
Hackers broaden reach of cross-site scripting attacks

Dennis Fisher, Executive Editor

Cross-site scripting (XSS) attacks have been around for years, and have been a favorite technique of script kiddies and others looking to deface Web sites or steal a few cookies in their spare time. But security researchers until now have not paid much attention to such attacks because it was thought that they offered little opportunity to inflict real damage on target machines.

One researcher, however, has proven that XSS flaws can be used for all kinds of interesting attacks after all. Billy Hoffman, lead research and development engineer at Atlanta-based SPI Dynamics Inc., has developed a tool called Jikto that can use XSS flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington.

Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC, tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.

Jikto's master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto's presence. All of this is done in pure JavaScript and, Hoffman said, helped along by the huge explosion in the number of AJAX-based applications on the Web in the last year or so. AJAX gives users—and attackers—direct access to the APIs in a Web application, which can be quite useful if you're trying to send malicious commands to back-end applications.
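Everything described above starts from a site that echoes untrusted input into its pages without encoding it. The following is an added example, not code from the article, from SPI Dynamics or from Jikto: a hypothetical page renderer in its vulnerable form beside the hardened form, using contextual HTML encoding and a URL-scheme allow-list. The sample input is constructed, and the code runs under Node.js without a browser DOM.

```javascript
// Added example (not from the article or SPI Dynamics). The renderers below
// are hypothetical and exist only to show the defence: encode untrusted
// input for the HTML context it lands in, and allow-list URL schemes.

// Constructed sample input: a query-string value that a user (or attacker)
// controls and that the page reflects back into its markup.
const SAMPLE_NAME = '<script src="http://attacker.invalid/j.js"></script>';

// Vulnerable: untrusted input concatenated straight into markup, so a value
// containing tag characters becomes part of the page's executable content.
function renderGreetingVulnerable(name) {
  return '<p>Hello, ' + name + '!</p>';
}

// Encode the five characters that change meaning in HTML text and quoted
// attribute contexts.
function escapeHtml(s) {
  const map = {
    '&': '&amp;',
    '<': '&lt;',
    '>': '&gt;',
    '"': '&quot;',
    "'": '&#39;',
  };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Hardened: same output shape, but the input is rendered as literal text
// and cannot introduce a tag boundary.
function renderGreetingSafe(name) {
  return '<p>Hello, ' + escapeHtml(name) + '!</p>';
}

// Encoding alone does not make a URL safe: an href of "javascript:..."
// contains no HTML metacharacters yet still executes script. Allow only
// the schemes the page actually needs and fall back to an inert value.
function safeHref(href) {
  return /^https?:\/\//i.test(String(href)) ? String(href) : '#';
}

// Attribute context: quote the attribute AND encode the value; an unquoted
// attribute can be broken out of with a space even when '<' is encoded.
function renderLinkSafe(href, label) {
  return '<a href="' + escapeHtml(safeHref(href)) + '">' + escapeHtml(label) + '</a>';
}

// Crude check used for demonstration: does the rendered markup contain a
// script tag that the untrusted value introduced? A real review would use
// an HTML parser rather than a regular expression.
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Demonstration run: the same input, rendered both ways.
console.log('vulnerable:', renderGreetingVulnerable(SAMPLE_NAME));
console.log('hardened:  ', renderGreetingSafe(SAMPLE_NAME));
console.log('link:      ', renderLinkSafe('javascript:alert(1)', 'profile'));
```

The hardened renderer is what "fixing the XSS" means in practice: the page no longer hands the attacker a way to run script in other users' browsers, so there is nothing for a Jikto-style payload to ride on, regardless of whether any signature recognises the payload itself.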

"AJAX increases the speed of this ten-fold. No Web application vulnerability is minor. Now it's getting serious," Hoffman said. "All of these Web 2.0 applications are so heavy on JavaScript. I can sit there and tell your browser to do all kinds of nasty things. If I find cross-site scripting on your site, I win. And the scary thing is, I don't know how to solve this because malicious JavaScript looks just like normal JavaScript."

JavaScript, by its nature, also has the ability to execute on its own and modify itself on the fly, making many traditional methods of detecting malicious code useless in trying to defend against Jikto and other such threats.

"It's almost impossible for anti-virus vendors to create a signature for JavaScript because they can't look at it and see if it's good or bad," Hoffman said. "Signature-based defenses are useless."

Hoffman, a fixture in the security community for years, has been researching JavaScript and AJAX security for some time. He gave a presentation on the topic at this year's RSA Conference and his Shmoocon talk will expand upon that.

"There are two parts to me on this: one that likes to push the art and see where it takes me, and the other that uses online banking and likes to buy things on the Web but knows what's possible with these attacks," he said. "I guarantee there are five other guys who have found this [problem with AJAX and JavaScript] and haven't told anyone."