March 20, 2007 5:04 PM PDT

Tool turns unsuspecting surfers into hacking help

A security researcher has found a way hackers can make PCs of unsuspecting Web surfers do their dirty work, without having to actually commandeer the systems.

That's possible with a new security tool called Jikto. The tool is written in JavaScript and can make PCs of unknowing Web surfers hunt for flaws in Web sites, said Jikto creator Billy Hoffman, a researcher at Web security firm SPI Dynamics. Hoffman, who developed the tool as a way to advance Web security, plans to release Jikto publicly later this week at the ShmooCon hacker event in Washington, D.C.

"This is going to drastically change the scope of evil things you can do with JavaScript," Hoffman said. "Jikto turns any PC into my little drone. Your PC will start attacking Web sites on my behalf, and you're going to give me all the results."

With the advent of online applications, hackers have shown increased interest in breaching Web security. Though vulnerabilities such as cross-site scripting bugs and SQL injection flaws have been around for years, such security problems are increasingly being reported and exploited.

Jikto is a Web application vulnerability scanner. It can silently crawl and audit public Web sites, and then send the results to a third party, Hoffman said. Jikto can be embedded into an attacker's Web site or injected into trusted sites by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

Vulnerability scanners by themselves aren't new. Hackers often use such tools to find holes that let them break into systems. Jikto is like Nikto, a Web application bug-scanning tool popular among hackers. The difference is that Nikto is a traditional PC application, while Jikto runs in a Web browser and distributes the bug-hunting task across multiple PCs.

Jikto can hunt for various common security holes and can connect back to its controller for instructions on which Web sites to hit and what flaws to look for, Hoffman said. For example, it could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.

"This is going to drastically change the scope of evil things you can do with JavaScript."
--Billy Hoffman, Jikto creator

"Half of hacking is collecting information and then sorting it. An attacker can now distribute this job to many people," Hoffman said. As a bonus, the targeted Web site won't know the identity of the attacker because the site is being probed by the unsuspecting Web surfer who happened upon a Web page rigged with Jikto.

Jikto is an interesting example of how JavaScript can be used maliciously, but traditional vulnerability-scanning tools probably are a more efficient, said Fyodor Vaskovich, creator of Nmap Security Scanner, a tool widely used in the security community to find vulnerabilities.

"These JavaScript attacks are usually very slow to perform compared to the attacker scanning from an already compromised machine," Vaskovich said. "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."

Because it is created in JavaScript, a scripting language commonly used on the Web, Jikto will run in most Web browsers without any warning. Internet users who hit a Web site with Jikto embedded likely won't even know what's happening. The tool will run as long as the browser is open and disappear without any obvious trace, or residual damage.

Jikto is different in that way from bots, a common method miscreants use to take control over PCs. Typically, bots compromise PCs through security holes in Web browsers or e-mail messages laden with a Trojan horse. Somebody with a patched browser, smart e-mail habits and updated security software would typically be protected against bot software.

"As a user you really can't do much against Jikto or other JavaScript-based threats," Hoffman said. "I am not giving you a Trojan or a traditional backdoor. I am not really compromising your computer. That is what makes this so scary. Antivirus is not going to help you."

JavaScript plays a major role in the Web 2.0 boom, which is causing a splash as it stretches the boundaries of what Web sites can do. But malicious JavaScript, especially in combination with the increasingly common Web site security flaws, could lead to insidious Web-based attacks, security experts have said.

Right now, Jikto only crawls and detects vulnerabilities. Hoffman is working on a next version that can also exploit vulnerabilities and extract data. That version may be presented at the Black Hat security conference in Las Vegas this summer, he said.

See more CNET content tagged:
Web security, Web surfer, JavaScript, attacker, hacker

12 comments

Join the conversation!
Add your comment
That's Nice!
I especially like the part where Hoffman is going to release it publicly later on. AND, the next version will exploit as well as probe.

Wouldn't it be sufficient to just SAY that it can be done via JS and require a signed "use-it-and-go-to-jail-form" before anyone can hear the details of how?
Posted by Kings X Rocks! (89 comments )
Reply Link Flag
Not much point
Even if he doesn't release it and no one from the presentation does either, the only real details required are "JavaScript version of Nikto". From that pretty much any malicious hacker with experience in JavaScript could write the thing. It might take an extra week or so, but that's about it.
Posted by Hoser McMoose (182 comments )
Link Flag
Reward
Should we thank this guy or hate him?
Posted by videofuel (6 comments )
Reply Link Flag
Thank him.
Everybody who programs in JavaScript and AJAX already knows about this possibility. It's great that he's bringing it to our attention. IMO, unrestricted cross-site scripting is a major security hole in JavaScript and it should either be restricted or tools should be provided to manage it.

One thing about this though: JavaScript implementations typically aren't very good at managing threads, so if a malicious site is running a process like this, it should be pretty obvious. You will see a noticeable degradation in the responsiveness of your web browser.
Posted by fcekuahd (244 comments )
Link Flag
Extortion
What this guy and his company are attempting to do is same thing that the mafia does. They are releasing a hacking tool and his company will sell you a product that will protect you from it. Any business owner knows you need to buy protection from the mob!
Posted by guruwannabe (1 comment )
Reply Link Flag
Turn off Java Script
I think, it is time to TRAIN the most dangerous threat "THE USERS". Since i see one of the solution for Stopping Java Script attack is to turn them off. BUT in this way all of web 2.0 based application will stop working.

May be it will solvable with some Firefox plugins.

Zeeshan Ali Shah
www.Xeeshan.com
Posted by javaclinic2 (1 comment )
Reply Link Flag
I am NOT turning off Javascript
If any site I visit plants a javascript crap on my machine, I am
calling the authories. At least they know who to question now.

These type of new idiots really made security business get bad
name from average user.
Posted by Ilgaz (573 comments )
Reply Link Flag
bugs me not lol
noScript and firebug are so gonna kick ur lousy little scripts ass.
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
bugs me not lol
and bug me not owns cnet
Posted by aabcdefghij987654321 (1721 comments )
Reply Link Flag
Jikto Source Leaked
The Jikto source appears to have been leaked and subsequently
taken down here:

<a class="jive-link-external" href="http://blog.vulnerableminds.com/2007/03/javascript-internal-" target="_newWindow">http://blog.vulnerableminds.com/2007/03/javascript-internal-</a>
port-scan-source_25.html
Posted by justanotheruser (2 comments )
Reply Link Flag
jikto
this is a dangerous one...
Posted by Shakyamuni (1 comment )
Reply Link Flag
 

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot

Discussions

Shared

RSS Feeds

Add headlines from CNET News to your homepage or feedreader.