JavaScript malware threatens internet

A researcher at the security event ShmooCon has demonstrated proof-of-concept code showing how JavaScript can be used to turn an unsuspecting browser into a hacker attack instrument.

The tool is called Jikto, a reference to the popular vulnerability scanner Nikto, and was demonstrated on Saturday by SPI Dynamics researcher Billy Hoffman.

Hoffman said he created Jikto to demonstrate that cross-site scripting (XSS) vulnerabilities are now allowing hackers to carry out highly dangerous attacks, something developers aren't sufficiently aware of.

"Self-propagating XSS+Ajax worms, advanced keystroke and mouse loggers, port scanning, fingerprinting and assaulting intranet applications, as well as stealing search engine queries or browser histories, are now all components in an attacker's toolbox," Hoffman wrote in a post on SPI's site.

Jikto is a vulnerability scanner written in JavaScript. When a Web browser with JavaScript enabled visits a site containing the tool, it latches onto the browser and can then scan any site the user visits for XSS bugs, reporting the results to a third party.

If a site visited does contain an XSS flaw, the tool can embed itself in the site and propagate to other visiting JavaScript-enabled browsers.

In theory, an attacker could use a tool such as Jikto to create a distributed vulnerability-scanning network using innocent users' browsers to scan vast numbers of Web sites for flaws, Hoffman said.

"JavaScript is capable of crawling and auditing third-party Web sites just like a traditional Web scanner," he said in the posting.

Such a scanner wouldn't necessarily be the most effective or efficient way for attackers to glean vulnerabilities, but the point is that it is possible with JavaScript, and that XSS poses real dangers - something most developers would be surprised to learn, Hoffman said.

"This homogenous platform, coupled with JavaScript's new features, has enabled attackers to perform advanced attacks using XSS that were thought to be impossible even two years ago," he wrote. "The biggest tragedy of all would be if a developer decides to put off fixing an XSS vulnerability because they weren't aware of all the damage that could be done."

Hoffman was initially planning to release the code for Jikto at the event, but decided against it after SPI voiced concerns. However, he said his work would be easy to duplicate, and attackers are likely to already be actively exploiting the possibilities he demonstrated.

Windows Live Italy's search engine, Yahoo's Web mail and MySpace have all recently been struck by attacks exploiting XSS flaws.

Blocking such malware at the JavaScript level is next to impossible, since the problem isn't a bug in the technology but a legitimate capability of it that can be subverted, Hoffman said at the presentation.

The best way to ensure security is to eliminate XSS flaws in Web sites, he said.
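The fix Hoffman points to, shown as an added example that is not from the article or from SPI Dynamics: a reflected-XSS rendering pattern of the kind a scanner such as Jikto looks for, beside its output-encoded replacement, plus a small check a code reviewer could run. Function names and the sample input are hypothetical.

```javascript
// Added example, not code from the article or from SPI Dynamics.
// Function names and the probe input are hypothetical and constructed.
// User input must be rendered as text, never parsed as markup, so a
// crafted query can't become script that runs in a visitor's browser.

// Vulnerable: the query parameter is concatenated straight into HTML.
function renderSearchVulnerable(query) {
  return '<p>Results for: ' + query + '</p>';
}

// Encode the characters HTML treats specially. Every '<' becomes '&lt;',
// so nothing in the input can open a tag or break out of an attribute.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Hardened: same page, same layout, but the input is encoded at the point
// where it is written into the document.
function renderSearchSafe(query) {
  return '<p>Results for: ' + escapeHtml(query) + '</p>';
}

// Review check: after the trusted wrapper is stripped, does any raw tag
// from the user-controlled part survive in the output?
function userInputLeaksTag(html) {
  const body = html.replace(/^<p>Results for: /, '').replace(/<\/p>$/, '');
  return /<[a-z!\/]/i.test(body);
}

// Constructed probe input: a harmless tag is enough to show the difference.
const probe = '<b>bold</b>';
console.log(userInputLeaksTag(renderSearchVulnerable(probe))); // true
console.log(userInputLeaksTag(renderSearchSafe(probe)));       // false
```

The same encoding belongs at every sink where untrusted data is written into HTML; the check above only inspects the one wrapper it knows about.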
