download speed, load time and
  percentage of the page loaded.
• Resizeable Textarea – Resize small textareas in forums to your needed size avoiding scrolling.
• Adblock Plus – is an enhanced version of Adblock. Block ads, applets, flash, embedded-media etc.
• Flashblock – blocks all Flash content from loading on a webpage.
• Sage – add a lightweight RSS and Atom feed aggregator which integrates with Firefox’s bookmark storage and Live Bookmarks.
• Cacheout!- lets you try to access articles on servers affected by the Digg Effect /Slashdot Effect through Google’s caching service and CoralCDN.org.
• Pearl Crescent Page Saver – capture screenshots and save full webpages as images easily.
• Reload Every – adds an
  option to the context menu to reload the web page you are viewing every
  so many seconds or minutes. Useful if you keep refreshing some pages
  often.
• Copy URL+ – copy to
  the clipboard the current document’s address along with additional
  information such as the document’s title, the current selection or
  both. Customize it to add your own menu entries.
• InFormEnter – adds a
  small, clickable icon next to every input field in a web form, from
  where you can select the item to be inserted with your frequently used
  information such as name, email, address and whatever else you want to
  be available from the form menu.
• All-in-One Sidebar – is a sidebar control, inspired by Opera that lets you quickly switch between sidebars, view dialog window such as downloads, extensions, and more in the sidebar, or view source code or websites in the sidebar. Can be extensively customized.
• Text size toolbar – Adds buttons to increase or decrease text size or restore default size easily. Useful for those small unreadable font sizes.
• Reveal – allows you to see thumbnails of pages in your session history and quickly find the page you want.
• Mystickies – allows you to place sticky notes all over the web and organize them with tags.
• Clear Cache Button – Adds a clear cache toolbar button that cleans the cache in one click. Very handy for those who have use for it.
• gTranslate – translate any text in a webpage just by selecting and right-clicking over it. Uses the Google translation services.
• Xinha Here! – is a wrapper for the Xinha HTML editor that enables WYSIWYG editing in any textarea and text box on any website.
• Yoono – instantly suggests alternate sites and people who share the same interests while you are surfing.
• BlueOrganizer – It helps you personalize your web experience based on what you already like, helping you discover relevant new information and save time.
• SwitchProxy
  - lets you manage and switch between multiple proxy configurations quickly and easily. You can also use it as an anonymizer to protect your computer from prying eyes.
• NoScript – allows JavaScript, Java (and other plugins) only for trusted domains of your choice. This whitelist based pre-emptive blocking approach prevents exploitation of security vulnerabilities with no loss of functionality
• Always Remember Password – Instructs web sites to always remember your password. Some sites like Yahoo Mail, Hotmail, and banking sites instruct the browser to never allow your password manager to retain your information.
• CookieCuller – Extended Cookie Manager to protect/unprotect selected cookies.
• Stealther – surf the web without leaving a trace in your local computer by *temporarily disabling history (and address bar), cookies, formFill, disk cache and sending of ReferrerHeader. Verify details of what exactly it can work for you.
• Google Toolbar for Firefox – Lets you search google and all its services easily. Also powered by Google Suggest (Get query suggestions as you type in the search box), SpellCheck, AutoFill, Pagerank of webpage, access to gmail, WordTranslator etc.
• CustomizeGoogle – enhances Google search results by adding extra information (like links to Yahoo, Ask Jeeves, MSN etc) and removing unwanted information (like ads and spam).
• NextPlease! – allows you to assign keyboard shortcuts to jump to next and previous links on search results pages, like Google, Yahoo, Ebay, Amazon, and many other sites.
• BetterSearch – enhances Google, MSN Search, Yahoo Search, A9, Answers.com, AllTheWeb, Dogpile.com, del.icio.us and Simpy.com bookmarks by adding previews (thumbnails) and Amazon product images and info etc.
• Answers – Press Alt (or Option on a Mac) and click any word to get a quick, relevant definition or explanation, drawn from a collection of over 100 reference titles.
• dsense Notifier – Displays your Adsense earnings on the statusbar.
• Forecastfox Enhanced
  - Get international weather forecasts and display it in any toolbar or statusbar. Now with improved radar images and allows for pausing, restarting and setting the frequency of automatic updates.
• DictionarySearch – Looks up a user selected word in an online dictionary you selected.
• Web Developer – Adds a menu and a toolbar with various essential web developer tools.

• How to create Firefox extensions
• A browser as web hacking platform
• Mozilla port banning
• Must Have SEO Firefox Extensions