Hackers broaden reach of cross-site scripting attacks
An explosion of AJAX-based applications has increased the damage that cross-site scripting (XSS) attacks can inflict on machines. A new tool uses XSS flaws to create a botnet.
A US-based security expert is to release details of a tool that can use cross-site scripting (XSS) flaws and JavaScript to create a distributed botnet without any kind of user interaction at all.
XSS attacks have been around for years, and have been a favorite technique of script kiddies and others looking to deface Web sites or steal a few cookies in their spare time. But security researchers until now have not paid much attention to such attacks because it was thought that they offered little opportunity to inflict real damage on target machines.
One researcher, however, has proven that XSS flaws can be used for all kinds of interesting attacks after all. Billy Hoffman, lead research and development engineer at Atlanta-based SPI Dynamics, has developed a tool called Jikto that can use XSS flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington.
Jikto's master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto's presence. All of this is done in pure JavaScript and, Hoffman said, helped along by the huge explosion in the number of AJAX-based applications on the Web in the last year or so. AJAX gives users—and attackers—direct access to the APIs in a Web application, which can be quite useful if you're trying to send malicious commands to back-end applications.
"AJAX increases the speed of this ten-fold. No Web application vulnerability is minor. Now it's getting serious," Hoffman said. "All of these Web 2.0 applications are so heavy on JavaScript. I can sit there and tell your browser to do all kinds of nasty things. If I find cross-site scripting on your site, I win. And the scary thing is, I don't know how to solve this because malicious JavaScript looks just like normal JavaScript."
JavaScript, by its nature, also has the ability to execute on its own and modify itself on the fly, making many traditional methods of detecting malicious code useless in trying to defend against Jikto and other such threats.
"It's almost impossible for anti-virus vendors to create a signature for JavaScript because they can't look at it and see if it's good or bad," Hoffman said. "Signature-based defenses are useless."
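Hoffman's point is that once attacker-controlled JavaScript is running inside a site, nothing about the script itself distinguishes it from the site's own code, so the practical defence is at the injection point: the XSS flaw that lets untrusted text become markup in the first place. The following is an added example, not code from the article or from SPI Dynamics, showing a hypothetical search-results page rendered two ways: concatenating a query parameter straight into HTML (the flaw) and HTML-escaping it first (the fix). The function names and the sample inputs are constructed for the illustration.

```javascript
// Added example (not from the article or SPI Dynamics): a reflected XSS
// flaw and its output-encoding fix, on a hypothetical search-results page.

// Escape the characters that can break out of HTML text or attribute
// context; this is the control that keeps untrusted text from becoming markup.
function escapeHtml(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable rendering: the untrusted query parameter is inserted verbatim,
// so a query containing tags is handed to the browser as real markup.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering: same page, but every untrusted value is escaped first.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Coarse check used only to make the difference visible: does the rendered
// markup contain a script element that the page itself never emitted?
function containsScriptTag(html) {
  return /<script\b/i.test(html);
}

// Constructed sample inputs: a benign search string and the classic
// harmless XSS test string used when auditing a page for this flaw.
const SAMPLE_INPUTS = [
  'ajax security',
  '<script>alert(1)</script>',
];

// Render each input both ways and report whether script markup survived.
function demo() {
  return SAMPLE_INPUTS.map((q) => ({
    input: q,
    vulnerableHasScript: containsScriptTag(renderSearchVulnerable(q)),
    safeHasScript: containsScriptTag(renderSearchSafe(q)),
  }));
}

console.log(JSON.stringify(demo(), null, 2));
```

The escaped output still displays the attacker's text to the user, but as inert characters rather than as an element the browser executes; this is why output encoding at every point where untrusted data meets HTML is the baseline control for the class of flaw Jikto depends on, regardless of how the injected JavaScript later behaves.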
Hoffman, a fixture in the security community for years, has been researching JavaScript and AJAX security for some time. He gave a presentation on the topic at this year's RSA Conference and his Shmoocon talk will expand upon that.
"There are two parts to me on this: one that likes to push the art and see where it takes me, and the other that uses online banking and likes to buy things on the Web but knows what's possible with these attacks," he said. "I guarantee there are five other guys who have found this [problem with AJAX and JavaScript] and haven't told anyone."