WHIR Blogs

Web 2.0 is Dead!

OK, so I'm being a little overly dramatic, but there appears to be a very real threat to one of the staples of Web 2.0, AJAX, one that could make the technology too risky for browsers to continue supporting.

Noted hacker Billy Hoffman has written an application that uses your browser's JavaScript engine to scan other sites on the Web for vulnerabilities and execute scripts at will. Notice I said "uses," not "exploits." Why? Because Billy's script doesn't take advantage of any security holes in the browser. It simply uses AJAX (JavaScript issuing HTTP requests and reading the responses) as it was built, and therefore as it was meant to be used. The one boundary a browser does draw here is the same-origin policy, which stops a page's script from reading responses from other sites, so what such a scanner can reach depends on how it deals with that boundary.

The application, named Jikto, gives anti-virus software nothing to flag, because there is no exploit in it to recognize. It runs silently in the background of whatever Web page loads it, and it stops as soon as that page is closed. While it is running, Jikto can be used to "hijack your HTTP sessions... and detect every website you have visited... and port scan and fingerprint your internal network... and reconfigure your routers... and brute force usernames and passwords... and capture all the words you search Google for. And I almost forgot, they can self propagate too." (from the ShmooCon speaker biography of Billy Hoffman)
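The scanning loop the post describes, as an added example that is not Jikto's code nor anything from the post (Jikto's source was not public when this was written, and as Billy Hoffman's update in the comments notes, Jikto is solely a scanner). The probe catalogue, the example.test and other.test hostnames, the fake site and its routes are all constructed for the illustration; the transport is injected so the same logic can be driven by a real XMLHttpRequest in a browser or by the fake site here. It also shows the check a practitioner would want: the browser's same-origin policy refuses cross-origin reads, so those targets simply fall out of the scan.

```javascript
// Added illustration, not Jikto's code: the skeleton of a web-vulnerability
// scanner written in plain JavaScript, the kind of thing the post describes.
// Nothing here is an exploit of the browser; it only sends HTTP requests and
// reads the responses, which is exactly what XMLHttpRequest was built to do.
// The transport is injected so the same scanning logic runs against a real
// site from a browser page or against the constructed fake site below.
// Caveat: in a browser, the same-origin policy refuses to let a page's script
// read responses from other origins, so what a scanner like this can actually
// reach depends on that boundary; the fake transport models it as a thrown error.

const XSS_MARKER = 'jk<"\'>jk'; // a string no sane page echoes back unencoded

// Append a query parameter to a URL that may or may not already have a query.
function withParam(url, name, value) {
  return url + (url.includes('?') ? '&' : '?') + name + '=' + encodeURIComponent(value);
}

// Hypothetical probe catalogue: each probe mutates the target URL and checks the
// response body for a tell-tale pattern.
const PROBES = [
  {
    name: 'reflected-xss',
    build: (url) => withParam(url, 'q', XSS_MARKER),
    check: (body) => body.includes(XSS_MARKER),        // marker came back unencoded
  },
  {
    name: 'path-traversal',
    build: (url) => withParam(url, 'file', '../../../../etc/passwd'),
    check: (body) => /^root:[^:]*:0:0:/m.test(body),    // looks like /etc/passwd
  },
  {
    name: 'directory-listing',
    build: (url) => url.replace(/\/[^/]*$/, '/'),        // strip the last path segment
    check: (body) => /<title>Index of /i.test(body),     // Apache-style autoindex page
  },
];

// Run every probe against every URL. `transport(url)` returns the response body
// or throws if the request could not be made or read.
function scan(urls, transport, probes = PROBES) {
  const findings = [];
  for (const url of urls) {
    for (const probe of probes) {
      const probeUrl = probe.build(url);
      let body;
      try {
        body = transport(probeUrl);
      } catch (e) {
        continue; // blocked by the browser, unreachable, or a network error: no finding
      }
      if (probe.check(body)) findings.push({ url, probe: probe.name, probeUrl });
    }
  }
  return findings;
}

// Browser transport (not run here): a synchronous XMLHttpRequest keeps scan()
// simple; a production scanner would use asynchronous requests instead.
function xhrTransport(url) {
  const xhr = new XMLHttpRequest();
  xhr.open('GET', url, false);
  xhr.send(null);
  if (xhr.status === 0) throw new Error('blocked or failed: ' + url);
  return xhr.responseText;
}

// Constructed fake site standing in for the network so the demo runs offline.
const escapeHtml = (s) => s.replace(/[&<>"']/g,
  (c) => ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));

function fakeTransport(url) {
  const u = new URL(url);
  const q = u.searchParams;
  if (u.hostname !== 'example.test') throw new Error('cross-origin read refused'); // same-origin policy
  switch (u.pathname) {
    case '/search':   // vulnerable: echoes the parameter raw
      return '<h1>Results for ' + (q.get('q') || '') + '</h1>';
    case '/safe':     // hardened: HTML-encodes before echoing
      return '<h1>Results for ' + escapeHtml(q.get('q') || '') + '</h1>';
    case '/download': // vulnerable: no path normalisation
      return (q.get('file') || '').includes('..')
        ? 'root:x:0:0:root:/root:/bin/sh\nbin:x:1:1:bin:/bin:/sbin/nologin\n'
        : 'binary file contents';
    case '/files/':   // autoindex left on
      return '<html><head><title>Index of /files/</title></head></html>';
    default:
      return '<html><body>nothing here</body></html>';
  }
}

const DEMO_URLS = [
  'http://example.test/search',
  'http://example.test/safe',
  'http://example.test/download',
  'http://example.test/files/report.pdf',
  'http://other.test/search',            // cross-origin: refused, so never scanned
];

console.log(scan(DEMO_URLS, fakeTransport));
```

Against the fake site the scan reports three findings (the raw echo on /search, the traversal on /download, and the listing at /files/) and nothing for /safe or the cross-origin host. Dropping this into a page and calling scan(urls, xhrTransport) is the browser-side shape of the idea; the thing to notice is that every probe is an ordinary GET, which is why neither anti-virus nor the browser has anything to object to.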

Jikto is scheduled for public release in two days. Billy will be demoing and releasing Jikto at ShmooCon 2007, at 1 p.m. this Saturday. Some people might be upset or worried by this release, but believe me, it is much better that he is releasing it publicly than distributing it to a controlled cracker network. At least the industry has a fighting chance to figure out a way to suppress AJAX vulnerabilities without having to give up the technology.

Imagine the cosmic retooling that would have to take place on sites across the world if browser manufacturers announced simultaneously they would be releasing new versions that did not support AJAX!

###

==========[ MORE ABOUT PAUL ]==========

PaulHirsch.com . International Web Developers Network . Web Hosting Talk . Equentity Host

Comments
FUD - fear, uncertainty and doubt. Security issues of JavaScript are well known and can be addressed by developers.

http://en.wikipedia.org/wiki/Cross-site_request_fo...
# Posted By Robert Mischke | 3/22/07 8:56 AM
Perhaps, and maybe I'm a victim of FUD here as well. I'm not sure we're going to know until Jikto source is released and studied (I went searching for it yesterday, but I couldn't find it yet - Billy is keeping a tight lid on it until Saturday, methinks). At the moment, we're just imagining the possibilities.

I still remember a couple years ago when PHP injection caused a number of sites to rework their email handlers to prevent spammers from exploiting them. That was a relatively easy fix, but it sure caused a lot of activity, and I would expect there are still plenty of exploitable sites out there.

There might be a similar response necessary here, but I don't think the fixes will be easy. Imagine router manufacturers having to contact every home unit owner to have them download software (or firmware) updates or risk being compromised, for example.

Some sort of beast is going to be unleashed this weekend - I feel pretty safe with that statement. I'm crying "wolf" now in anticipation. Hopefully instead of a wolf the beast will only turn out to be a pesky squirrel.
# Posted By Paul Hirsch | 3/22/07 9:08 AM
Will a nice small widget be associated with Jikto? Or any special plugin for Wordpress/Drupal etc.?
# Posted By Jan Horna | 3/22/07 2:17 PM
"Some people might be upset or worried by this release, but believe me, it is much better that he is releasing it publicly than distributing it to a controlled cracker network. "

This doesn't mean that the crackers will not be using it. In fact, they will do much more damage until some solution arises. As far as I think, there must be some control over such software.
Whereas this kind of software can be used for security purposes as well.

"Imagine the cosmic retooling that would have to take place on sites across the world if browser manufacturers announced simultaneously they would be releasing new versions that did not support AJAX!"

FINE! If this takes place soon. But what about the existing versions?
# Posted By Wazz | 3/23/07 1:09 AM
> Will a nice small widget be associated with Jikto? Or any special plugin for Wordpress/Drupal etc.?

What type of widget? I would imagine a black-hatter or two might release such things. I don't know of any plans for them. Remember, Jikto source still isn't available.

> This doesn't mean that the cracker will not be using it, Infact, they will make much more damage till some solution arises.

No question. At least the Web world will know what's hitting it. It's much easier to fight the enemy you know than the one you don't know. But yeah, there are negative implications either way.

> FINE !, if this takes place soon. But what about the existing versions.

Just make sure your own Web sites are secure (using up-to-date application releases, free of security holes, etc.), and a substantial amount of damage will be mitigated or eliminated - not all, but much of it. Again, I can't speak as an expert in Jikto - it's not out yet, and even after it's released, I don't know that my level of expertise will allow me to grasp it in its entirety.

I'm just reporting some interesting news and pondering the implications :)
# Posted By Paul Hirsch | 3/23/07 8:25 AM
UPDATE
Billy Hoffman wrote to me with some updates and clarifications regarding his application.

"I wanted to drop you a line to give you an update about my Jikto presentation as well as correct a few things in your post. Just to clarify, Jikto is solely a web vulnerability scanner written in JavaScript. It doesn't do anything like self-propagate, create botnets, port scan, etc. Those are things that existing JavaScript malware can do."
- Billy Hoffman

I had the impression from the ShmooCon speaker summary that vulnerability exploitation was built into Jikto, but this is not the case!

Billy's demonstration went exceptionally well, and was very well received. He gave a full rundown of Jikto architecture and did an exhaustive demo. The presentation was witnessed by many corporate representatives (including Microsoft) and the Department of Defense.

I have a few questions burning in my mind about Jikto (implications mostly), and hopefully I can get a few answers for another follow-up post.
# Posted By Paul Hirsch | 3/26/07 12:22 PM

  © Copyright Web Host Industry Review, Inc.