Recently I have been pointed to a blog post regarding HconSTF,
The main point being that, prebuilt frameworks based on browsers are useless and some arguments/reasons provided to that regard are,
From the blog post:
The major issues that faced Hcon STF are the following:
1. Is not frequently updated
Project has not been updated for years.
The latest version of Hcon STF has been released in April 2013.
This is the main reason that it can be hacked as shown earlier.
2. Plugins are not its latest version
Since project is not well-updated, plugins are also not in its latest version.
3. Project is full of unneeded additions
There are many additions are that these projects provide,
Which are not necessary at all, and is not being used in real-life penetration tests.
Now let’s talk about the real insights, shall we ? Above all, first and foremost it’s NOT 'Hcon STF' but it is 'HconSTF'
Now let’s start with understanding the concept behind HconSTF and why it exists
The whole idea is same as having a penetration testing oriented custom linux distribution like kali linux, In short a base OS, tools, repository, themeing, scripts, modifications, and branding. Why? Because everything is readily available and prepared so you don’t have to! Plethora of tools, more focus on the penetration testing aspect then other. The same goes with HconSTF a base browser, tools = extensions, repository = updates database, themeing, scripts = greasemonky+imacros+js, modifications and branding.
Why? Everything readily available and prepacked, plethora of tools, modifications for enhancement.
It’s more than just a penetration testing browser or just a browser with some extensions added. As it has search aggregator, IDB - plethora of attack payloads, custom enhancements for security related tasks and much more.
HconSTF is far more feature rich and powerful then other projects/products in same category.
Now let’s come to the points by the blog post regarding HconSTF
1. Is not frequently updated
Yes, I agree on that as the base browser is bit old as firefox 17 some reasons being,
On my side:
Its huge project to maintain when you see the amount of things HconSTF 0.5 provides out of the box.
There is progress for the new 0.6 XLR8 but it’s slow as I am "the only one running the show"
On Firefox side:
The new rapid development model of Firefox, which changes more of the core each release
The australis user interface, very limited when it comes to customizations and Firefox menu
So what’s the solution to speed up the HconSTF releases? Contribute back to the project by ideas, testing and giving feedback, suggest tools/scripts/ and more that you use which can be useful to the community.
2. Plugins are not its latest version
First this are not plugins as plugins are external components from other system installed applications such as adobe flash, java etc
This are extensions/add-ons of the browser to add a functionality or feature
We can categorize the available add-ons in HconSTF in 3 categories
1. Maintained and available in the official add-ons site addons.mozilla.org
2. Un-maintained and available in the official add-ons site addons.mozilla.org
3. External not available on the add-ons site and separately maintained by me
So to make this very clear, all the add-ons which are maintained and updated by the authors on addons.mozilla.org are automatically updated so when there is a new update available on the official site you get the same on HconSTF same as getting tools updates on kali linux
As HconSTF uses the same add-ons updates repository as Firefox, addons.mozilla.org
So the 1st and 2nd category add-ons are covered by official add-ons site of Firefox
The 3rd category has only 2-3 add-ons which are not available on official add-ons site and are updated with each new release of HconSTF.
So in contrary to what the blog says the addons in HconSTF are always updated
On a side note this same has been covered in the HconSTF Help Manual, so what you really need is to read and test before writing
3. Project is full of unneeded additions
One should understand that HconSTF is not only limited to webapp pentesting or bug hunting but it’s an all in one tool to aid in many phases of penetration testing assignment. Like web malware analysis, OSINT, and more. So the idea is same kali linux as having all the tools available on a single platform and if you don’t need certain set of tools you can remove them from HconSTF it is very simple.
Just open up ‘H menu’ -> settings -> add-ons and remove the one that you don’t need. But as a project we will continue to add more add-ons/tools/scripts to make it more feature rich and the end user have full control of what he/she wants to remove from or add to HconSTF.
So it is totally WRONG to say that HconSTF is full of unneeded additions or as such.
