A new tool too dangerous to give away can turn any PC—Windows, Mac, Linux—or any device with a browser into a site attacker.
The tool, called Jikto, is a Web application scanner that searches for cross-site scripting vulnerabilities. Billy Hoffman, a security researcher with SPI Dynamics, demonstrated what the tool could do at the ShmooCon hacker convention March 24. Namely, Jikto, which is written in JavaScript, can surreptitiously latch onto a browser that has JavaScript enabled.
After silently inserting itself to run inside any browser—be it that of a PC, a cell phone—Jikto can then search sites for cross-site scripting vulnerabilities and report its findings to a third party without the user of the infected browser being aware.
It can also replicate itself onto sites containing cross-site scripting vulnerabilities and then spread via latching onto visiting browsers, Hoffman told eWEEK in an interview.
This is something that JavaScript wasnt supposed to be able to do, but unfortunately, Hoffman said, it can.
JavaScript was originally Netscapes version of the ECMAScript standard, a scripting language based on the concept of prototype-based programming.
Now controlled by the Mozilla Foundation, JavaScript is best known for its client-side use in Web sites.
In that context, a major use of JavaScript is to write functions that are embedded in HTML pages and which interact with the DOM (Document Object Model) of the page to do things that HTML cant do on its own: create pop-up windows, validate Web form input values or change images as a mouse cursor moves over them, for example.
Web application vulnerability scanners have been around some seven years. Most have been software installed on a PC.
Jikto, because its written in JavaScript, doesnt need to be grounded on a client, Hoffman said.
“Your browser just visits a page. If it contains JavaScript, it can start scanning other sites for vulnerabilities,” he said.
The ShmooCon audience, which contained members of Microsofts Internet Explorer team and representatives from Mozilla—the makers of the FireFox browser—were “kind of shocked” to learn what the evil one can do with JavaScript, Hoffman said.
Thats good, the security researcher said—”By getting them interested, we can use that to [heighten the awareness of the dangers of Web site vulnerabilities].”
As it is, over the past few years, security researchers have seen attackers doing much more with Web site vulnerabilities, particularly with cross-site scripting vulnerabilities, where attackers can inject JavaScript into a site, he said.
For example, instead of typing a message or a question on an online guestbook or forum, an attacker could insert JavaScript. The malicious HTML then downloads to a browser.
Examples of recent JavaScript exploits have included the Windows Live Italy search engine getting hit by a link bomb earlier in March, with some 95 percent of search results on “hot” keywords leading to malware and exploit sites.
Other exploits
Symantec reported that encrypted JavaScript was redirecting visitors. Other recent JavaScript exploits include the Yamanner virus that struck Yahoos Webmail system and the Samy worm attack that targeted users of MySpace, Hoffman pointed out.
“Weve seen [worm attacks] before, but infecting desktop applications,” he said.
The Web appeals to attackers because its ubiquitous, thus making a much more efficient delivery vehicle, Hoffman said: It will carry an attack to Windows, Linux, Mac, cell phones, smart phones or anything that understands JavaScript.
“I could write a piece of malware to only infect Windows or Linux users, or write it in JavaScript and have it infect everybody.”
“JavaScript is kind of limited in what its supposed to do,” Hoffman told eWEEK. “But in the last few years people have found all kinds of neat tricks you can do with JavaScript.”
Hoffman had originally intended to publicly release Jikto at ShmooCon, but said he reversed himself at the behest of SPI Dynamics officials, due to the damage attackers could do with the tool.
“We tend to use this as an educational process, to show look, this is where we are now with how bad things can be,” he said.
Education is certainly needed, Hoffman said, given that most developers he knows are two and a half to three years behind on security.
“I wanted to get everyone cooked up and say, Heres all the things were seeing it do in the wild.”
While some security professionals have noted the rising number of cross-site scripting attacks, only recently have those attacks become “really, really dangerous,” Hoffman said.
Outside the security industry, the awareness of the dangers are low. “We need to start taking Web vulnerabilities seriously,” he said.
The question is, who can patch a browser to be immune to an attack such as Hoffman demonstrated with Jikto? No one, Hoffman said, because “there isnt anything fundamentally wrong with IE or Firefox.”
Nor is the problem with JavaScript. The problem is that JavaScript is simply capable of doing things that can be subverted, Hoffman said.
“Some of its capabilities allow it to be used this way,” he said. “Its like I have this crowbar, which I can use to break into a car, but its also good for a lot of [positive] things as well. JavaScript isnt evil or bad inherently. Its just you can do things with it people didnt intend for you to do.”
As it is, big Internet players including Google, eBay, PayPal, Yahoo and the Mozilla Foundation have found themselves used as cross-site scripting platforms due to vulnerabilities.
Just as they have addressed it, so too must smaller companies, Hoffman said.
“Google and Yahoo and eBay and PayPal, they throw millions a year, if not tens of millions, at Web security, at designing applications securely from the start,” he said. “And even they make mistakes. But the big guys take this seriously. Small to medium companies with Web presence … should take it seriously. If [the big guys are] making mistakes, and theyre pretty smart, chances are youre making mistakes too.”
The fact that SDI Dynamics refrained from releasing the code should be no comfort. If Hoffman knows about the ability to use JavaScript maliciously in this way, as he demonstrated with Jikto, others certainly do as well.
“Im not that smart a guy,” he said. “If Im talking about it at a conference, you better believe somebody else has figured it out. Those people have not told people about it” because theyre likely quietly exploiting JavaScript in this way, he said. “Theyre likely selling [such code as] exploits, using to find vulnerabilities, or all sorts of things.”
Jikto is more a proof of concept code sampling than a tool per se, Hoffman said.
“Its fairly easy for someone to reproduce my work. Its proof of concept code, maybe 900 lines of code total. Most of that was comments to myself and spacing. It wasnt that sophisticated a concept.” Maybe not, but it did serve to show that “everybody has to get rid of cross-site scripting vulnerabilities,” Hoffman said. “People who think its not a problem should look to Googles” susceptibility, he said.
Check out eWEEK.coms Security Center for the latest security news, reviews and analysis. And for insights on security coverage around the Web, take a look at eWEEKs Security Watch blog.