Network Security & Hardware - eWeek


Battery 500 Project Charged Up over All-Electric Cars
Charting the Final Frontier--Google Maps for Indoors
Get Smarter Technology on Your Mobile!
  Network Security & Hardware


Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone



 By: Lisa Vaas
2007-03-26
Article Rating:starstarstarstarstar / 0


There are 0 user comments on this Network Security & Hardware story.


  Table of Contents:
  1. Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone
  2. ' Other exploits '

Rate This Article:
Poor Best
Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone
( Page 1 of 2 )

A new tool called Jikto can turn any PC or device with a browser into a site attacker.A new tool too dangerous to give away can turn any PC—Windows, Mac, Linux—or any device with a browser into a site attacker.

The tool, called Jikto, is a Web application scanner that searches for cross-site scripting vulnerabilities. Billy Hoffman, a security researcher with SPI Dynamics, demonstrated what the tool could do at the ShmooCon hacker convention March 24. Namely, Jikto, which is written in JavaScript, can surreptitiously latch onto a browser that has JavaScript enabled.

After silently inserting itself to run inside any browser—be it that of a PC, a cell phone—Jikto can then search sites for cross-site scripting vulnerabilities and report its findings to a third party without the user of the infected browser being aware.

It can also replicate itself onto sites containing cross-site scripting vulnerabilities and then spread via latching onto visiting browsers, Hoffman told eWEEK in an interview.

This is something that JavaScript wasnt supposed to be able to do, but unfortunately, Hoffman said, it can.

Resource Library:
JavaScript was originally Netscapes version of the ECMAScript standard, a scripting language based on the concept of prototype-based programming.

Now controlled by the Mozilla Foundation, JavaScript is best known for its client-side use in Web sites.

Read more here about cross-site scripting attacks.

In that context, a major use of JavaScript is to write functions that are embedded in HTML pages and which interact with the DOM (Document Object Model) of the page to do things that HTML cant do on its own: create pop-up windows, validate Web form input values or change images as a mouse cursor moves over them, for example.

Web application vulnerability scanners have been around some seven years. Most have been software installed on a PC.

Jikto, because its written in JavaScript, doesnt need to be grounded on a client, Hoffman said.

"Your browser just visits a page. If it contains JavaScript, it can start scanning other sites for vulnerabilities," he said.

The ShmooCon audience, which contained members of Microsofts Internet Explorer team and representatives from Mozilla—the makers of the FireFox browser—were "kind of shocked" to learn what the evil one can do with JavaScript, Hoffman said.

Thats good, the security researcher said—"By getting them interested, we can use that to [heighten the awareness of the dangers of Web site vulnerabilities]."

As it is, over the past few years, security researchers have seen attackers doing much more with Web site vulnerabilities, particularly with cross-site scripting vulnerabilities, where attackers can inject JavaScript into a site, he said.

For example, instead of typing a message or a question on an online guestbook or forum, an attacker could insert JavaScript. The malicious HTML then downloads to a browser.

Examples of recent JavaScript exploits have included the Windows Live Italy search engine getting hit by a link bomb earlier in March, with some 95 percent of search results on "hot" keywords leading to malware and exploit sites.

Next Page: Other exploits





  Reader Comments: Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone
>>> Be the FIRST to comment on this article!
 


 
 
