Jikto For Good or Jikto For Evil
Jeremiah sent me this link to Don Park’s blog, discussing a new tool released by SPI Dynamics called Jikto. Jikto is a play on the words JavaScript and Nikto (the web vulnerability scanning tool). It is essentially a mashup of a lot of other people’s tools that acts as a framework for exploiting anyone who visits any site that you have control over. Now the question isn’t so much can it be done, because we all know it can. The question Don poses is SHOULD it be done.
One very narrow line that we all must face is where the distinction between security research and building script kiddie tools comes into play. I think a lot of us have fallen victim to writing tools to make our own lives easier, while also making script kiddies’ lives easier. In this case Jikto doesn’t make a security researcher’s life easier, except perhaps to demonstrate how bad script kiddies can be if given that exact tool.
However, don’t be fooled by the quote in the article, “This is going to drastically change the scope of evil things you can do with JavaScript.” Although this is an interesting take, it does NOT change the scope of evil things that can be done with JavaScript. However, from my understanding of the tool it does nicely package up a lot of known vulnerabilities. So which is it? A tool for good or a tool for evil?



March 21st, 2007 at 11:33 am
Jikto… to be dead honest with you, I have a private project called this way. Shame…
March 21st, 2007 at 11:36 am
However, think about Metasploit. For sure people can use it for bad stuff but it does help the good guys too.
March 21st, 2007 at 1:55 pm
Option C) Tool for Marketing.
I like SPI. I use their products and I know some of their engineers personally and professionally. That said they are a company and their job is to make money and sell products. Jikto does just that. I am not saying it’s wrong just that it is.
March 21st, 2007 at 2:29 pm
Samy had some good marketing when he released the worm… that seems like a slippery slope. I’m not saying it is evil, I’m merely echoing Don’s question.
March 21st, 2007 at 3:52 pm
While it could help the ‘good’ somewhat, I’d much rather have the good guys/companies understand the issues themselves rather than using a tool that will almost undoubtedly help script kiddies and the bad guys more than it helps the good guys.
March 21st, 2007 at 4:24 pm
I read the article on security wire daily about how the tool can be used to create/control a botnet forcing a download of malicious code. The part I don’t understand is how is a forced download even possible in a web environment?? Correct me if I’m wrong but don’t most (all) browsers prevent this type of security risk?
March 21st, 2007 at 5:01 pm
I think it was probably taking into account known vulnerabilities. And while yes, browsers have taken care of this, older browsers have not and there are still tons of them out there.
March 21st, 2007 at 5:38 pm
Just like any tool it can be used for either or. There really is no correct answer to this. I have written a few tools myself that have made my daily life as an app penetration tester easier. I’ve then released the tools to the public for consumption (and hopefully, but not usually, expansion). Does that make the tool bad? Nope. Does that make me bad for releasing it? Gosh I hope not!
March 22nd, 2007 at 1:01 am
Well, I believe in no need to reinvent the wheel. It makes things messy. New browsers, new shots. No need to track things at back. Well, maybe it’s good if designed for individual testing, but overall it seems messy to me.
March 22nd, 2007 at 1:16 pm
Any indication if it supports anti-DNS pinning proxying, especially socket-based with flash? I’m writing a tool for demonstrations, but have no interest in releasing it to script kiddies.
March 22nd, 2007 at 2:30 pm
I haven’t heard many specifics, no, but I’d love to see the tool you’ve got in mind.
March 22nd, 2007 at 2:46 pm
I hope to have the HTTP proxy part done within a week. The Flash/SOCKS proxy will take another week or so.
March 22nd, 2007 at 3:22 pm
Ah, here’s more info on Jeremiah’s site: http://jeremiahgrossman.blogspot.com/2007/03/jikto-crossing-line.html
Apparently he’s not going to release it after all. False alarm.
March 22nd, 2007 at 3:28 pm
As I wrote before in Jeremiah’s comments - Jikto doesn’t sound very magic. All components to create such a tool already exist - to create something like Jikto you just had to put them together.
March 22nd, 2007 at 3:29 pm
SPI has posted
http://portal.spidynamics.com/blogs/spilabs/archive/2007/03/22/Speaking-at-Shmoo.aspx
March 23rd, 2007 at 1:57 am
Whitehat or Blackhat? Yin or Yang?
I have no clue if this tool will actually do a lot of damage to the community and people complaining about their sites being attacked. For once in my life, I wouldn’t want to see this tool being released. Too much damage, especially if it gets into the hands of script kiddies.
March 24th, 2007 at 11:28 am
Why all the noise? Let Billy get on with his work…
March 28th, 2007 at 12:01 pm
Can a computer be hardened against these known vulnerabilities that Jikto exploits, or is this a situation where a flaw in JavaScript must be re-designed out of it as a language?
March 28th, 2007 at 12:42 pm
hrdnit - a computer could easily be hardened, but it would be nearly unusable in the way most people think of web browsers working. Try logging into Google without JavaScript for instance. Websites that force users to have JavaScript installed are going to make hardening a risky proposition from a consumer adoption perspective.
April 2nd, 2007 at 8:58 pm
If it is a JavaScript tool there must exist a JavaScript means to deactivate it. I would really like to get the code.