I am not against criticism but a one without testing HconSTF or having the idea clear enough is not at all accepted.
have questions ? comments ? write it in the comments below
The main point being that, prebuilt frameworks based on browsers are useless and some arguments/reasons provided to that regard are,
From the blog post:
The major issues that faced Hcon STF are the following:
1. Is not frequently updated
Project has not been updated for years.
The latest version of Hcon STF has been released in April 2013.
This is the main reason that it can be hacked as shown earlier.
2. Plugins are not its latest version
Since project is not well-updated, plugins are also not in its latest version.
3. Project is full of unneeded additions
There are many additions are that these projects provide,
Which are not necessary at all, and is not being used in real-life penetration tests.
Now let’s talk about the real insights, shall we ? Above all, first and foremost it’s NOT 'Hcon STF' but it is 'HconSTF'
Now let’s start with understanding the concept behind HconSTF and why it exists
The whole idea is same as having a penetration testing oriented custom linux distribution like kali linux, In short a base OS, tools, repository, themeing, scripts, modifications, and branding. Why? Because everything is readily available and prepared so you don’t have to! Plethora of tools, more focus on the penetration testing aspect then other. The same goes with HconSTF a base browser, tools = extensions, repository = updates database, themeing, scripts = greasemonky+imacros+js, modifications and branding.
Why? Everything readily available and prepacked, plethora of tools, modifications for enhancement.
It’s more than just a penetration testing browser or just a browser with some extensions added. As it has search aggregator, IDB - plethora of attack payloads, custom enhancements for security related tasks and much more.
HconSTF is far more feature rich and powerful then other projects/products in same category.
Now let’s come to the points by the blog post regarding HconSTF
1. Is not frequently updated
Yes, I agree on that as the base browser is bit old as firefox 17 some reasons being,
On my side:
Its huge project to maintain when you see the amount of things HconSTF 0.5 provides out of the box.
There is progress for the new 0.6 XLR8 but it’s slow as I am "the only one running the show"
On Firefox side:
The new rapid development model of Firefox, which changes more of the core each release
The australis user interface, very limited when it comes to customizations and Firefox menu
So what’s the solution to speed up the HconSTF releases? Contribute back to the project by ideas, testing and giving feedback, suggest tools/scripts/ and more that you use which can be useful to the community.
2. Plugins are not its latest version
First this are not plugins as plugins are external components from other system installed applications such as adobe flash, java etc
This are extensions/add-ons of the browser to add a functionality or feature
We can categorize the available add-ons in HconSTF in 3 categories
1. Maintained and available in the official add-ons site addons.mozilla.org
2. Un-maintained and available in the official add-ons site addons.mozilla.org
3. External not available on the add-ons site and separately maintained by me
So to make this very clear, all the add-ons which are maintained and updated by the authors on addons.mozilla.org are automatically updated so when there is a new update available on the official site you get the same on HconSTF same as getting tools updates on kali linux
As HconSTF uses the same add-ons updates repository as Firefox, addons.mozilla.org
So the 1st and 2nd category add-ons are covered by official add-ons site of Firefox
The 3rd category has only 2-3 add-ons which are not available on official add-ons site and are updated with each new release of HconSTF.
So in contrary to what the blog says the addons in HconSTF are always updated
On a side note this same has been covered in the HconSTF Help Manual, so what you really need is to read and test before writing
3. Project is full of unneeded additions
One should understand that HconSTF is not only limited to webapp pentesting or bug hunting but it’s an all in one tool to aid in many phases of penetration testing assignment. Like web malware analysis, OSINT, and more. So the idea is same kali linux as having all the tools available on a single platform and if you don’t need certain set of tools you can remove them from HconSTF it is very simple.
Just open up ‘H menu’ -> settings -> add-ons and remove the one that you don’t need. But as a project we will continue to add more add-ons/tools/scripts to make it more feature rich and the end user have full control of what he/she wants to remove from or add to HconSTF.
So it is totally WRONG to say that HconSTF is full of unneeded additions or as such.
I am not against criticism but a one without testing HconSTF or having the idea clear enough is not at all accepted.
have questions ? comments ? write it in the comments below