Plug-n-Hack

Simon Bennetts

Plug-n-Hack Overview

Plug-n-Hack (PnH) is a proposed standard from the Mozilla security team for defining how security tools can interact with browsers in a more useful and usable way.

Security researchers commonly use security tools in conjunction with browsers, but until now direct integration has required writing platform and browser specific extensions.

Configuring a browser to work with a security tool can be a non-trivial process, and this can discourage people with less experience from using such tools. This can include application developers and testers, exactly the sort of people we would like to use these tools more!

For example, to configure a browser to use an intercepting proxy that can handle HTTPS traffic, the user must typically:

  • Configure their browser to proxy via the tool
  • Configure the tool to proxy via their corporate proxy
  • Import the tool’s SSL certificate into their browser

If any of these steps are carried out incorrectly then the browser will typically fail to connect to any website – debugging such problems can be frustrating and time-consuming.

Without integration between security tools and browsers, a user must often switch between the tool and their browser several times to perform a simple task, such as intercepting an HTTP(S) request.

PnH allows security tools to declare the functionality that they support which is suitable for invoking directly from the browser.

A browser that supports PnH can then allow the user to invoke such functionality without having to switch to and from the tool.

While some of the PnH capabilities do have a fixed meaning, particularly around proxy configuration, most of the capabilities are completely generic, allowing tools to expose whatever functionality they want.

Implementing the above features in Firefox and the tools that we work on and support gives our team an advantage, however we believe that opening up such capabilities to all browsers and all security tools is much more useful for security researchers and application developers and testers.

As a result we have designed and developed the PnH protocol to be both browser and tool independent. The current protocol and Firefox implementation are released under the Mozilla Public License 2.0 which means it can be incorporated in commercial tools without charge.

Phase 1

PnH phase 1 allows easier integration and defines how security tools can advertise their capabilities to browsers.

To support PnH-1 security tools provide a manifest over HTTP(S) which defines the capabilities that the browser can make use of.

It is up to the tool authors to decide how the URL of the manifest is publicised.

An example manifest (for OWASP ZAP) is:

{
  "toolName":"OWASP ZAP",
  "protocolVersion":"0.2",
  "features":{
    "proxy":{
      "PAC":"http://localhost:8080/proxy.pac",
      "CACert":"http://localhost:8080/OTHER/core/other/rootcert/"
    },
    "commands":{
      "prefix":"zap",
      "manifest":"http://localhost:8080/OTHER/mitm/other/service/"
    }
  }
}

The top level manifest includes optional links to a proxy PAC and a root CA certificate.

It also optionally links to another manifest which describes the commands the browser can invoke.

An example commands manifest (for OWASP ZAP) is: https://code.google.com/p/zap-extensions/source/browse/branches/beta/src/org/zaproxy/zap/extension/plugnhack/resource/service.json

In Firefox the tool commands will be made available via the Developer Toolbar (GCLI) https://developer.mozilla.org/en-US/docs/Tools/GCLI

A example of how the ZAP commands are currently displayed is:

Note that user specified parameters can be specified for commands, which can either be free text, a static pull down list of options or a dynamic list of options obtained from the tool on demand.

So if you select the “zap scan” command then you will be prompted to select a site from the list of sites currently known to ZAP.

PnH does not specify how tool commands should be displayed, so other browsers are free to display them in different ways.

Phase 2

The next phase of PnH is still being planned but is intended to allow browsers to advertise their capabilities to security tools.

This will allow the tools to obtain information directly from the browser, and even use the browser as an extension of the tool.

If you are interested in working on this aspect then please get in touch.

Get involved

While this project has been started by the Mozilla Security Team and has been validated with Firefox and OWASP ZAP, this is an open project and we welcome involvement from anyone, especially people working on other browsers and security tools.

If you would like to add PnH support to a browser or tool, or even get involved in onward PnH development,  then please get in touch and we will give you whatever assistance we can.

Tools supporting PnH

  • OWASP ZAP 2.2.0: via MITM-conf add-on
    Source code available from: zap-extensions
  • Burp Suite: support coming soon