>>> More Network Security & Hardware Articles          >>> More By Lisa Vaas
 


x}r㶲s\@♵M=RJؖI*EBc")JN~b:?qtMJ=gq2D th4{$ W7-gD.]sfS?q;O ['w> (ˑԫ1mSHnwݶFN=gP'^> \?g3Q;Y|N8CEnOU[۾tsgyHff.j.9acm c @2zz`N{tXa_eY7;Ͱ-.@6#M-jZUQ bkG╇o[©̝ wQo~{UMSe}~#GAmkh[J"ZAP\On:Y\u>..Ƀ-N6|'[oLR*rP8$ȇ ;|5 P%oJV4E; KHr SdXIC/YTU![ǽSҺnoNΏoڭ3do̲5<JEӀ Zvb"?[W۳kiK:7}"+|vg5M0\̱:֪׷V1?!&A_8?_OHN‰,Nɿ{;Beu#7{7#ReQ o̱n>@|ˤd0&p* ߱n^S'G5ǯhVj5V0z[SĿ G/<@'LY p3Z&9T23=MH5ņ])!ehFSۤ%/^(P%!P샖_.[ jF|*(If({΀/3A.r)i t 6=aL+^뻹(4l.k\֛esJVt];7Eя0-*<5ZǛ)^wtv[0*>cq4Y`A-. :oo:jr-67RQ^Tjrkhc2ud8԰< &} aO> 5٤>'4}t>჎$>hƋCri[n-rӇ{u4Aݣn]=&tfiXŞ+LPZi50C m| &>r\l 8d$)syp;L- σ5]ѽ[:? a= 0.Zm$8ʼ E]ub3Bݷ|{ њ떭,L<ģ̠>N(~9-WRC/0z""D% T h4AǰEENA7;.VKŤ\*y"Jm':.ܑWKRx&,S,BV-KᗄPf%i2mhƪń(VFNl(0Vf)ShƏ00UEBf'ShW(f3ᠺN4S}52{B;`a3s]etGKz4&T֬&4Y R >5mVAL  |U=kb$`~f Д +< +1!Y/>uzS\99IAw ew貟Fi_f]ZЬ{{#Uv/:At ]օVPKo@x dX{K/,è+AJK_ji tsaŰ,Bl6<:iМ^fdTR4>t:>{j -j&{ߪ&TYwCxz#jISʑbY;wl ʸfJiriz68u>N)MKϵ("ݩ?vl>u lp>hBJmHw:vJ[Y*,b3)4j+zF of`׆ K ؈|ȁUraҝŅebiQ=k-);US]HXa6nZ- V!0\0|pT30`-eO)]&ٰ\R ~j"yd\s˰e0Q?؉ 7ܕVR53]։;lRzzwݑM% Wl RN0C)Xk±&>,<<+ځi0A  ~H.Lb4>\Pbr>+ eT)5*IMxm"P/?ˇ%Ŵ谢Ԙy}Rː 0gted-흧 IR-frheU-UjR9_V2:EƟR!p^Z3;|d2,` | Z<|˰"U~o |JZYPIb+ģYV WMUp`wy~t=t@hxZ `i@%p LM{jJwg `Z~,pO,3yZD]bRYEG?voqmM)Dkԃ!3~b_@URTڞO"9KAG^320";wF\!vʬi~ q?Nqߎ3XAmšk+sD ü z30Jј<-*=>Y6AP,2Ϧy3iqS2ܪ+_e<M`%g\Ukh{9A;B, r}SϺ!'܏p<7L M}G TQW5@dLfaNg1µ ek&w5* <lRL5sݿyj=z{Ǻq7ʧ@dC-sC dKS0ާ' Yn:AjAy̧`Rb3ⵚV+g|6i4DZ63ȈDrzzB*>_l6a%|wN:@"c]f.2|Yy1֏';*})cʌEo(SYmq'&F.҄^\fvmvLTSdPR6Z|b\).3GzxLaWPjjz L*>MC 7PF[#n$}=բ,A7HU(V $ }Ur9-h2Y+(#t+^}a mD<[ 1wʨTIV+Gs;"ʊg b|p{>'F{zlj>eWՄθ4;b9[FIdYyVum4uP"5Hq'$˴I>N0atA*¾G.CGTTFogMGD0|=f^%uRiEmT)玾ߓN\Z 8zAbQ=Y rvjT GrF2R@BZNb.xlēo -"Ԅ֟; +~W?l)ɁXXD>DQkF\{e"nxB* gF Dccb^f>Q*oP[/I]S0:;bd}G]Itmw~H ۇ>\e!1a<}םn\f#rj?E)jiRviԾ:m됔J>|:ڗ-~l1z˾WM$(Xp4q'^y{{<=m_n; EFh0Z < hq\ 8͛+%E熟;"u ׹< rDpAj^_'d0| srjބ6b ` xѤ8"F<$Ø/ B@ ˸tnN[7Y0z!B3ZMUc z A0֢< V_8/w`TIBQ2 7?