Faraday Add-On

Faraday Addon is a simple add-on for automatically reporting vulnerabilities from the browser to your own Faraday instance. It intercepts every request the browser makes and lets you open any one of them and file it as a vulnerability. This way, a pentester only has to use the add-on to send potentially vulnerable requests to Faraday, instead of copy-pasting them into the server.

Compatibility

For the moment, Faraday Addon is only available for Firefox Quantum. We are working on a stable Chrome release.

Installation

For Users

Download and install the latest release from the Firefox add-ons repository:

Faraday Addon

For Developers

$ git clone https://github.com/infobyte/faraday_addon.git

  • In the Firefox address bar, type about:debugging.
  • Click the Load Temporary Add-on button.
  • Select the manifest.json file inside the directory you cloned Faraday Addon into.

Getting Started!

First, authenticate to your Faraday Server.

Once logged in, open the Faraday Addon settings by clicking its toolbar button and then the settings button.

Now add Faraday Server's URL and click on Connect. The URL must have this format: [protocol]://[ip/domain]:[port]. If your settings are right, you should see your Workspaces. Click the Workspace you want and save your settings.

Faraday Addon also lets you define scopes using regular expressions, so that only matching requests are captured. For example, to capture only faradaysec.com subdomains:

*.faradaysec.com
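Scope entries decide which intercepted requests leave the browser for the Faraday server, so an over-broad or invalid entry either forwards traffic you never meant to share or captures nothing. The following JavaScript is an added example, not the add-on's own code, and the page does not describe how the add-on parses scope strings; it assumes each entry is a plain JavaScript regular expression tested against the request hostname. Under that assumption a bare glob such as `*.faradaysec.com` is rejected by `RegExp` ("nothing to repeat"), so the block shows an anchored regex with the same intent beside an unanchored one, and how each behaves on a constructed set of URLs.

```javascript
// Added example (not the Faraday Add-On's own code): a scope filter that decides
// whether a captured request URL should be forwarded to Faraday.
// Assumption: scope entries are JavaScript regular expressions matched against
// the request's hostname.

// Compile scope entries up front so an invalid pattern is reported once,
// instead of silently matching nothing (or everything) at capture time.
function compileScopes(entries) {
  const compiled = [];
  const errors = [];
  for (const entry of entries) {
    try {
      compiled.push(new RegExp(entry, 'i'));
    } catch (e) {
      // A glob such as "*.faradaysec.com" is not a valid regex: "*" has nothing to repeat.
      errors.push({ entry, reason: e.message });
    }
  }
  return { compiled, errors };
}

// Returns true when the URL's hostname matches at least one compiled scope.
// Only the hostname is tested, so a path or query string cannot produce a match.
function isInScope(url, compiled) {
  let host;
  try {
    host = new URL(url).hostname;
  } catch (e) {
    return false; // unparsable URL: never forward it
  }
  return compiled.some((re) => re.test(host));
}

// Split a list of captured URLs into those that would be sent to Faraday and those dropped.
function filterCaptured(urls, entries) {
  const { compiled } = compileScopes(entries);
  const forwarded = [];
  const dropped = [];
  for (const u of urls) (isInScope(u, compiled) ? forwarded : dropped).push(u);
  return { forwarded, dropped };
}

// Constructed sample of URLs a browsing session might produce (not real traffic).
const SAMPLE_URLS = [
  'https://www.faradaysec.com/login',
  'https://api.faradaysec.com/v1/users?id=1',
  'https://faradaysec.com.example.net/other', // third-party host that merely contains the name
  'https://cdn.example.com/lib.js',
  'not a url',
];

// Anchored: the apex or any subdomain of faradaysec.com, and nothing else.
const ANCHORED_SCOPE = '^([a-z0-9-]+\\.)*faradaysec\\.com$';
// Unanchored: also matches any host that merely contains the string.
const LOOSE_SCOPE = 'faradaysec\\.com';

// Stand-alone usage: show what each scope style would forward.
console.log('invalid entries:', compileScopes(['*.faradaysec.com']).errors);
console.log('anchored:', filterCaptured(SAMPLE_URLS, [ANCHORED_SCOPE]));
console.log('loose:', filterCaptured(SAMPLE_URLS, [LOOSE_SCOPE]));
```

The point to check in your own scope list is the `forwarded` set under each pattern: the anchored scope forwards only the two real faradaysec.com hosts, while the loose one also forwards the third-party host, which means its request (headers included) would be sent to the Faraday server.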

Now you are ready to capture requests with Faraday Addon.

Adding a vulnerability to Faraday

If you have configured everything right, you will see every request going through Faraday Addon. Imagine that you found an XSS and you want to send it to Faraday. To create a new issue, click on the icon next to the vulnerable request:

A form will pop up for you to fill with all the information about the issue. If you have Vulnerability Templates previously uploaded to Faraday, this process will be faster.

Once completed, send it to Faraday.

