web application security lab

Jikto For Good or Jikto For Evil

Jeremiah sent me this link to Don Park’s blog, discussing a new tool released by SPI Dynamics called Jikto. Jikto is a play on the words JavaScript and Nikto (the web vulnerability scanning tool). It is essentially a mashup of a lot of other people’s tools that acts as a framework for exploiting anyone who visits any site that you have control over. Now the question isn’t so much can it be done, because we all know it can. The question Don poses is SHOULD it be done.

One very narrow line that we all must face is where the distinction between security research and building script kiddie tools comes into play. I think a lot of us have fallen victim to writing tools to make our own lives easier, while also making script kiddies’ lives easier. In this case Jikto doesn’t make a security researcher’s life easier, except perhaps to demonstrate how bad script kiddies can be if given that exact tool.

However, don’t be fooled by the quote in the article, “This is going to drastically change the scope of evil things you can do with JavaScript.” Although this is an interesting take, it does NOT change the scope of evil things that can be done with JavaScript. However, from my understanding of the tool it does nicely package up a lot of known vulnerabilities. So which is it? A tool for good or a tool for evil?

20 Responses to “Jikto For Good or Jikto For Evil”

  1. pdp Says:

    Jikto…, to be dead honest with you I have a private project called this way. shame….

  2. pdp Says:

    however, think about Metasploit. For sure people can use it for bad stuff but it does help the good guys too.

  3. dw1de Says:

    Option C) Tool for Marketing.

    I like SPI. I use their products and I know some of their engineers personally and professionally. That said they are a company and their job is to make money and sell products. Jikto does just that. I am not saying it’s wrong just that it is.

  4. RSnake Says:

    Samy had some good marketing when he released the worm… that seems like a slippery slope. I’m not saying it is evil, I’m merely echoing Don’s question.

  5. Kyran Says:

    While it could help the ‘good’ somewhat, I’d much rather have the good guys/companies understand the issues themselves rather than using a tool that will almost undoubtedly help script kiddies and the bad guys more than it helps the good guys.

  6. Mephisto Says:

    I read the article on security wire daily about how the tool can be used to create/control a botnet forcing a download of malicious code. The part I don’t understand is how is a forced download even possible in a web environment?? Correct me if I’m wrong but don’t most (all) browsers prevent this type of security risk?

  7. RSnake Says:

    I think it was probably taking into account known vulnerabilities. And while yes, browsers have taken care of this, older browsers have not and there are still tons of them out there.

  8. txs Says:

    Just like any tool it can be used for either or. There really is no correct answer to this. I have written a few tools myself that have made my daily life as an app penetration tester easier. I’ve then released the tools to the public for consumption (and hopefully, but not usually, expansion). Does that make the tool bad? Nope. Does that make me bad for releasing it? Gosh I hope not!

  9. Zeroknock Says:

    Well, I believe in no need to reinvent the wheel. It makes things messy. New browsers, new shots. No need to track things at back. Well, maybe it’s good if designed for individual testing, but overall it seems messy to me.

  10. David Says:

    Any indication if it supports anti-DNS pinning proxying, especially socket-based with flash? I’m writing a tool for demonstrations, but have no interest in releasing it to script kiddies.

  11. RSnake Says:

    I haven’t heard many specifics, no, but I’d love to see the tool you’ve got in mind.

  12. David Says:

    I hope to have the HTTP proxy part done within a week. The Flash/SOCKS proxy will take another week or so.

  13. RSnake Says:

    Ah, here’s more info on Jeremiah’s site: http://jeremiahgrossman.blogspot.com/2007/03/jikto-crossing-line.html

    Apparently he’s not going to release it after all. False alarm.

  14. .mario Says:

    As I wrote before in Jeremiah’s comments - Jikto doesn’t sound very magic. All components to create such a tool already exist - to create something like Jikto you just had to put them together.

  15. zeno Says:

    SPI has posted

    http://portal.spidynamics.com/blogs/spilabs/archive/2007/03/22/Speaking-at-Shmoo.aspx

  16. hackathology Says:

    Whitehat or Blackhat? Yin or Yang?

    I have no clue if this tool will actually do a lot of damage to the community and people complaining about their sites being attacked. For once in my life, I wouldn’t want to see this tool being released. Too much damage, especially if it gets into the hands of script kiddies.

  17. gd Says:

    Why all the noise? Let Billy get on with his work …

  18. hrdnit Says:

    Can a computer be hardened against these known vulnerabilities that Jikto exploits, or is this a situation where a flaw in JavaScript must be re-designed out of it as a language?

  19. RSnake Says:

    hrdnit - a computer could easily be hardened, but it would be nearly unusable in the way most people think of web browsers working. Try logging into Google without JavaScript for instance. Websites that force users to have JavaScript installed are going to make hardening a risky proposition from a consumer adoption perspective.

  20. subhuman Says:

    If it is a JavaScript tool there must exist a JavaScript means to deactivate it. I would really like to get the code.