%E:Z7dl&u"N M5W"Jv-{t#1݇ðaTwd* e~=m2결tC%<0OтN)tJȓSI8 z>RB'T5˓$/IYO)Eqjhd꒐~~(h&'ءXҡ۳^7'8 $O krwisq/P}~%yx2kI85(^yNHqJiIw3DJ^KjpVKu^N,~xRr'T'z@”+<iTVHl{3q,: mȓK9C7<;^bG/syBO+f8-,]:]W_>_GoIM21Bwyn xqf='st97X16q=wv"ϓ{~\[ ("[ ueNx>HА[#=p>~⌜003|m6bOf0>oV8i?{޽s¾"CWq [:+`*9$HhHN d_"2NIJn/:}L9zdM#}ӺJfz7ki^x̠t8s w{~}!.u?/y ᛟtϯ3i8%~WJ][i}D)]K5"vًKqǛyeQjȓGDK`#i>Ro14l*z3=}r9[fvÏ5$i NZ6;xY6 ɵcr_jPooWHJCym" [Po,BjA- f/PiM5F>,ϩ&<"!YʹD)OLS/r/Xg@65x <> > 0q~┆ CDDCk}j<(4?n>7=^0ďoz6#&$>ۋ?= j=N*%-؜Iqy#H?b[PQ1T=$L~0{96ٶ5X*K<Ǘ\7nZ,y){O= •tհܙ/zL,!ahĭH"D.eQ359eEOS2EU0ݳix.W-7ހW$ i#z<=]nDRMzs0$qWHa}x6BX,0-?5J8PJ& M/Ę_*!AB^ډjJVx)~c>S۝N&0`H8H́; D~8Ӽdf˅ZP`AXr$gY"`m߇$_~)jz2qO} LZؖI_P)~t O3VV 'cϝPڞ K|ݒ*jl H% 62'BZȵ9Hs!ή-^]i(J9)}b1t,BUtoΤ3[33^  GA|]\TDK'wtܖ/s7ON\)nbAa=XOjjM)f0^ C|f}X{r"JHi/i3V^nV@@t̑X'1$ c.RQ v ':^2aF,i'}29O~ DaµSn__“oNoNoNoN.EU};W/^sΐZȩUpJ/]cbm/RҥOU„|C~ÅX }"@ԓ:T%ycP5UB<%יeg0aotГu{\:;30Bh8%^=.x}!5MMB|.a#1<O+;P65G+ (A'RW/_TЌ=t"eT`˛=KנX6S#FIp8^* |!;%߼73w2ԥn zc̟se}La\e-56h#D8szhHߒJ_`jJ|a !:x}a=)A9timjSh#ʍo /&ܻFHaeoqVk0z|W3E-'I4b'`/A1DKb@/]j Ґ}LR68PC᥿n.iɧ^i=T60#87~@( xm}-6#Ӫ=F(KLBͨ4$t{#i>ڌ} !^tEw'y{Ddb =MU).a ?@y um|Vy#ou?&n &c(,!@^t L]/НST䉯 RHoËEMVstxwKē n8~OZY13ʉmO]ax;OEqmc8B4ow.@,6aٵ()ȁ;]ĆmɗWc#kx|mDYFBi. ؕPe9LYؕĠAIB4ĸW܇n"IhPVWkg+ , t"Y"'"KIE/]^|~8. dR /(_Z6DPsm.MEfAȢ儷[\15UZr^:XuZ.˘xT ioՍ"r\IoA$NPRT UP+$4h^TŨ&@ 66L}^Š@FJk&ȍZkݜs3e_i<1E7Zzڝ D37:Viqs;w'7ƘF[TvXKߚu:A#dn-&~iX!l>H'*t=jh܇DnԤJ .vjR#rz4 Ps0]+UMhբ fG@VTl}ˮ%cF#x٥5{8 Փ>-,b'c0/Ƙ;0/bZNa={ΏvTXC.,|5.aGN$(b ~-=Ÿ>OO|KALr j1w[ w5kitPAH+[lhE{wi/1~J+kѱf=̜/_`ci7t]ktK73>^3B{s^1~"js{-6NW̎ - 6Ƕl[va|D'OR)q2ɹ莥ep::IwJ Ki~RBJuTy+s\1mieBn).rBʇیh%=Q2 4&GvD!1 Ą[)bUfwܠ~z*ڟOme^f#nʏZU{F dM,|U!i|%w[ҥn,M1-/;>#o[I XPpS|MA9(WTD~N F̋XH t8,$:W{m{A=~{DLRO\ND>_ _!