March 24, 2007 2:30 PM PDT

JavaScript bug-hunting tool demonstrated

WASHINGTON--A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind," he said after his presentation. "We decided to focus on the educational message and show people the danger."

Another SPI Dynamics representative at ShmooCon said the company had decided not to release Jikto because that could play into the hands of cybercrooks. "We do not want to release anything that could be used for malicious purposes," said Michael Sutton, a security evangelist for the company, which sells Web security tools.

Hoffman said he demonstrated Jikto to raise awareness. Vulnerabilities in Web sites could be exploited to inject malicious JavaScript code, which puts users at serious risk, he said. Jikto itself, for example, can be placed on a trusted site by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

"The whole point was to show how scary cross-site scripting has become," Hoffman said. While some in the security industry claim such flaws are minor, Hoffman has demonstrated that they could be serious, particularly in combination with JavaScript. "This is code execution," he said. "JavaScript completely blows away the security model."

JavaScript is a scripting language, commonly used on the Web, that runs in most Web browsers without warning. Internet users who hit a Web site with JavaScript embedded likely won't even know it is running. Turning off JavaScript in a browser can help, but often that also disables many useful features on a site.

Jikto can hunt for common security holes and can connect back to its controller for instructions on which Web sites to hit and flaws to look for, Hoffman said. For example, Jikto could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could open databases to attack.

ShmooCon attendees asked Hoffman for the Jikto code, expecting it to be released at the event. But there didn't appear to be great disappointment when he said SPI Dynamics wouldn't release the tool.

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."


3 comments

Jikto source code leaked
I just found the Jikto source code was leaked at: http://blog.vulnerableminds.com/2007/03/javascript-internal-port-scan-source_25.html
Posted by justanotheruser (2 comments )
Posted code
The code had been posted there but has been removed...

"UPDATE 3/25: Source code removed at request of Jikto creator"
Posted by ambigous (58 comments )
Nice, but too late!
&gt;&gt;&gt;"We do not want to release anything that could be used for malicious purposes,"&lt;&lt;&lt;

As responsible as that may sound... the barn door is already open and the horses have all left their stables.

Closing that door now is too late.

People will do anything to get their hands on that code... some might even offer top dollar to get their hands on it.

Now that it's KNOWN to be available... people are going to try and get their hands on it... most notably... the blackhat hackers!

Hey, why should they write their own code when they can hack and steal really good code!

Sounds sort of like too little too late if you ask me.

They should have been more responsible and not gone public with such prior to investigating the entire dark side!!!

Walt
Posted by wbenton (522 comments )