A US-based security expert is to release details of a tool that
can use cross-site scripting (XSS) flaws and JavaScript to create a
distributed botnet without any kind of user interaction at all.
XSS attacks have been around for years, and have been a favorite
technique of script kiddies and others looking to deface Web sites
or steal a few cookies in their spare time. But security
researchers until now have not paid much attention to such attacks
because it was thought that they offered little opportunity to
inflict real damage on target machines.
One researcher, however, has proven that XSS flaws can be used
for all kinds of interesting attacks after all. Billy Hoffman, lead
research and development engineer at Atlanta-based SPI Dynamics,
has developed a tool called Jikto that can use XSS flaws and
JavaScript to create a distributed botnet without any kind of user
interaction at all. Hoffman plans to discuss the tool and publish
the source code for it at the upcoming Shmoocon conference in
Washington.
Jikto works by exploiting an XSS flaw on a given Web site and
then silently installing itself on a user's PC. It can then operate
in one of two modes. In one mode, Jikto crawls a specific Web site
in much the same way that a Web application scanner would, looking
for common vulnerabilities, such as XSS or SQL injection. It then
reports the results to whatever machine is controlling it. In the
other mode Jikto calls home to the controlling PC and tells it that
it has installed itself on a new machine, and then awaits further
instructions from the controller.
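Jikto's foothold is a reflected XSS flaw: a page that copies untrusted input into its HTML unchanged. The following added example (not code from the article, from Hoffman or from SPI Dynamics) shows such a page beside a hardened version that encodes output for its HTML context, so an injected tag is rendered as text instead of executing; the page, function and probe string are hypothetical and constructed here.

```javascript
// Vulnerable: the query parameter is concatenated straight into the markup,
// in both a text context and a double-quoted attribute context.
function renderSearchPageVulnerable(query) {
  return `<h1>Results for ${query}</h1>` +
         `<input name="q" value="${query}">`;
}

// Encode untrusted data for HTML text and double-quoted attribute contexts.
// Replacing & < > " ' and / means the input can neither close the attribute
// quote nor open a new element, which is what an XSS payload needs to do.
function encodeHtml(s) {
  return String(s).replace(/[&<>"'\/]/g, ch => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;',
    '"': '&quot;', "'": '&#x27;', '/': '&#x2F;',
  })[ch]);
}

// Hardened: every insertion of untrusted data passes through the encoder.
function renderSearchPageHardened(query) {
  const safe = encodeHtml(query);
  return `<h1>Results for ${safe}</h1>` +
         `<input name="q" value="${safe}">`;
}

// Check used by the self-test below: did a script element survive into the
// rendered markup? This only looks for the constructed probe's tag, it is
// not a general XSS scanner.
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed sample input shaped like an XSS probe: it breaks out of the
// attribute quote, closes the input tag and opens an (empty) script element.
const CONSTRUCTED_PROBE = '"><script></script>';

// Demonstrate the difference: the vulnerable page emits a live script
// element, the hardened page emits only escaped text.
function demo() {
  return {
    vulnerable: containsScriptElement(renderSearchPageVulnerable(CONSTRUCTED_PROBE)),
    hardened: containsScriptElement(renderSearchPageHardened(CONSTRUCTED_PROBE)),
  };
}
```

Encoding must match the output context; data placed inside a script block, a URL or a CSS value needs a different encoder than the HTML one shown here.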
Jikto's master controller has the ability to keep track of which
infected machines are online and active at any given time, enabling
an attacker to wait until a PC is idle before sending instructions
to a bot. This could help the attacker avoid alerting the user of
the infected machine to Jikto's presence. All of this is done in
pure JavaScript and, Hoffman said, helped along by the huge
explosion in the number of AJAX-based applications on the Web in
the last year or so. AJAX gives users—and attackers—direct access
to the APIs in a Web application, which can be quite useful if
you're trying to send malicious commands to back-end
applications.
"AJAX increases the speed of this ten-fold. No Web application
vulnerability is minor. Now it's getting serious," Hoffman said.
"All of these Web 2.0 applications are so heavy on JavaScript. I
can sit there and tell your browser to do all kinds of nasty
things. If I find cross-site scripting on your site, I win. And the
scary thing is, I don't know how to solve this because malicious
JavaScript looks just like normal JavaScript."
JavaScript, by its nature, also has the ability to execute on
its own and modify itself on the fly, making many traditional
methods of detecting malicious code useless in trying to defend
against Jikto and other such threats.
"It's almost impossible for anti-virus vendors to create a
signature for JavaScript because they can't look at it and see if
it's good or bad," Hoffman said. "Signature-based defenses are
useless."
Hoffman, a fixture in the security community for years, has been
researching JavaScript and AJAX security for some time. He gave a
presentation on the topic at this year's RSA Conference and his
Shmoocon talk will expand upon that.
"There are two parts to me on this: one that likes to push the
art and see where it takes me, and the other that uses online
banking and likes to buy things on the Web but knows what's
possible with these attacks," he said. "I guarantee there are five
other guys who have found this [problem with AJAX and JavaScript]
and haven't told anyone."