JavaScript bug-hunting tool demonstrated

WASHINGTON--A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind," he said after his presentation. "We decided to focus on the educational message and show people the danger."

Another SPI Dynamics representative at ShmooCon said the company had decided not to release Jikto because that could play into the hands of cybercrooks. "We do not want to release anything that could be used for malicious purposes," said Michael Sutton, a security evangelist for the company, which sells Web security tools.

Hoffman said he demonstrated Jikto to raise awareness. Vulnerabilities in Web sites could be exploited to inject malicious JavaScript code, which puts users at serious risk, he said. Jikto itself, for example, can be placed on a trusted site by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

"The whole point was to show how scary cross-site scripting has become," Hoffman said. While some in the security industry claim such flaws are minor, Hoffman has demonstrated that they could be serious, particularly in combination with JavaScript. "This is code execution," he said. "JavaScript completely blows away the security model."

JavaScript is a scripting language, commonly used on the Web, that runs in most Web browsers without warning. Internet users who hit a Web site with JavaScript embedded likely won't even know it is running. Turning off JavaScript in a browser can help, but often that also disables many useful features on a site.

Jikto can hunt for common security holes and can connect back to its controller for instructions on which Web sites to hit and flaws to look for, Hoffman said. For example, Jikto could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could open databases to attack.

ShmooCon attendees asked Hoffman for the Jikto code, expecting it to be released at the event. But there didn't appear to be great disappointment when he said SPI Dynamics wouldn't release the tool.

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."

[n3td3v]

hoffman

the guy is trying to sex up javascript and cross-site scripting rolled into one.

this is a make life easier tool, but it won't change any kind of security incident scenario, will it?

[gmcaloon--2008]

Hoffman

The man who wrote the exploit was going to demonstrate it at a security conference, but his company managers refused to allow him to do so. Those managers deserve kudos for that. Had the author demonstrated the exploit he would have been making it available to every hacker out there. In the event, he made it a point to mention that he had wanted to demonstrate it, but was not allowed to do so, apparently expecting howls of protest from the hacker attendees. He got not so much as a whisper. Now, that is progress.

Unfortunately, apparently someone has leaked the exploit anyway. That is a good example why hackers should never be in charge of when or if a security vulnerability should be released. There are just too many irresponsible hackers out there. None of them can be trusted, including the author of this particular exploit. That character would have released it, but didn?t only because he would have been fired had he done so.

[justanotheruser]

Jikto source code leaked

I just found the Jikto source code was leaked at: <a class="jive-link-external" href="http://" target="_newWindow">http://</a>
blog.vulnerableminds.com/2007/03/javascript-internal-port-
scan-source_25.html

[ambigous]

Posted code

The code had been posted there but has been removed...

"UPDATE 3/25: Source code removed at request of Jikto creator"

[wbenton]

Nice, but too late!

&gt;&gt;&gt;"We do not want to release anything that could be used for malicious purposes,"&lt;&lt;&lt;

As responsible as that may sound... the barn door is already open and the horses have all left their stables.

Closing that door now is too late.

People will do anything to get their hands on that code... some might even offer top dollar to get their hands on it.

Now that it's KNOWN to be available... people are going to try and get their hands on it... most notably... the blackhat hackers!

Hey, why should they write their own code when they can hack and steal really good code!

Sounds sort of like too little too late if you ask me.

They should have been more responsible and not gone public with such prior to investigating the entire dark side!!!

Walt