Index
Accept header, fingerprinting and, 250–252
ActionScript, 401
ActiveFax exploitation
IPE (Inter-protocol Exploitation), 574–579
ActiveX, 372
plugins, 403
VLC, media plugin attacks, 410–413
addEventListener( ) function, 188
add-ons, versus extensions, 313
Adobe Flash, SOP, bypassing, 141–142
Adobe Reader, SOP, bypassing, 140–141
AJAX
MitB (Man-in-the-Browser) techniques, 104–110
non-AJAX requests, hijacking, 107–110
Allow-Access-From-Origin:, 596
Android phones, scheme abuse, 281–283
Android Web Market XSS flaw, 33
anonymization, bypassing, 231–234
anonymous functions, 83
applets
Java
ARP (Address Resolution Protocol), spoofing, 64–70
attachApplet( ) function, 530
attachEvent( ) function, 188
extensions, 19
rate of change, 18
attacks
extensions, 26
networks, 27
plugins, 27
users, 26
web applications, 27
XSS (Cross-Site Scripting), 32–33
Attempt Change button, 269–270
authentication
pre-authentication RCe, 503–504
authentication detection, web app attacks, 436–440
AVM (ActionScript Virtual Machine), 401
avpop( ) function, 215
B
background page, extensions, 325
baiting for phishing attacks, 57–58
Base64 encoding, detection evasion, 111–113
BeEF (Browser Exploitation Framework), 46
changeFavicon( ) method, 186
Get System Info, 517
Tunneling Proxy, 152
ActiveFax exploitation, 590–592
beef.browser.changeFavicon( ) function, 198–199
beef.browser.hoodChildFrames( ) function, 196–197
beef.logger.keypress( ) function, 190
beef.logger.push_stream( ) function, 191
beef.logger.submit( ) function, 195–196
beef.net.send( ) function, 191
beef.net.send( ) method, 184–185
begin_countdown function, 198–199
BHOs (Browser Helper Objects), 330–331
bind shell communications, IPC and, 554–558
Blink, 7
Bracket Expansion feature, IPE (Inter-protocol Exploitation), 569
browser APIs, 372
Browser Autopwn (Metasploit), 300–301
browser bugs, 249
browser events, persistence and, 98–101
browser hacking methodology, 22–28
browser history
SOP bypassing
browsers
attacking, 26
bug bounties, 248
bugs, fingerprinting and, 258
bypassing Click to Play, 382–388
bypassing cookie protections, 260
attributes
Expires, 263
path attribute restrictions, 265–267
Set-Cookie response header, 261–262
tracking with cookies, 270–271
bypassing HTTPS
certificates
fake, 276
JavaScript
bypassing port banning, 532–537
bypassing sandbox, Java plugins, 395
bypassing SOP
browser history and
Silverlight, 142
UI redressing attacks and, 153–154
C
caching
exploiting, 72
timing, SOP bypass and, 172–175
calling plugins, Click to Play, 374–376
CAPTCHA, fake windows, 206–208
CBC (Cipher-Block-Chaining) encryption mode, 227–278
CDNs (Content Delivery Networks), 239
CERT/CC (Computer Emergency Response Team Coordination Center), 33
certificates
fake, 276
changeFavicon( ) method, 186
checkComplete( ) function, 463, 522
Chrome
AdBlock extension, 353
Developer mode, 322
background page, 325
CSP (Content Security Policy), 329–330
Isolated Worlds, 327
match patterns, 327
NPAPI plugins, 326
UI pages, 325
Web Store, 328
modeless dialogs and, 205
Web Store, extensions, 328
Chrome Developer Tools window, 322
chrome:// scheme, 5
_c.killClippy( ) function, 222
Clickjacking
clickLink( ) function, 103
client-server model, 4
closures, 81
cloud, SOP, bypassing, 149–150
commands
netstat, 590
communication techniques, 79–80
CORS (cross-origin resource sharing), 83–84
DNS tunnel communication, 89–95
XMLHttpRequest object, polling and, 80–83
compromised web applications, 46
concurrency, web workers and, 11
Connection header, fingerprinting and, 250
contact harvesting, 54
content
retrieving from cross-origin, 136
Content-Type header, 373
control
encrypted communication, 20–21
surrenduring, 20
TCP protocol control, 20
