July 25, 2017

Jikto Hits The Web

The source code for the JavaScript web scanner Jikto has made it into the wild, making it easier for attackers to silently turn PCs into scanners for sites vulnerable to cross-site scripting exploits.


“I will not be releasing the source code of Jikto…” – Billy Hoffman, March 22nd, talking about his upcoming Shmoocon discussion of Jikto.

“It appears that the source code to Jikto is in the wild.” – Billy Hoffman, April 2nd, noting how someone promptly grabbed the code during his Shmoocon presentation and posted it publicly.

The potential impact of Jikto, a JavaScript-based website scanning engine, was one of the topics that came up during our chat with Paul Henry of Secure Computing. Plenty of discussion about it had taken place online before we talked last week, and that proved very timely.

As Henry noted, Jikto installs silently on a machine visiting a web page containing its JavaScript. Once Jikto is in place, it can scan other sites for holes, and report them back to whoever has been designated in Jikto as a recipient.

Hoffman, a security researcher at SPI Dynamics, took steps during his presentation to try to keep prying eyes from seeing where the Jikto code could be obtained. Although he said in a later blog post that SPI took “extreme steps” to keep the source code protected during the Shmoocon talk, a hacker going by the handle of LogicX easily spotted a URL where he could get it.

He did so, and posted it to his website and then to Digg. Although LogicX took it down upon request, the damage was done, and Jikto made it into the wild.

“Regardless of what you might have heard, SPI didn’t leak it,” said Hoffman. “Even LogicX admitted he snatched it because he got lucky.”

“I meant no harm to Billy or SPI, and immediately took it down. My interest in the code was purely from the perspective of how it worked,” LogicX wrote on his blog. He identified himself as an Information Security Consultant with Security Management Partners in Boston.

The code that escaped was only client-side code, LogicX said, and is incomplete without the other pieces of Jikto.

As a proof of concept, Hoffman just wanted to show how dangerous XSS vulnerabilities could be, and why web designers needed to be more aware of developing an online application securely. When criminals start building upon Hoffman’s work, the real-world demonstration will be very instructive.


About David Utter
David Utter is a business and technology writer for SecurityProNews and WebProNews.