18 October, 2018

Silencing Firefox's Chattiness for Web App Testing

Silencing Firefox's Chattiness for Web App Testing
Nathan Sweaney
Author: Nathan Sweaney
Share:
 

Firefox is one chatty browser! Even if you don’t actually use it for anything, it’s constantly making requests out to the internet for things like updates, checking network status, and sending telemetry data back to Mozilla. When using Firefox for web app testing, I’ve often noticed the constant stream of additional requests that get in the way. It’s possible to ignore them, but it turns out that it’s also really easy to disable most of that traffic.

Just for fun, I started Firefox with nothing but a blank page open and the proxy settings configure to pass through Burp Suite Pro. With absolutely no user interaction, the browser averages 200-300 requests per day. But that pales in comparison to the number of requests when you’re actually using the browser. If you regularly test with Firefox and Burp, then you’re familiar with the constant barrage of unwanted requests. Even if you’ve learned to use the scope limiting tools in Burp, that doesn’t help with proxy interception. The unwanted requests also greatly increase the size of the Burp project files.

After a recent test, I deleted all of customer-specific URLs that had been requested in Burp and then listed all of the Mozilla/Firefox-specific URLs. The following lists the domain requests that were found.

meme
So let’s do something about this. I did some searching on the listed URLs and perused through Firefox’s help section. It turns out that most, if not all, of these requests can be disabled.  With a few quick tweaks of the Firefox preferences & configuration, you can simplify your testing in the future.

Before we get to that though, there are a few important things to remember.

  • When you disable automatic updates, you have to update stuff on your own!
  • Remember that some flaws you find may be partially or wholly mitigated by the browser controls that you have disabled. Take that into consideration when determining actual risk.
  • Don’t use the browser for regular browsing. This is like taking the safety bracket off of your chainsaw. It makes things more efficient, but it’s much more dangerous.

One other thing, most of these settings are either part of the preferences or the hidden Firefox configurations.  You can access either by entering “about:preferences” or “about:config” into the URL bar at the top of Firefox. With that, here are the steps to clamp down on Firefox’s chattiness. These settings were verified in version 62.0.3. 

  1. Disable the “Firefox Home” page.
    • This will prevent the browser from loading informational tiles and links of interest when you open a new tab.
    • about:preferences -> Home tab -> New Windows and Tabs
      • Set both “Homepage and new Windows” and “New tabs” to “Blank Page.”

example 1

    • Alternatively, you can just disable the “Snippets” content on the default Firefox Home page.
      • about:config -> search for “browser.aboutHomeSnippets.updateUrl”
      • Double-click the setting and set the URL to a blank string.
  1. Disable Network Detection
    • This is the infamous DetectPortal url.  Disabling this will prevent the browser from trying to automatically detect whether the network connection requires you to login, like on a public WiFi hotspot.
    • about:config -> search for “network.captive-portal-service.enabled”
      • Double-click and set the value false
  2. Disable Automatic Browser Updates
    • This will prevent the browser from updating.
    • about:preferences -> General tab -> Firefox Updates
      • Select “Never check for updates”
      • Uncheck “Automatically update search engines”example 2
    • Note: I generally prefer to have the browser check for updates, so I usually leave it set to “Automatically install updates” but I do disable the search engine updates.
  3. Disable Automatic Add-on Updates
    • This will prevent add-ons you’ve installed from updating.
    • about:addons -> Click the gear menu icon on the top right.
      • Uncheck “Update Add-ons Automatically” if it’s checked.
      • Click “Reset All Add-ons to Update Manually”example 3
  4. Disable Blocklist Updates
    • This will prevent the browser from updating its list of malicious extensions, known vulnerable plugins, certificates that have been revoked, and graphics drivers with known issues.  
    • about:config -> search for “extensions.blocklist.enabled”
      • Double-click to set it to false.example 4
  5. Disable Malware Protection
    • This will prevent the browser from verifying the signature of applications before downloading a file and from downloading updates to the list of malware signatures.
    • about:preferences -> Privacy & Security tab -> Security
      • Uncheck “Block dangerous and deceptive content.”
    • about:config -> search for “browser.safebrowsing.downloads.remote.enabled”
      • Double-click to set it to false.example 5
  6. Disable Tracking Protection
    • Firefox monitors requests for known trackers and allows you to block them. Disabling this will prevent the browser from maintaining a list of known trackers to block.
    • about:preferences -> Privacy & Security tab -> Tracking Protection
      • Set to “Never” to disable.example 6
  7. Disable TLS/SSL Certificate Revocation Check
    • This will cause the browser to not check whether certificates have been revoked.
    • about:preferences -> Privacy & Security tab -> Certificates
      • Uncheck “Query OCSP responder servers to confirm the current validity of certificates”example 7
  8. Disable Link Prefetching
    • This will prevent the browser from prefetching resources that are linked on pages you’ve already loaded.
    • about:config -> search for “network.prefetch-next”
      • Double-click to set it to false.
  9. Disable DNS Prefetching
    • This will prevent the browser from prefetching DNS name resolution for domain names that it thinks you might request.
    • about:config -> search for “network.dns.disablePrefetch”
      • Double-click to set it to true.
  10. Disable Speculative Pre-Connections
    • This will prevent the browser from guessing what links you might click and pre-loading those resources.
    • about:config -> search for “network.http.speculative-parallel-limit
      • Double-click and set the value to 0.
  11. Disable Firefox Sync
    • This will prevent the browser from syncing your data across browsers. This is not enabled by default.
    • If you have signed into Sync at some point, simply disconnect from the Sync connection.example 8
  12. Disable GeoIP lookup.
    • This will prevent the browser from looking up your geographic location.
    • about:config -> search for “browser.search.geoip.url
      • Double-click and set the value to a blank string
  13. Disable the “What’s New” Page.
    • This will prevent the browser from showing the “What’s New” tab after the browser is restarted after an update.
    • about:config -> search for “browser.startup.homepage_override.mstone
      • Double-click and set the value to a “ignore.”
  14. Disable Add-on Recommendations
    • This will prevent the browser from creating custom recommendations for Add-ons that you might like.
    • about:config -> search for “extensions.getAddons.cache.enabled
      • Double-click and set the value false
  15. Disable Firefox Diagnostic data
    • This will prevent the browser from sending stuff like crash reports and telemetry data to Mozilla.  That’s probably a good idea anyway because 1) we don’t want customer data accidentally being sent, and 2) our usage isn’t standard browser usage anyway.
    • about:preferences -> Privacy & Security tab -> Firefox Data Collection and Use
      • Uncheck everything in this section.example 9
  16. Disable Survey Sampling
    • This will prevent the browser from randomly selecting you to take a user experience survey.
    • about:config -> search for “browser.selfsupport”
      • Double-click and set the value to false

That’s all there is to it.  Hopefully you find this helpful. Let me know in the comments if you have other suggested tweaks or configuration changes to limit these unwanted requests.

Join the professionally evil newsletter

Related Resources