converting, variables to strings, 184
cookiejar file, 262
cookies
non-cookie session tracking, 230–231
protection bypass, 260
path attribute restrictions, 265–267
Set-Cookie response header, 261–262
tracking with cookies, 270–271
secure cookie flag, 13
theft, XSS and, 475
_c.openBubble( ) function, 222
CORS (cross-origin Resource sharing), 9–10, 83–84
cr-gpg Chrome extension, 360–361
cross-origin requests, web app attacks, 422
preflight requests, 425
Cross-site Scripting, 6
Reflected Cross-site Scripting, 15
CSP (Content Security Policy), 13, 329–330
CSS (cascading style sheets), 6
colors, SOP bypass and, 170–171
D
DDoS (Distributed Denial-of-Service) attacks, hooked browsers, 489–493
decode_whitespace function, 114
default deny, 606
detachApplet( ) function, 530
detection
internal domain name enumeration, 427–429
intranet device IP addresses, web app attacks and, 426–427
plugins
resources, 447
detection evasion
encoding
non-alphanumeric JavaScript, 115–116
obfuscation, 116
JavaScript engine quirks, 124–125
object notation mixing, 119–120
Developer mode, Chrome, 322
Diminutive XSS Worm Replication Contest, 42–43
DirBuster, 446
displayPhishingSite( ) function, 212
distributed port scanning, 539–542
<div> elements, invisible, 333
DNS requests, forcing, 233
DNS tunnel communication, 89–95
document.domain property, 131
documents, embedding, overlay IFrame, 98
DOM (document object model), 7
event handlers, XCS and, 354–355
domain names, internal, enumeration, 427–429
DoS (Denial-of-Service) attacks
parseDouble( ) function, 488–489
web app attacks, pinch points, 487–489
drag&drop, SOP bypassing and, 167–170
E
EFF (Electronic Frontier Foundation), 230
embedded device command execution
pre-authentication RCE, 502–504
embedding documents, overlay IFrame, 98
EM-WebSocket, 85
encoding, detection evasion
non-alphanumeric JavaScript, 115–116
encrypted communication, 20–21
encryption, JavaScript attacks, 283–286
event flows
events
attachEvent( ) function, 188
focus, input capture and, 188–189
keyboard, input capture and, 190–192
keydown, 190
keypress, 190
keyup, 190
mousedown, 194
mouseenter, 194
mouseleave, 194
mousemove, 194
mouseout, 194
mouseover, 194
mouseup, 194
pointer, input capture, 192–195
HTTP headers
CSP (Content Security Policy), 13
HttpOnly flag, 13
secure cookie flag, 13
strict-transport-security, 14
X-content-type-options, 14
X-Frame-Options, 14
execute_commands( ) function, 82–83
exec_wrapper( ), 81
Expires attribute, 263
exploiting
caching, 72
Extended HTML Form attack, 533–534
extension attacks, 26
background page, 325
CSP (Content Security Policy), 329–330
Isolated Worlds, 327
match patterns, 327
NPAPI plugins, 326
UI pages, 325
Web Store, 328
fingerprinting
XBL and, 317
XUL and, 317
XCS (Cross-context Scripting), 339–355
extensions, 311
versus add-ons, 313
IE (Internet Explorer), 330–331
Internet zone, 314
privileged browser zone, 314
external security
perimeter, 22
EXTRACT exploitation, IPE (Inter-protocol Exploitation), 569
F
fake software updates, 213–221
fetch function, 109
fetchOnclick function, 109
field testing, 606
FIFO (Fast In First Out), 83
file formats, plugins, 373
file:// scheme, 5
filters, evasion, XSS and, 468–469
findClass( ) method, 395
bugs, 258
extensions
plugins
finish( ) function, 463
fireAppletSSV Validation( ) method, 385–386
Firebug, fingerprinting extensions, 334–335
Firefox
XBL and, 317
XUL and, 317
jemalloc, heap exploitation and, 287–288
JRE (Java Runtime Environment), 375
memory, heap exploitation and, 288–289
remote command execution, 356–359
Firefox Extension Dropper, 219
firewalls, WAF (Web Application Firewalls), 44
Firmware Modification Kit, 506
firmware replacement RCe, 504–508
Flash
Clickjacking, 241
plugins
