Hackvertor and clickjacking


I’ve updated Hackvertor for the final time until the brand new version is ready. I thought I’d blog about it because it includes some interesting features from a security point of view.

HTML escape

The DOM inspector didn’t escape HTML when inspecting the DOM, this didn’t cause XSS because user interaction was need to actually execute the inspector but I fixed it anyway because I need to check some values when performing some javascript research.

Clickjacking protection

I’ve also added some Clickjacking/CSS Overlay/UI redressing/Insert Lame name here protection. It works by destroying the Hackvertor UI if it has been framed. I can do this because the vulnerability is that Hackvertor executes javascript and isn’t vulnerable to CSRF because there’s no server side action to perform 🙂

The code I’ve used is:-

if(top != self) {
   window.onload=function() {
     document.write('UI Redressing/Clickjacking/CSS Overlay/Latest Buzzword protection');

Inspect output improvements

Finally I’ve updated the inspect output button. This button is really handy when you need to traverse a object quickly and find “hidden” properties or relationships with other objects. It works by evaluating the output entered and running a bruteforce check on the object for properties between -10000 and 10000 as well as single characters. Why do this? Because it exposes some interesting browser quirks in Firefox and maybe others, originally it was inspired by DoctorDan’s discovery on sla.ckers that the reg exp object in Firefox contains a hidden property.

The format now looks nice and I’ve added native js properties to help with js hacking and XSS research. A sample of how it works can be found here:-

One Response to “Hackvertor and clickjacking”

  1. Vinícius K-Max writes:

    Yeah, good news!
    I love your Hackvertor 😉