
Comments on: Tool turns unsuspecting surfers into hacking help

With Jikto, JavaScript on a Web site can turn PCs into a bug-hunting tool, thus doing a hacker's dirty work.

That's Nice!
by Kings X Rocks! March 21, 2007 4:53 AM PDT
I especially like the part where Hoffman is going to release it publicly later on. AND, the next version will exploit as well as probe.

Wouldn't it be sufficient to just SAY that it can be done via JS and require a signed "use-it-and-go-to-jail-form" before anyone can hear the details of how?
Not much point
by Hoser McMoose March 21, 2007 7:40 AM PDT
Even if he doesn't release it and no one from the presentation does either, the only real details required are "JavaScript version of Nikto". From that pretty much any malicious hacker with experience in JavaScript could write the thing. It might take an extra week or so, but that's about it.
hi
by n3td3v March 21, 2007 6:55 AM PDT
how much did they pay you mr.evers?
Let's "pollute" Java some more
by felgercarbnaysay March 24, 2007 9:31 PM PDT
When you say "they" I assume you mean Microsoft.
Reward
by videofuel March 21, 2007 8:43 AM PDT
Should we thank this guy or hate him?
hate
by n3td3v March 21, 2007 8:52 AM PDT
he is adding to the problem.

he knows all types (including malicious hackers) will use this tool, and he doesn't care.

all he cares about is his own status at the security conference in 2007.

more than likely he has a web site too, with adverts at the side as well.
Thank him.
by fcekuahd March 21, 2007 10:02 AM PDT
Everybody who programs in JavaScript and AJAX already knows about this possibility. It's great that he's bringing it to our attention. IMO, unrestricted cross-site scripting is a major security hole in JavaScript and it should either be restricted or tools should be provided to manage it.

One thing about this though: JavaScript implementations typically aren't very good at managing threads, so if a malicious site is running a process like this, it should be pretty obvious. You will see a noticeable degradation in the responsiveness of your web browser.
Extortion
by guruwannabe March 22, 2007 9:32 AM PDT
What this guy and his company are attempting to do is the same thing that the mafia does. They are releasing a hacking tool and his company will sell you a product that will protect you from it. Any business owner knows you need to buy protection from the mob!
Turn off Java Script
by javaclinic2 March 24, 2007 5:45 PM PDT
I think it is time to TRAIN the most dangerous threat, "THE USERS", since I see one of the solutions for stopping JavaScript attacks is to turn it off. BUT in this way all Web 2.0 based applications will stop working.

Maybe it will be solvable with some Firefox plugins.

Zeeshan Ali Shah
www.Xeeshan.com
I am NOT turning off Javascript
by Ilgaz March 25, 2007 8:52 AM PDT
If any site I visit plants JavaScript crap on my machine, I am calling the authorities. At least they know who to question now.

These types of new idiots really made the security business get a bad name with the average user.
bugs me not lol
by aabcdefghij987654321 March 25, 2007 11:18 AM PDT
noScript and firebug are so gonna kick ur lousy little scripts ass.
bugs me not lol
by aabcdefghij987654321 March 25, 2007 11:19 AM PDT
and bug me not owns cnet
Jikto Source Leaked
by justanotheruser March 25, 2007 11:45 PM PDT
The Jikto source appears to have been leaked and subsequently taken down here:

http://blog.vulnerableminds.com/2007/03/javascript-internal-port-scan-source_25.html
jikto
by Shakyamuni July 31, 2007 3:36 PM PDT
this is a dangerous one...