ActionScript, 401
fuzzing, 403
FlexPolicyServer.java class, 484–485
focus events, input capture and, 188–189
form events, input capturing, 195–196
functions
addEventListener( ), 188
anonymous, 83
attachApplet( ), 530
attachEvent( ), 188
avpop( ), 215
beef.browser.changeFavicon( ), 198–199
beef.browser.hoodChild Frames( ), 196–197
beef.logger.keypress( ), 190
beef.logger.push_stream( ), 191
beef.logger.submit( ), 195–196
beef.net.send( ), 191
_c.killClippy( ), 222
clickLink( ), 103
_c.openBubble( ), 222
decode_whitespace, 114
detachApplet( ), 530
displayPhishing Site( ), 212
DoS (Denial-of-Service) attacks
fetch, 109
fetchOnclick, 109
finish( ), 463
getAliveHosts( ), 530
getComputedStyle, 230
grayOut( ), 214
isSameOrigin( ), 447
loadpopunder( ), 206
log( ), 485
logoutGoogle( ), 212
onBeforeSend Headers, 332
overriding, JavaScript, 285–286
parseFromString( ), 449
performComplicated Background Function( ), 198–199
poll( ), 81
pop( ), 81
populate_global_vectors( ), 454–455
post_msg( ), 87
receiveMessage( ), 87
redirect_to_malware( ), 117
redirect_to_site( ), 117
sendAsBinary( ), 500–501, 553–554
setInterval( ), 111–113, 120–121
setRequestHeader, 332
setTimeout( ), 111–113, 120–121
stopPropagation( ), 100
swfobject.embedSWF( ), 236–237
timer( ), 121
whitespace_encode( ), 113
window.stop( ), 522
fuzzing, Flash, 403
G
geolocation, 9
Get Physical Location module, 233–234
Get Stored Credentials module, 236
getAliveHosts( ) function, 530
getAllLogins( ) method, 318
getComputedStyle function, 230
getFormActions( ) function, 448–450
getHostAddress( ) method, 515–516
getHostName( ) method, 515–516
getInfo( ) method, 135
getLinks( ) function, 447, 448–450
getLocalAddress( ) method, 515–516
Golden Hour of Phishing Attacks, 58
Google, Safe Browsing API, 58–59
Google Analytics Opt-out Browser, 313
grayOut( ) function, 214
Groovy Shell Server exploitation, 568–569
H
handshake, SDP (Session Discovery Protocol) and, 518
heap exploitation, JavaScript
heap spraying, 289
Hidden Service Protocol, 231
history manipulation, 11
DDoS (Distributed Denial-of-Service) attackas, 489–493
internal IP, network attacks and, 514–519
subnet, network attacks and, 520–523
HTAs (HTML Applications), tricks, 215–216
HTML (HyperText Markup Language), 5
HTML5, 10
HTTP (Hypertext Transport Protocol), downgrading to, 272–276
HTTP headers, 5
CSP (Content Security Policy), 13
HttpOnly flag, 13
secure cookie flag, 13
size calculation, IPE and, 565–567
strict-transport-security, 14
X-content-type-options, 14
X-Frame-Options, 14
HTTPS, bypassing
certificate validation flaws, 276–227
fake certificates, 276
I
ICE (Interactive Connectivity Establishment) framework, 518–519
IE (Internet Explorer), extensions, 330–331
IFrames
sandboxing, 16
IMAP exploitation
IPE (Inter-protocol Exploitation), 569–574
IMEI (International Mobile Station Equipment Identity), 281–283
IMG tags, port scanning and, 537–539
Immunity/WinDBG debugger plugin, 577
impersonating extensions, 336–339
initAppletAdapter( ) method, 385
Initiating Control phase, 31
compromised web applications, 46
hooking, 32
MitM (Man-in-the-Middle) attacks, 59–60
exploiting caching, 72
MitB (Man-in-the-Browser) attack, 60–61
social engineering attacks, 47–48
XSS (Cross-Site Scripting) attacks, 32–33
Stored (Persistent) XSS, 33, 35–37
innerHTML property, 184
internal domain name enumeration, 427–429
Internet Explorer
addEventListener( ) function, 188
modeless dialogs and, 205
Internet zone, 314
intranets, device IP address detection, 426–427
IP addresses
internal, hooked browsers, 514–519
intranet devices, detection, 426–427
IPC (Inter-protocol Communication), 513
data encapsulation and, 553–554
error tolerance, 552
fingerprinting non-HTTP services, 544
