POW is a fully functional Web Server that works inside your Firefox/Mozilla Browser. It uses Server Side JavaScript (SJS) to deliver dynamic content. If you are unsure why this Firefox Extension is relevant to web security people like me and most of the GNUCITIZEN readers, go grab it and I will walk you through some of the main features of this wonderful piece of software.
After installing POW, the server is automatically instantiated on port 6670 without any configuration. It just works! You can access its default content at http://localhost:6670. There is a link on that page that points you to the POW document root. This folder is inside your Firefox profile, which is really good since we can use any of the backup extensions available in the wild.
As I mentioned earlier, POW uses SJS (Server Side JavaScript). You can start creating files right on the file system. One of the coolest aspects of POW is the set of built-in functions that it comes with. As a developer you can do almost everything, from creating a simple SJS “Hello World” to interacting with Firefox XPCOM. POW comes with a Cron server as well, which is really cool, I must say. You can do database stuff with the SQLite support in Firefox and interact with the file system. Creating AJAX applications is a piece of cake.
If you start messing around with POW, you will see that there is a feature called Infinilink, which is something like Dynamic DNS. Basically, everybody will be able to find your server even if your ISP changes your IP address. A similar effect can be achieved with Dynamic DNS and a few lines in GreaseMonkey or Technika.
This tool is particularly interesting when playing with various Web attacks, especially Cross-site scripting and Cross-site request forgeries. With a few lines of SJS you can create bi-directional attack channels, remote shells (password protected if you like), redirectors, converters, schedulers, collection points… almost everything you can think of. With the help of Infinilink or Dynamic DNS you can always get back to your server.
Long gone are the days when attackers needed to host their malicious scripts on a remote server. All they need is Firefox, POW and an Internet-facing IP.
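Seen from the defending side, a browser process that owns a listening TCP socket is unusual and easy to flag during a host audit. The following is an added example, not part of the original post or of POW: it parses Linux `ss -Hltnp` output and reports browser-owned listeners, marking POW's default port 6670 and whether the socket is reachable from other hosts. The sample output and the list of browser process names are constructed assumptions.

```python
import re

# Constructed sample of `ss -Hltnp` output (Linux, iproute2); not captured from a real host.
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 50 0.0.0.0:6670 0.0.0.0:* users:(("firefox",pid=4211,fd=87))
LISTEN 0 50 127.0.0.1:6670 0.0.0.0:* users:(("firefox-esr",pid=5120,fd=91))
LISTEN 0 128 [::1]:631 [::]:* users:(("cupsd",pid=640,fd=7))
LISTEN 0 50 *:8080 *:* users:(("java",pid=900,fd=44))
LISTEN 0 50 [::]:6670 [::]:* users:(("seamonkey",pid=7001,fd=60))
"""

# Assumed process-name prefixes for Mozilla-family browsers; extend for your fleet.
BROWSERS = re.compile(r"^(firefox|mozilla|seamonkey|iceweasel)", re.I)
POW_PORT = 6670  # default port stated in the post
PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+)')


def split_addr(local):
    """Split 'host:port', handling bracketed IPv6 such as [::]:6670."""
    host, _, port = local.rpartition(":")
    return host.strip("[]"), int(port)


def is_loopback(host):
    return host.startswith("127.") or host == "::1"


def browser_listeners(ss_output):
    """Return one finding per listening socket owned by a browser process."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[0] != "LISTEN":
            continue  # not a listener, or no process info (ss -p needs privileges)
        m = PROC_RE.search(fields[5])
        if not m or not BROWSERS.match(m.group(1)):
            continue
        host, port = split_addr(fields[3])
        findings.append({
            "process": m.group(1), "pid": int(m.group(2)), "port": port,
            "exposed": not is_loopback(host),  # bound beyond loopback
            "pow_default": port == POW_PORT,
        })
    return findings


if __name__ == "__main__":
    for finding in browser_listeners(SAMPLE_SS):
        print(finding)
```

On a live host, feed it the output of `ss -Hltnp` run with enough privileges to see process names; a finding with `exposed` set to true deserves a closer look regardless of the port number.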
Firefox has always been my number one tool, but now it has become irreplaceable.
Indeed, POW is awesome. Here’s the bit of code that makes it all possible: http://www.xulplanet.com/tutor.....erpush.php (server sockets). You could design your own specialized tool with it.