Tool Turns Any JavaScript-Enabled Browser into a Malicious Drone

A new tool too dangerous to give away can turn any PC—Windows, Mac, Linux—or any device with a browser into a site attacker.

The tool, called Jikto, is a Web application scanner that searches for cross-site scripting vulnerabilities. Billy Hoffman, a security researcher with SPI Dynamics, demonstrated what the tool could do at the ShmooCon hacker convention March 24. Namely, Jikto, which is written in JavaScript, can surreptitiously latch onto a browser that has JavaScript enabled.

After silently inserting itself to run inside any browser—whether on a PC or a cell phone—Jikto can then search sites for cross-site scripting vulnerabilities and report its findings to a third party without the user of the infected browser being aware.

It can also replicate itself onto sites containing cross-site scripting vulnerabilities and then spread by latching onto visiting browsers, Hoffman told eWEEK in an interview.

This is something that JavaScript wasn’t supposed to be able to do, but unfortunately, Hoffman said, it can.

JavaScript was originally Netscape’s version of the ECMAScript standard, a scripting language based on the concept of prototype-based programming.

Now controlled by the Mozilla Foundation, JavaScript is best known for its client-side use in Web sites.


In that context, a major use of JavaScript is to write functions that are embedded in HTML pages and which interact with the DOM (Document Object Model) of the page to do things that HTML can’t do on its own: create pop-up windows, validate Web form input values or change images as a mouse cursor moves over them, for example.

Web application vulnerability scanners have been around some seven years. Most have been software installed on a PC.

Jikto, because it’s written in JavaScript, doesn’t need to be grounded on a client, Hoffman said.

“Your browser just visits a page. If it contains JavaScript, it can start scanning other sites for vulnerabilities,” he said.

The ShmooCon audience, which included members of Microsoft’s Internet Explorer team and representatives from Mozilla—the makers of the Firefox browser—was “kind of shocked” to learn what the evil one can do with JavaScript, Hoffman said.

That’s good, the security researcher said—“By getting them interested, we can use that to [heighten the awareness of the dangers of Web site vulnerabilities].”

As it is, over the past few years, security researchers have seen attackers doing much more with Web site vulnerabilities, particularly with cross-site scripting vulnerabilities, where attackers can inject JavaScript into a site, he said.

For example, instead of typing a message or a question on an online guestbook or forum, an attacker could insert JavaScript. The malicious HTML then downloads to a browser.
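The guestbook scenario above is the classic stored cross-site scripting case. The following is an added example, not code from the article or from Jikto: a minimal guestbook renderer in JavaScript showing the vulnerable pattern (raw user text concatenated into the page) beside the hardened one (every user-controlled field escaped for the HTML-body context it lands in). The entry names, messages and function names are all constructed for illustration.

```javascript
// Added example (not from the eWEEK article or from Jikto): a minimal
// guestbook renderer showing why unescaped user input becomes stored XSS,
// beside the escaped version a defender would ship.

// Map every HTML metacharacter to its entity so user text is rendered as
// text, never parsed as markup or script.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Vulnerable: the raw message is concatenated into the page, so any markup a
// visitor posted is parsed as HTML by every later visitor's browser.
function renderEntryUnsafe(entry) {
  return `<li><b>${entry.name}</b>: ${entry.message}</li>`;
}

// Hardened: the same layout, but both user-controlled fields are escaped for
// the HTML-body context they are inserted into.
function renderEntrySafe(entry) {
  return `<li><b>${escapeHtml(entry.name)}</b>: ${escapeHtml(entry.message)}</li>`;
}

// Render a whole guestbook with the chosen per-entry renderer.
function renderGuestbook(entries, renderEntry) {
  return `<ul>\n${entries.map(renderEntry).join('\n')}\n</ul>`;
}

// Constructed sample entries: one ordinary post and one carrying markup,
// standing in for the guestbook post the article describes.
const SAMPLE_ENTRIES = [
  { name: 'alice', message: 'Great site, thanks!' },
  { name: 'mallory', message: '<script>document.title = "injected"</script>' },
];

// Check for a review or test suite: does the rendered output still contain a
// live script element? The escaped rendering never should.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}
```

Run `renderGuestbook(SAMPLE_ENTRIES, renderEntryUnsafe)` and the second entry comes back as a real `<script>` element; with `renderEntrySafe` the same entry renders as visible text (`&lt;script&gt;...`). Output encoding must match the context (HTML body here; attribute, URL and JavaScript contexts each need their own encoder), and a Content-Security-Policy that disallows inline script is the usual second layer when a field is missed.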

Examples of recent JavaScript exploits have included the Windows Live Italy search engine getting hit by a link bomb earlier in March, with some 95 percent of search results on “hot” keywords leading to malware and exploit sites.


Lisa Vaas