IRC example, 559
printer service example, 559–562
ipc_posix_window, 556
IPE (Inter-protocol Exploitation), 513
HTTP header size calculation, 565–567
Isolated Worlds (Chrome), 327
isSameOrigin( ) function, 447
J
Java
cross-origin requests, 134–137
plugins
sandbox bypass, 395
JavaScript, 6
closures, 81
heap exploitation
non-alphanumeric, detection evasion and, 115–116
obfuscation and engine quirks, 124–125
PDFs
JBoss, JMX remote command execution, 495–497
JD-GUI, 391
jemalloc heap (Firefox), 287–288
Jikto, 42
JMX (Java Management Extensions Console), remote command execution, 495–497
JNLP (Java Network Launching Protocol), 386
jQuery, event handling, 188–189
JRE (Java Runtime Environment), 375
JVM (Java Virtual Machine), 389
K
KARMA suite, 64
key values, W3C specifications, 191
keyboard events, input capture and, 190–192
keydown event, 190
keypress event, 190
keyup event, 190
kill bits, ActiveX plugins, 376
L
LastPass password manager, 333–334
impersonating extension, 337–339
layout engines, 7. See also rendering engines; web browser engines
LIFO (Last In First Out), 83
Linux, DNS poisoning, 71
loadpopunder( ) function, 206
local storage, 9
log( ) function, 485
login manager, Firefox, 318–320
logoutGoogle( ) function, 212
M
m0n0wall, remote command execution, 501–502
MAC address filtering, wireless attacks, 62
makeFile( ) method, 320
Malicious.class applet, 375
malware, 16
manifest.json file
fingerprinting extensions, 335–336
markup languages
HTML (HyperText Markup Language), 5
SGML (Standard Generalized Markup Language), 5
XML (eXtensible Markup Language), 6
match patterns, Chrome, 327
MC-WorX ActiveX plugin, 404
media plugins
resource scanning, VLC and, 410–413
memory management, JavaScript, heap exploitation, 286–287
ActiveX exploit, 405
methodology, browser hacking, 22–28
methods
changeFavicon( ), 186
findClass( ), 395
fireApplet SSVValidation( ), 385–386
getAllLogins( ), 318
getInfo( ), 135
initAppletAdapter( ), 385
makeFile( ), 320
performSSV Validation( ), 386–387
toString( ), 184
window.open( ), 102
microphone
MitB (Man-in-the-Browser) attack, 60–61
versus MitM (Man-in-the-Middle) attacks, 105
MitM (Man-in-the-Middle) attacks, 59–60
exploiting caching, 72
MitB (Man-in-the-Browser) attack, 60–61
versus MitB (Man-in-the-Browser) attacks, 105
XCS (Cross-context Scripting), 339–344
mixed content, 17
modal notifications, user attacks and, 204–223
mouse events, input capture, 192–195
mousedown event, 194
mouseenter event, 194
mouseleave event, 194
mousemove event, 194
mouseout event, 194
mouseover event, 194
mouseup event, 194
N
netstat command, 590
NetStream class, 402
ActiveFAX exploitation, 590–592
Extended HTML Form attack, 533–534
IPE (Inter-protocol Exploitation), 564–565
HTTP header size calculation, 565–567
non-HTTP services
ping sweeping
target identification
internal IP of hooked browser, 514–519
subnet of hooked browser, 520–523
non-cookie session tracking, 230–231
notation, mixing, obfuscation and, 119–120
NPAPI (Netscape Plugin Application Programming Interface), 372
Chrome extensions and, 326
nsIFileOutputStream interface, 319
nsILocalFile interface, 320
nsILoginManager interface, 318
nsIProcess interface, 320
O
Oberheide, Jon, 33
obfuscation
detection evasion, 116
JavaScript engine quirks, 124–125
object notation mixing, 119–120
onBeforeSendHeaders function, 332
Opera, SOP, bypassing, 145–149
Oracle, padding attacks, 278
OS, commands
OS X, DNS poisoning, 71
OSI model, Application Layer, 513
P
PacketFu library, 68
padding Oracle attacks, 278
parseDouble( ) function, 488–489
parseFromString( ) function, 449
password manager attacks, 234–236
impersonating extension, 337–339
passwords, reset, XSRF, 443–444
