Faraday Addon is a simple add-on for automatically reporting vulnerabilities from the browser to your own Faraday instance. It intercepts every request the browser makes and lets you open any of them and treat it as a vulnerability. This way, a pentester only has to use the add-on to send potentially vulnerable requests to Faraday, instead of copy-pasting them into the Server.
For the moment, Faraday Addon is only available for Firefox Quantum. We are working on a stable Chrome release.
Download and install the latest release from the Firefox add-ons repository, or load it from source:
$ git clone https://github.com/infobyte/faraday_addon.git
- In the Firefox address bar, open about:debugging.
- Click the Load Temporary Add-on button.
- Select the manifest.json file inside the directory where you cloned Faraday Addon.
First, authenticate to your Faraday Server.
Once logged in, go to Faraday Addon settings by clicking on its button and then on the settings button.
Now enter your Faraday Server's URL and click Connect. The URL must have the format [protocol]://[ip/domain]:[port]. If your settings are right, you should see your Workspaces. Select the Workspace you want and save your settings.
Faraday Addon also lets you set scopes using regular expressions, so that only matching requests are captured. For example, if you only want to capture every faradaysec.com subdomain:
Now you are ready to capture requests with Faraday Addon.
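As an added example (not the add-on's own code) of the scope filtering described above, the following filter applies a scope regular expression to each request's hostname so that only faradaysec.com and its subdomains are captured, and contrasts it with an unanchored pattern that also matches look-alike hosts. It assumes scopes are matched against the hostname, and the sample request URLs are constructed.

```javascript
// Added example, not Faraday Addon's own code. Assumption: scope patterns are
// applied to the request hostname; the add-on's exact matching rules are not
// described on this page.
function buildScope(patterns) {
  return patterns.map((p) => new RegExp(p, "i"));
}

// Return true when the request URL's hostname matches at least one scope pattern.
function inScope(url, scope) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return false; // unparsable URL: never capture it
  }
  return scope.some((re) => re.test(host));
}

// Keep only the requests that fall inside the configured scope.
function filterCaptured(urls, scope) {
  return urls.filter((u) => inScope(u, scope));
}

// Anchored pattern: faradaysec.com itself plus any of its subdomains, nothing else.
const FARADAY_SUBDOMAINS = buildScope(["^([a-z0-9-]+\\.)*faradaysec\\.com$"]);

// Unanchored pattern for comparison: it also matches hosts that merely contain
// the string, such as notfaradaysec.com or faradaysec.com.example.org.
const LOOSE = buildScope(["faradaysec\\.com"]);

// Constructed sample requests, as the add-on would see them in the browser.
const constructedRequests = [
  "https://www.faradaysec.com/login",
  "https://api.faradaysec.com/v1/users?id=1",
  "https://faradaysec.com/",
  "https://notfaradaysec.com/",
  "https://faradaysec.com.example.org/",
];

console.log(filterCaptured(constructedRequests, FARADAY_SUBDOMAINS)); // first three only
console.log(filterCaptured(constructedRequests, LOOSE).length);       // 5
```

Anchoring the pattern with ^ and $ is what keeps out-of-scope look-alike hosts from being captured and later reported as findings.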
Adding a vulnerability to Faraday
If you have configured everything correctly, you will see every request going through Faraday Addon. Imagine that you found an XSS and want to send it to Faraday. To create a new issue, click the icon next to the vulnerable request:
A form will pop up for you to fill in all the information about the issue. If you have previously uploaded Vulnerability Templates to Faraday, this process will be faster.
Once completed, send it to Faraday.