Brace for impact!

Posted on Fri Mar 23 15:02:00 UTC 2007

Tomorrow might prove to be interesting! So fasten your seatbelts…

Paul Hirsch, a moderator on WebHostingTalk.com, got wind that hacker Billy Hoffman of SPI Dynamics is going to give a talk tomorrow at Schmoo titled “Javascript Malware for a Gray Goo Tomorrow”.

He created Jikto, a web scanner written in JavaScript:

This homogeneous platform, coupled with JavaScript’s new features, has enabled attackers to perform advanced attacks using XSS that were thought to be impossible even 2 years ago. Self-propagating XSS+Ajax worms, advanced keystroke and mouse loggers, port scanning, fingerprinting, and assaulting intranet applications, as well as stealing search engine queries or browser histories, are now all components in an attacker’s toolbox.

If this does not concern you just a bit, I’m not sure what could…

The good news? Well, he’s not going to release Jikto, at least not yet…

But this will definitely bring XSS to the forefront.

Posted in News  |  4 comments

Comments

  1. LogicX said // Mar 24, 2007 at 07:05 AM

    Jikto source code: http://fpux.com/jikto

  2. Pascal said // Mar 24, 2007 at 10:04 AM

    Nice catch :D It looks like the original version was taken down. Lots to study now.

  3. NoScript said // Mar 24, 2007 at 11:45 PM

    Even if the real fix for XSS is up to the wisdom, skill and training of each web developer (scary!), the [NoScript Firefox extension](http://noscript.net) provides effective user-side protection against JavaScript-based and XSS attacks.

  4. Pascal said // Mar 25, 2007 at 06:56 AM

    Sounds like a good alternative to each and every developer having to be extra careful and know about these arcane details. This sort of protection should become part of the browser, like popup blockers.