PDF readers, plugins, JavaScript in PDFs, 408–410
perform Complicated Background Function( ) function, 198–199
performSSVValidation( ) method, 386–387
persistence
detection evasion, 110
MitB (man-in-the-browser) attacks, 104–110
Persistent XSS. See Stored (Persistent) XSS
bouncer phishing kit, 59
definition, 47
Golden Hour of Phishing Attacks, 58
whaling, 48
pinch points, web app attacks, 487–489
ping sweeping
plugin attacks, 27
ActiveX controls, 403
browser API, 372
calling, Click to Play, 374–376
Click to Play, bypassing, 382–388
fingerprinting
Flash
ActionScript, 401
fuzzing, 403
Java
sandbox bypass, 395
kill bits, 376
media
resource scanning, VLC and, 410–413
PDF readers, JavaScript in PDFs, 408–410
script API, 372
Plugin2Manager class, 385
PluginDetect framework, 379–380
plugins, 372
extensions comparison, 372–373
file formats, 373
standard programs comparison, 374
pointer events, input capture, 192–195
poll( ) function, 81
polling, 79
pop( ) function, 81
populate_global_vectors( ) function, 454–455
pop-under windows, 101–104, 205–206
port banning, bypassing, 532–537
Port Scanner module, 540
Postel's Law, 21
postMessage( ) function, 491–492, 527
post_msg( ) function, 87
pre-authentication RCE, 503–504
preflight requests, web app attacks, 425
Presto, 8
non-cookie session tracking, 230–231
private browsing, 229
Internet zone, 314
privileged browser zone, 314
properties, DOM, fingerprinting and, 253–258
proxies
PsyBot, 504
Q
QR (Quick Response) codes, 57–58
quirks
enumerating, web app attacks and, 422–425
R
ranges array, 521
RCE (Remote Command Execution), 493
embedded device
pre-authentication RCE, 503–504
JMX (Java Management Extensions Console), 495–497
receiveMessage( ) function, 87
redirect_to_malware( ) function, 117
redirect_to_site( ) function, 117
Reflected Cross-site Scripting, 15
remote command execution, Firefox example, 356–359
rendering engines, 7. See also layout engines; web browser engines
Presto, 8
WebKit, 7
Replace HREFS (HTTPS) folder, 275
requests
web app attacks, 447
Retaining Control phase
Retaining Communication, 77
communication techniques, 79–95
Retaining Persistence, 77
MitB (man-in-the-browser) attacks, 104–110
Robustness Principle, 21
rogue access points, 64
RTCPeerConnection, 518
S
Safari, SOP, bypassing, 143–144
Samsung Galaxy, scheme abuse, 281–283
sandbox bypass, 15
Java plugins, 395
sandboxing, 15
IFrame sandboxing, 16
script APIs, 372
scripting
Cross-site Scripting, 6
JavaScript, 6
SDP (Session Discovery Protocol), handshake and, 518
secure cookie flag, 13
security
CSP (Content Security Policy), 329–330
security mode, Firefox, 320–321
security model, Chrome extensions, 326–330
sendAsBinary( ) function, 500–501, 553–554
session storage, 9
SET (Social-Engineer Toolkit), 52
setInterval( ) function, 111–113, 120–121
setRequestHeader function, 332
setTimeout( ) function, 111–113, 120–121
SGML (Standard Generalized Markup Language), 5
Shank tool, 68
Shellcoder's Handbook, 12
Sidejacking attacks, cookies, 271–272
signedAppletCmdExec class, 392–393
Silverlight, SOP, bypassing, 142
social engineering attacks, 47–48, 197–198
phishing attacks
spear phishing, 48
whaling, 48
SET (Social-Engineer Toolkit), 52
UI expectations
fake software updates, 213–221
SOE (Standard Operating Environment), 2
software
SOP (Same Origin Policy), 4–5, 21
Silverlight, 142
UI redressing attacks and, 153–170
local storage, 9
overview, 130
purpose, 129
UI redressing and, 133
violation error, 138
SPAM, definition, 47
spawnWorkers( ) function, 463–465
sp_configure( ) stored procedure, 456
spear phishing, 47
spearhead phishing, 48
SPF (Sender Policy Framework), 52
spoofing, ARP Spoofing, 272–273
SQLi (SQL injection vulnerabilities), 450–465
