Jikto: the JavaScript-based threat

Written by Roberto Preatoni

Thursday, 22 March 2007

Do you know Jikto? It is a new tool written in JavaScript that cyber crooks could run on the PCs of unsuspecting users to make them carry out illegal activities without directly commandeering the systems. According to Jikto creator Bill Hoffman, a researcher at web security firm SPI Dynamics, this is going to drastically change the scope of evil things you can do with JavaScript. "Jikto turns any PC into my little drone. Your PC will start attacking websites on my behalf, and you're going to give me all the results."

The tool will be released later this week during the annual East Coast hacker convention ShmooCon in Washington D.C. Jikto is a web application vulnerability scanner which, according to Mr. Hoffman, can be embedded into an attacker’s website or injected into trusted sites through cross-site scripting flaws. It can silently probe and audit any kind of website and then send the results to the attacker who set up the tool.

Jikto and similar tools could be used to detect holes in digital systems, thereby facilitating cyber-criminals’ activity. The main difference between Jikto and previous tools is that it runs from a web browser and distributes the bug-hunting task across multiple PCs, whereas the others were basically traditional PC applications.

Moreover, Hoffman said that "Jikto can hunt for various common security holes and can connect back to its controller for instructions on which websites to hit and what flaws to look for". For example, it could be programmed to scan major banking websites for SQL injection vulnerabilities. Such vulnerabilities could be serious and open databases to attack.

This tool is an example of how JavaScript could be used with malicious intent. Thanks to JavaScript, Jikto can run in most web browsers without any warning and without leaving any trace: web surfers hitting a website with Jikto embedded might never realize what is going on, since the tool will run as long as the browser is open and silently disappear as soon as the browser is closed.

On the other hand, JavaScript-based tools are very slow compared to traditional vulnerability-scanning tools. Moreover, as Fyodor Vaskovich, creator of the Nmap security scanner, said: "Hiding the attacker and distributing the scanning can be useful, but the reality is that attackers can generally scan pretty widely with impunity, or they just use a chain of proxies."

The scariest aspect of Jikto and other JavaScript-based threats is that they do not act on the machine itself to compromise it, so antivirus software will not help in detecting them. Jikto’s current version only crawls and detects vulnerabilities, but the next version, which could be presented this summer at the Black Hat security conference in Las Vegas, will be designed to exploit vulnerabilities and extract data.