߰,VIm{7R[ $y?ZEDB% Quj}@~h/U{Z7] d32+X9ݛb_@SgYU-l  \Zs4aw}?퇛RS ƈn_ea@p=SA-50Șh MQ VHxD~2&giBE< ,iMmang =wBpbZ!Ř!bU^͈ is:q(;.sS}%ߺH"V|8s =J< r׺H8ʿIS*vqY@y+LL͂`Aa~L­!Rjs# h_ƹG&4`M]Xg- .E.Ӈ;q(?qWiN +fɻS:rtT(ʁ2|{` f> cf[7gΥixDZ<& .ycI 8^yN4X+=⟌7,X2| =܇>RXX_1[> MꪂOJBveX &z<>{AguU=q VH+^@03:%⽬$͈ɵ7֝4/> iVt?wOn׽v.:x Zѷptԝs9|ҹ|־j]ߴzƙgw00lB_d_T 3%,C rvռl1;eFq('MB*rK xU" /%Lqx&0ۥ̟D^wRv}Y QJ_MӄGO!~jԊkm9 g58ٙ/K_)9q Χ6='l0c=W܄X @1@C|m]Nzs5Bx_m^;^d@/7P~ (@y'9hp(?g@ Pq}y;8o/oӌr_;i_eC5>t3?C"%1>e2 >2@ \_^f%e^e ?eCyF?P~Q{1W ?Wsw1~'? /q _gs?]fe__P>f'(U}Sn66oیon3/9IR< 9k^픊8kgK " SV9,2kP g  ~-2:B @n~ Ks\WKM0TntEճKD쵆cn%:@b}a/! c|U$X2M*S!#(48%Y}MNJ 4tk 7b[yDYAI{R}tEI>t𞫫i@Lw<-cENj9.~QJxdB$h{U26#{"djc7'%Y#/ܻ Gz‰nQ'L2f~<ĎrnOArr m>v#y]^{P[Йq ޢD)+Fyk@ûY>RqFPgnM= :!E:I>&m\ʠaC7ao/XbKZ;c`\';=2gdy0\9Kh]V=ȾwF=CY%'x-ȷ:ѧ^x2ԧB΄[4пC$s%(uL R8, ODQYgqǭd<@T6?rцwr${H-t{6#KFUx/ C4|'oDՏF"0~.e\Ťe @ v{ -HZ~nҸx\3{0601Nx>}r 1-XhkоxAq4[Hm7c@诿J`Xk/JV7"t#b́Pl@PJ]XnTP'Jq}l8=;d؆"dwnܙ%O_Fq2#0' MĮ+fAj3rf,vg ='ݹfsH!L&d>>%^#%&/4v$ѓ]R `wO 챧$J~Χ%NAf:2Ş_ m|+o/TùLHd v"ѱsPF}v12_ {+2‡_i 괯McA۾&]מ V?>N@U} 1,&'j :BQfw?j ki"tZwkdY9Hr&zU h$7=j"6: gK“J'rJN1^R”s]q75RW}x/ē_| 3Obx`#Yұ ߚP TDO"vy9m$Ki[zQڗE@1agGێf*i/;@Bo&!#R.ܐOF{_S ahy㲁e"=`3 s"Tt73v3E?;wiF)f'NFp)hN<}y?٢ uKğopm.; +C&:bz:SA\W (9|x@Nhtu޴cHPWFWݞ햏 Xo} 8lO.dzl}̀!XsQ%ɷ` <ݛ-Hˍ_d%\#d<l[ +"ۂ KmӤ>q¥"UXJMX,8. kt9ms;.[r,#<[_ڵlAt=] vE hMg+_2qEnBcVJrX}P/):OOgsZ%^Hv"]&,{ QFbf]49N]Rjã ,c<ԭ<P0_C^&?c5Vqٮ7G,cݰKQaW:6n uywXL\7﹨]eCFP1Wov$ѿ9V0|6,lp/>&燸[0tczNozO϶p2$82epCikZK 0Dq] XǢȖWqTR:!; /D?8 ci,;bcXJ ,ozԛ'TS*4.v>Ͻn̯]2xDh\N"?Hxvw6k+[Ȁ7H>Y{D,5R;tP9˓z0 i&tصa=":xqea#Vt*NﺽV/PuzY}TO3uG??;otۿˌhT*.㉋o['M nɇ7WRXFYS$Di+ AHcɊxY0]\}!l4Gn_!?[SˬZY$I#;ov[b$- U.IM)V []jq۩ g۲M*d.%rR⊫+EiQ}"' CfJ܄;66BKFslx61*)