Security/Plug-n-hack

Plug-n-hack is an effort to make your browser play nicely with the security tools you use.

Current Documentation can be found here

Plans

Plug-n-hack is an ongoing effort.

• Phase 1 (q2/3 2013):
  • Allow a browser to be configured to use a security tool with minimal effort
    • Proxy configuration
    • Proxy certificate import for SSL termination
  • Allow tool configurations to be managed
  • Allow tool functionality to be exposed via browser UI

• Phase 2 (q3/q4 2013):
  • Provide some access to the DOM from external security tools via a probe (e.g. injected via bookmarklet or by a security proxy)
    • Document load / reload in place
    • PostMessage interception / replay
      • window.postMessage proxying via javascript for on-origin iframes
      • DOM manipulation for iFrame replacement with postMessage proxying for off-origin iframes
    • Event inspection

• Phase 3 (q4 2013):
  • Define configurations and interfaces for in-browser versions of the existing probe functionality
  • Experiment with event manipulation and replay
  • Experiment with ringleader impl of interface and configuration

• Phase 4 (q1 2014)
  • Fuzzing via event record and replay
  • Remote probe configuration
    • Enable / disable monitoring / interception

Tool support

Browser support for PnH is provided by the Ringleader Firefox extension which can be found here.

A (fairly rudimentary) implementation of the DOM probe for external applications exists here

A number of tools make use of Plug-n-hack, notably:

• OWASP ZAP (Phase 1 support complete, partial support for phase 2 and 3)
• BURP (Phase 1 support)
• OWTF (Phase 1 support)