I know that a lot of you may object, but this is how I see it, and there is nothing wrong with expressing what we strongly believe in.
The next generation of security tools will run from the browser.
And I am not referring to Web security tools only. I am talking about the whole nine yards, packed into easy-to-use modules. We are not going to ditch the command line, nor will we forget how to use other scripting platforms like Perl, Python and Ruby. They will all come together into the game in one form or another.
The reason I feel so strongly about this lies in my recent experience with improving upon Technika. After going through a great deal of pain, I realized that what I’ve come up with is something that can potentially save me a lot of trouble later in my work.
Technika is nothing more than a simple browser extension that adds another layer on top of Firefox in order to accommodate script-hungry fanatics, penetration testers, browser hackers, developers, security researchers, etc., etc., etc. The extension comes with a built-in scripting shell which supports several useful primitives: JavaScript command line evaluation, when the text is enclosed in ` (backticks); external and internal object referencing, when we use @ or @@; and of course the bash-like EOF primitive, when we want to feed more text into a single command.
After I was done with the pre-alpha 1.3 release, I started thinking about how this extension should really be used. For a moment, I questioned the actual benefit of having something like Technika – after all, I believe that the more diverse your toolkit is, the better job you can do. These doubts soon disappeared when I remembered HD’s efforts to port Metasploit to the iPhone. I thought for a second about how I would have approached the task. I thought about other platforms such as Symbian and what technical implications there will be if we want to run something as versatile as Metasploit.
The more I thought about it, the more I realized that you need more than a few developers in order to make this project thoroughly cross-platform. It is not just that someone needs to port Perl or Ruby; you also have to work around the technical limitations of the framework, not to mention the fact that the user interface also matters – the command line simply does not work that well when it comes to mobile interfaces, while the web interface needs to be configured to run as smoothly as possible, and let’s not forget about all the power-related issues.
Then I jumped in a completely different direction. Not that long ago, Mozilla announced that they are thinking about a mobile version of Firefox. I am quite pleased with this news. Essentially, this means that sooner or later I will be able to run all my browser extensions, including Technika, from my phone. The more versatile my browser toolkit is, the more security/hacking/pentesting functionality I will be able to pack. This is nothing but excellent news. Wait, but there is more. I don’t remember the source, but I’ve read that some hardware manufacturer ships their BIOSes with an integrated Firefox browser. The browser still runs on top of a Linux microkernel, but it is almost instant to get it up and running. Wait a second! Does that mean that the browser becomes almost like an OS, and the kernel/OS platform it runs on is simply there to make the browser work? The nature of the Web just adds even more to it – the knowledge of the Universe at your fingertips.
I know that this is yet another abstraction layer which we can easily live without, but the further we go from the kernel, the easier it becomes for the user. This is applicable to the hacker/pentester as well. I am not saying that we will never mess around with the system internals; on the contrary, we will continue doing that just because we will have to. But when it comes to coding a tool, you might want to consider the platform you are writing it for. If you choose the right platform, your tool may gain incredible success. On the other hand, if you choose the wrong platform, your tool will simply become another proof of concept.
When it comes to developing Firefox extensions, you have to deal with XPCOM, which is a pain. It is more painful than anything seen, but the end result is more than satisfactory. The components simply work. The entire Mozilla platform is designed to work from scratch, no matter what the OS is. It does not only work, but also provides great facilities to mess around with technologies such as XML, RDF, CSS, SOAP, HTTP, etc., etc., etc. I don’t believe that there is any other platform that can do all that in such depth and better than Mozilla.
I have a question: are you thinking all the tools would be rewritten to be browser extensions or something, or just like a web front end that interacts with the binaries, like nmap’s nmapfe and Metasploit’s web interface?