The tool is called Jikto, a reference to a popular hacker vulnerability-scanner called Nikto, and was demonstrated on Saturday by SPI Dynamics researcher Billy Hoffman.
Hoffman said he created Jikto to demonstrate that cross-site scripting (XSS) vulnerabilities are now allowing hackers to carry out highly dangerous attacks, something developers aren't sufficiently aware of.
"Self-propagating XSS+Ajax worms, advanced keystroke and mouse loggers, port scanning, fingerprinting and assaulting intranet applications, as well as stealing search engine queries or browser histories, are now all components in an attacker's toolbox," Hoffman wrote in a post on SPI's site.
In theory, an attacker could use a tool such as Jikto to create a distributed vulnerability-scanning network using innocent users' browsers to scan vast numbers of Web sites for flaws, Hoffman said.
Hoffman was initially planning to release the code for Jikto at the event, but decided against it after SPI voiced concerns. However, he said his work would be easy to duplicate, and attackers are likely to already be actively exploiting the possibilities he demonstrated.
Windows Live Italy's search engine, Yahoo's Web mail and MySpace have all recently been struck by attacks exploiting XSS flaws.
The best way to ensure security is to eliminate XSS flaws in Web sites, he said.