Hackability Inspector presented at AppSec Europe today
A new tool which can expose otherwise hidden vulnerabilities in browser objects was unveiled today at AppSec Europe, held in London.
Dubbed “dev tools for security”, the Hackability Inspector is the brainchild of researcher Gareth Heyes, who presented a talk to delegates on the final day of the show.
Heyes, who works for Burp Suite creator PortSwigger, said the toolkit is to be used in conjunction with the existing Hackability tool, which analyses the web attack surface of a connecting client to detect what technologies it supports.
“The Hackability Inspector is the missing offensive dev toolkit for security researchers.”
“If you don’t have browser dev tools because a site is rendering a page in a different browser server-side, then it can be quite challenging to see what objects you have access to, and if the developer adds custom objects that might contain a vulnerability it can be difficult to discover that without the Inspector.”
In addition to this functionality, Hackability Inspector automatically searches for a number of vulnerabilities based on bugs previously discovered by Heyes.
Heyes explained: “It’s a lot like taking a magnifying glass and looking at the code. It’s a cool tool that enables you to find cool bugs – the Hackability Inspector is the missing tool focused just on security.
“It will find and show you the interesting stuff first and it will automatically run security tests on each of the objects.”
Users wanting to host the Inspector on their own server should head over to GitHub. A public version of the Inspector is also available.
Heyes concluded: “Before this tool existed it was a lot like life before dev tools – it was like having rocks and banging them against the computer, trying to get it to do what you want.”