This is firefox extension which parses the requests before forwarding to the DNS server to scan for vulnerable URLs which occur due to Headers.
The extension currently detects URLs which are vulnerable to
- CORS Misconfiguration
- Host Header Injection
- Missing X-XSS-Protection headers (commented in the code due to its low severity)
- Clickjacking support
Submitted vulnerabilities to websites like #signup.com , #Chargify, #Hotstar, #Medium, etc using this tool. Got listed in #Chargify HOF and other organisaitons are resolving the issues.
- Clone the repo or fork it.
- Open Firefox and load
about:debuggingin the URL bar. - Click the Load Temporary Add-on button and select the
manifest.jsonfile in your cloned repo. - Now the vuln-headers-extension is installed.
- Clone the repo or fork it.
- Install the web-ext tool, a npm package.
- Change into the directory where you cloned the repo.
- Type
web-ext run. This will launch Firefox and install the extension.
- Once you install the extension you can see an icon in the tool bar.
- Click on the icon and a new tab gets opened.
- Leave it open and do your browsing/work.
- The extension automatically logs all the vulnerable URLs to the new tab.
- Now you can submit a report to the respective organisaiton and make it more secure.
Want to add more features to it? Fork the repo and create a Pull Request. Like this tool, STAR it and click on Watch to get more updates on this tool.
https://medium.com/@rewanthcool/firefox-vuln-headers-extension-e848b6d80d14