The Mozilla security team is developing a new proposed standard that will make it easier for researchers to integrate some of their tools with Firefox and other browsers. The standard, known as Plug-n-Hack, is an open project that Mozilla hopes will be adopted by researchers and tool makers.
A lot of security research is done via the browser these days and integrating custom testing tools with various browsers can be a time-consuming task. So the Mozilla team was looking for a way to make this process simpler and faster and came up with the concept of Plug-n-Hack, which serves as a go-between for browsers and security tools.
“Without integration between security tools and browsers, a user must often switch between the tool and their browser several times to perform a simple task, such as intercepting an HTTP(S) request. PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser,” Simon Bennetts of Mozilla said in a blog post.
“A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool. While some of the PnH capabilities do have a fixed meaning, particularly around proxy configuration, most of the capabilities are completely generic, allowing tools to expose whatever functionality they want.”
The current version of the Plug-n-Hack protocol has been implemented in Firefox, but Bennetts said that the company hopes other browser vendors and security researchers will incorporate it into their tools and applications. The protocol already has been integrated with the OWASP Zed Attack Proxy, a pen-testing framework.
“The next phase of PnH is still being planned but is intended to allow browsers to advertise their capabilities to security tools. This will allow the tools to obtain information directly from the browser, and even use the browser as an extension of the tool,” Bennetts said.
“While this project has been started by the Mozilla Security Team and has been validated with Firefox and OWASP ZAP, this is an open project and we welcome involvement from anyone, especially people working on other browsers and security tools.”
Image from Flickr photos of Paul Schultz.