SSID (service set identifier), wireless attacks, 61
SSL (Secure Socket Layer), 227
sslstrip tool, 68
SSL/TLS layer attacks, 227–278
static IP filtering, wireless attacks, 62
stopPropagation( ) function, 100
storage, 9
local storage, 9
session storage, 9
Stored (Persistent) XSS, 33, 35–37, 465
strict-transport-security, 14
strings, variables, converting, 184
STUN (Session Traversal Utilities for NAT), 518
swfobject.embedSWF( ) function, 236–237
T
TCP protocol, control, 20
tel: handler, 279
time delays, obfuscation and, 120–121
timer( ) function, 121
TLS (Transport Layer Security), 227
Tor network
toString( ) method, 184
TrixBox exploitation, BeEF bind, 590–592
Tunneling Proxy, 152
TURN (Traversal Using Relays around NAT), 518
U
UA header, 249
UAF (Use After Free) vulnerability, Firefox, 289–293
UI pages, Chome, 325
UI redressing
SOP and, 133
Unix, DNS poisoning, 71
updates, software, fake, 213–221
URIs
chrome:// zone, 321
user attacks, 26
non-cookie session tracking, 230–231
social engineering lure, 197–198
User-Agent header, fingerprinting and, 250
USSD (Unstructured Supplementary Service Data), 281–283
UXSS (Universal XSS), JavaScript in PDFs, 408–409
V
validation, certificates, 276–227
variables
converting to strings, 184
Diminutive XSS Worm Replication Contest, 42–43
Jikto, 42
VLC (ActiveX), media plugin attacks, 410–413
VLC MMS Stream Handling Buffer Overflow, 413–415
detection
SQLi (SQL injection vulnerabilities), 450–465
XSS (cross-site scripting), 465–469
RCE (Remote Command Execution), 493
W
WAF (Web Application Firewalls), 44
authentication detection, 436–440
cross-origin requests, 422
preflight requests, 425
detection
internal domain name enumeration, 427–429
intranet device IP addresses, 426–427
DoS attacks
DDoS (Distributed Denial-of-Service) attack, 489–493
parseDouble( ) function, 488–489
exploit launching
embedded device command execution, 502–508
Glassfish remote command execution, 497–501
JBoss JMX remote command execution, 495–497
m0n0wall remote command execution, 501–502
fingerprinting, 429
requesting known resources, 430–436
vulnerability detection
SQLi (SQL injection vulnerabilities), 450–465
XSS (cross-site scripting), 465–469
XSRF (Cross-site Request Forgery) and, 440–443
password reset attack, 443–444
Web Application
Hacker's Handbook, 4
web applications
attacking, 27
compromised, 46
web browser, client-server model, 4
web browser engines, 7. See also layout engines; rendering engines
web server, application and, 4
web shell, BeEF bind as, 596–599
web workers, 11
webcam
Webcam Permission Check module, 236–237
WebKit, 7
WebRTC, 11
peer-to-peer connections, 517–518
WebRTC (Web Real Time Communications), 239
WEP, wireless attacks, 62
whaling, 48
whitespace_encode( ) function, 113
window.open( ) method, 102
window.stop( ) function, 522
MAC address filtering, 62
rogue access points, 64
SSID hiding, 61
static IP filtering, 62
WEP, 62
WPA/WPA2, 63
WPA/WPA2, wireless attacks, 63
XYZ
XBL (XML Binding Language), Firefox, extensions, 317
XCS (Cross-context Scripting), 339
XSRF (Cross-site Request Forgery), 352–354
X-Frame-Options, 14
XML (eXtensible Markup Language), 6
XMLHttpRequest, 10
sendAsBinary( ) method, 553–554
XMLHttpRequest object, polling and, 80–83
xp_cmdshell( ) stored procedure, 456
XPCOM (Cross Platform Component Object Model) API, Firefox, 317–318
login manager, 318
operating system command execution, 320
reading from filesystem, 319
writing to filesystem, 319–320
XSRF (Cross-site Request Forgery), 352–354
password reset attack, 443–444
XSS (Cross-Site Scripting) attacks, 32–33
cookie theft, 475
Stored (Persistent) XSS, 33, 35–37
vulnerability detection
XSS Tunnel, 152
XUL (XML User Interface Language), Firefox, extensions, 317