Now, amid reports that Jikto's code has been leaked onto the Internet, Fortify Software has released a new report describing a major flaw in Web 2.0 and AJAX software.
Brian Chess, Fortify's co-founder and chief scientist, said that with recent surveys indicating that almost 75% of enterprises plan to increase their investment in Web 2.0 technologies, it is clear that the information security community must address the issue now.
"Unlike vulnerabilities that are tied to a specific application or operating system, there is no single vendor to which this issue can be reported and resolved," Chess said in a statement. "In fact, many rich Web applications don't use any framework at all. As a result, we need to educate software developers about the risk that Web 2.0 brings."
Though Web 2.0 functionality is already incorporated into social networking sites like MySpace, the corporate world has a growing appetite for frameworks that facilitate quick access to information, improve application performance and encourage collaboration, Chess said. According to a March 2007 McKinsey survey, he noted, the industries most likely to adopt Web 2.0 technologies are retail, high tech, telecommunications, finance and pharmaceuticals.
Fortify's research was released amid reports that Hoffman's Jikto tool had been snatched up by other researchers and leaked onto the Internet.
Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC, tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.
According to published reports, a Shmoocon attendee downloaded a copy of the code during Hoffman's presentation and posted it on his Web site. The attendee removed it at Hoffman's request, but not before others made their own copies. The code is now available on the Internet, leaving some security experts worried that the bad guys could start making use of it.
SearchSecurity.com Executive Editor Dennis Fisher contributed to this report.