Hackers broaden reach of cross-site scripting attacks

An explosion of AJAX-based applications has increased the damage that cross-site scripting (XSS) attacks can inflict on machines. A new tool uses XSS flaws to create a botnet.

A US-based security expert is to release details of a tool that can use cross-site scripting (XSS) flaws and JavaScript to create a distributed botnet without any kind of user interaction at all.

XSS attacks have been around for years, and have been a favorite technique of script kiddies and others looking to deface Web sites or steal a few cookies in their spare time. But security researchers until now have not paid much attention to such attacks because it was thought that they offered little opportunity to inflict real damage on target machines.

One researcher, however, has proven that XSS flaws can be used for all kinds of interesting attacks after all. Billy Hoffman, lead research and development engineer at Atlanta-based SPI Dynamics, has developed a tool called Jikto that can use XSS flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington.

Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC, tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.


Jikto's master controller has the ability to keep track of which infected machines are online and active at any given time, enabling an attacker to wait until a PC is idle before sending instructions to a bot. This could help the attacker avoid alerting the user of the infected machine to Jikto's presence. All of this is done in pure JavaScript and, Hoffman said, helped along by the huge explosion in the number of AJAX-based applications on the Web in the last year or so. AJAX gives users—and attackers—direct access to the APIs in a Web application, which can be quite useful if you're trying to send malicious commands to back-end applications.

"AJAX increases the speed of this ten-fold. No Web application vulnerability is minor. Now it's getting serious," Hoffman said. "All of these Web 2.0 applications are so heavy on JavaScript. I can sit there and tell your browser to do all kinds of nasty things. If I find cross-site scripting on your site, I win. And the scary thing is, I don't know how to solve this because malicious JavaScript looks just like normal JavaScript."

JavaScript, by its nature, also has the ability to execute on its own and modify itself on the fly, making many traditional methods of detecting malicious code useless in trying to defend against Jikto and other such threats.

"It's almost impossible for anti-virus vendors to create a signature for JavaScript because they can't look at it and see if it's good or bad," Hoffman said. "Signature-based defenses are useless."

Hoffman, a fixture in the security community for years, has been researching JavaScript and AJAX security for some time. He gave a presentation on the topic at this year's RSA Conference and his Shmoocon talk will expand upon that.

"There are two parts to me on this: one that likes to push the art and see where it takes me, and the other that uses online banking and likes to buy things on the Web but knows what's possible with these attacks," he said. "I guarantee there are five other guys who have found this [problem with AJAX and JavaScript] and haven't told anyone."
