JavaScript bug-hunting tool demonstrated

Security researcher says his company won't let him release Jikto, which turns PCs of unknowing Web surfers into crawlers.

Joris Evers Staff Writer, CNET News.com

Joris Evers covers security.

See full bio

Joris Evers

March 26, 2007 6:25 a.m. PT

2 min read

WASHINGTON--A security researcher at ShmooCon on Saturday demonstrated, but did not release, a tool that turns the PCs of unknowing Web surfers into hacker help.

As expected, SPI Dynamics researcher Billy Hoffman demonstrated a Web application vulnerability scanner written in JavaScript. The tool, called Jikto, can make an unsuspecting Web user's PC silently crawl and audit public Web sites, and send the results to a third party, Hoffman said.

But, in a change of plans, Hoffman did not publicly release Jikto. "The higher-ups first say we can, and then they change their mind," he said after his presentation. "We decided to focus on the educational message and show people the danger."

Another SPI Dynamics representative at ShmooCon said the company had decided not to release Jikto because that could play into the hands of cybercrooks. "We do not want to release anything that could be used for malicious purposes," said Michael Sutton, a security evangelist for the company, which sells Web security tools.

Hoffman said he demonstrated Jikto to raise awareness. Vulnerabilities in Web sites could be exploited to inject malicious JavaScript code, which puts users at serious risk, he said. Jikto itself, for example, can be placed on a trusted site by exploiting a common Web security hole known as a cross-site scripting flaw, he said.

"The whole point was to show how scary cross-site scripting has become," Hoffman said. While some in the security industry claim such flaws are minor, Hoffman has demonstrated that they could be serious, particularly in combination with JavaScript. "This is code execution," he said. "JavaScript completely blows away the security model."

JavaScript is a scripting language, commonly used on the Web, that runs in most Web browsers without warning. Internet users who hit a Web site with JavaScript embedded likely won't even know it is running. Turning off JavaScript in a browser can help, but often that also disables many useful features on a site.

Jikto can hunt for common security holes and can connect back to its controller for instructions on which Web sites to hit and flaws to look for, Hoffman said. For example, Jikto could be programmed to scan major banking Web sites for SQL injection vulnerabilities. Such vulnerabilities could open databases to attack.

ShmooCon attendees asked Hoffman for the Jikto code, expecting it to be released at the event. But there didn't appear to be great disappointment when he said SPI Dynamics wouldn't release the tool.

"Once one person has talked about the ability to do it, it doesn't take that long for somebody else to come up with it," said one ShmooCon attendee who asked to remain anonymous. "It will come out."