Hackability Inspector presented at AppSec Europe today

A new tool which can expose otherwise hidden vulnerabilities in browser objects was unveiled today at AppSec Europe, held in London.

Dubbed “dev tools for security”, the Hackability Inspector is the brainchild of researcher Gareth Heyes, who presented a talk to delegates on the final day of the show.

Heyes, who works for Burp Suite creator PortSwigger, said the toolkit is to be used in conjunction with the existing Hackability tool, which analyses the web attack surface of connecting clients to detect what technologies it supports.

He explained: “The kind of questions you want to answer are: is the same-origin policy enabled, is JavaScript employed, are there iframes or pdfs? You’ve no idea what this rendering engine does, so you use this Hackability tool to find out.

“The Hackability Inspector is the missing offensive dev toolkit for security researchers.”

While Hackability enables researchers to discover what is supported – for example iframes, JavaScript or Flash – Heyes noted that it can be challenging to view these objects if a site is rendering a page server-side.

Heyes told The Daily Swig: “The Inspector enumerates objects in JavaScript and lets you discover otherwise hidden properties.

“If you don’t have browser dev tools because a site is rendering a page in a different browser server-side, then it can be quite challenging to see what objects you have access to, and if the developer adds custom objects that might contain a vulnerability it can be difficult to discover that without the Inspector.”

In addition to this functionality, Hackability Inspector automatically searches for a number of vulnerabilities based on bugs previously discovered by Heyes.

These flaws include a Safari cross domain bug which allowed remote attackers to bypass the same-origin policy and access data from other domains via JavaScript that overwrites the innerHTML property of a cross origin body element.

Heyes explained: “It’s a lot like taking a magnifying glass and looking at the code. It’s a cool tool that enables you to find cool bugs – the Hackability Inspector is the missing tool focused just on security.

“It will find and show you the interesting stuff first and it will automatically run security tests on each of the objects.”

Users wanting to host the Inspector on their own server should head over to GitHub. A public version of the Inspector is also available.

Heyes concluded: “Before this tool existed it was a lot like life before dev tools – it was like having rocks and banging them against the computer, trying to get it to do what you want.”