Firebug is an essential tool for every web developer. It allows to do many things such as script debugging, DOM manipulation etc. What happens though when it get’s to the hand of an experienced attacker? Then it could be used to exploit your site very easily!

How can you prevent that? Well, you can’t actually (or you can if you write secure code) because the source is already downloaded to the browser and anyone can do anything with that. But there is a way to make that process a little bit more trickier (attention: it’s still overridable but I won’t say how ?).

Just put the following code in your page and try to active firebug’s console

$(window).load(function() {setInterval(chkh, 5000);});
function chkh() {
    if (window.console && window.console.firebug) {
            var path = window.location.pathname;
            if(path!='/DenyAccess.html')
                window.location = '/DenyAccess.html';
    }
}

What the above script does is that it checks every five (5) seconds and if Firebug’s console is enabled, redirects the user to a page that perhaps prompts the user to disable Firebug’s console or what ever you think. Checking if a variable is defined every five or ten seconds isn’t a heavy process so the overhead is not big.

Do you think the above code can prevent anything? Then use it wisely!

I ‘m saying again that this code checks only for Firebug’s console. Other tabs like HTML, Dom, Script are active and functional.