In this post, I will discuss why a professional penetration tester should not use OWASP Mantra or HconSTF. I will also introduce “Firefox Security Toolkit”, a simple tool I have built that can be a very good replacement for these two projects and provides better security for the penetration tester too.

What are OWASP Mantra and HconSTF?
OWASP Mantra and HconSTF are browsers made specifically for penetration testers. They bundle a large number of extensions that help penetration testers with their daily work, focused on the testing of web applications. The concept of the project seems decent, but there are many issues with those browsers.

Built on Outdated Browsers:
Both projects are built on Firefox. The problem is that they are built on Firefox v17-v18, which are both extremely old. From a basic security awareness point of view, no one should use an outdated browser, a very critical attack vector, to interact with the public Internet.

Outdated Plugins:
The main reason to use OWASP Mantra or HconSTF is the large number of plugins they provide. Since both projects are prebuilt browsers, it is expected that the browsers and their plugins would be updated very frequently to ensure the best results for penetration testers. Unfortunately, they are not being updated.

If those two projects are discontinued and no further updates will be released, this should be announced to prevent damage and issues.

Security Issues:
Since the latest version of OWASP Mantra is built on Firefox v18, there are numerous exploits for it that are publicly available. There is no need even to tweak a public exploit or dig deeper; some of these exploits are included in the Metasploit project.
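The two points above (an engine stuck at Firefox 17/18, and public exploits for that engine) are also something a defender can spot: a legacy Firefox user-agent hitting your applications is worth a look, whether it is a tester using one of these browsers or an unpatched workstation. The script below is an added example, not part of the original post or of either project; it parses combined-format access log lines, extracts the Firefox major version from the user-agent string, and flags anything below an assumed minimum. The log lines and the version threshold are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Assumed threshold for illustration; in practice use the current supported
# Firefox release number. Firefox 17/18 (the engine behind Mantra/HconSTF)
# falls well below it.
MIN_FIREFOX_MAJOR = 60

# Constructed sample log lines (Apache/Nginx "combined" format), not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Jan/2018:12:00:01 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:18.0) Gecko/20100101 Firefox/18.0"
203.0.113.11 - - [10/Jan/2018:12:00:02 +0000] "GET /api/v1/users HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0"
203.0.113.12 - - [10/Jan/2018:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0"
203.0.113.13 - - [10/Jan/2018:12:00:04 +0000] "GET / HTTP/1.1" 200 1024 "-" "curl/7.58.0"
"""

# One combined-format line: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# The "Firefox/<major>.<minor>" token that Gecko-based browsers put in the UA string
FIREFOX_RE = re.compile(r"Firefox/(?P<major>\d+)(?:\.(?P<minor>\d+))?")


@dataclass
class Finding:
    ip: str
    request: str
    firefox_version: str


def firefox_major(user_agent: str):
    """Return the Firefox major version in a UA string, or None if it is not Firefox."""
    m = FIREFOX_RE.search(user_agent)
    return int(m.group("major")) if m else None


def find_outdated_firefox(log_text: str, min_major: int = MIN_FIREFOX_MAJOR) -> list:
    """Return one Finding per log line whose Firefox version is below min_major.

    Lines that do not parse, or that come from non-Firefox clients, are skipped.
    """
    findings = []
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than guess
        ua = m.group("ua")
        major = firefox_major(ua)
        if major is None or major >= min_major:
            continue
        version_token = FIREFOX_RE.search(ua).group(0)  # e.g. "Firefox/18.0"
        findings.append(Finding(m.group("ip"), m.group("request"), version_token))
    return findings


if __name__ == "__main__":
    for f in find_outdated_firefox(SAMPLE_LOG):
        print(f"{f.ip}\t{f.firefox_version}\t{f.request}")
```

Run against the constructed sample, it reports the two Firefox 17/18 requests and stays quiet about the current Firefox and the curl client. A user-agent is trivially spoofable, so treat a hit as a prompt to check the source host, not as proof of the browser in use.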
