Ok, so I’m being a little overly dramatic, but there appears to be a very real threat to AJAX, one of the staples of Web 2.0, that could make the technology too risky for browsers to continue to support.
Noted hacker Billy Hoffman has written an application that uses your browser’s JavaScript engine to scan other sites on the Web for vulnerabilities and execute scripts at will. Notice I said “uses,” not “exploits.” Why? Because Billy’s script doesn’t take advantage of any security holes. It simply uses AJAX technology as it was built, and therefore as it was meant to be used.
The application, named Jikto, is not subject to anti-virus detection (because it’s not an exploit). It runs silently in the background of a Web site on which it is loaded, and it closes quickly and quietly when the Web site on which it is housed is closed. During the time it is open, Jikto can be used to “hijack your HTTP sessions… and detect every website you have visited… and port scan and fingerprint your internal network… and reconfigure your routers… and brute force usernames and passwords… and capture all the words you search Google for. And I almost forgot, they can self propagate too.” (from the ShmooCon speaker biography of Billy Hoffman)
Jikto is scheduled for public release in two days. Billy will be demoing and releasing Jikto at ShmooCon 2007 at 1 p.m. this Saturday. Some people might be upset or worried by this release, but believe me, it is much better that he is releasing it publicly than distributing it to a controlled cracker network. At least the industry has a fighting chance to figure out a way to suppress AJAX vulnerabilities without having to give up the technology.
Imagine the cosmic retooling that would have to take place on sites across the world if browser manufacturers announced simultaneously they would be releasing new versions that did not support AJAX!











