[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[WEB SECURITY] Jikto in the wild

From: "Billy Hoffman" <Billy.Hoffman@xxxxxxxxxxxxxxx>
Subject: [WEB SECURITY] Jikto in the wild
Date: Mon, 2 Apr 2007 12:59:16 -0400

------_=_NextPart_001_01C77548.3FC24525
Content-Type: text/plain;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

FYI: Jikto's in the wild. You can read about it here:
http://portal.spidynamics.com/blogs/spilabs/archive/2007/04/02/Jikto-in-
the-wild.aspx

=20

I supposed it was only a matter of time. As the post describes, I took a
bunch of steps to protect the code during my demo. Even if someone
hadn't managed to grab a copy, I image a Jikto clone would have come out
sometime this year. In fact, pdp was so close back in October with his
web crawling demo. His work heavily influenced Jikto. His solution
however used timer and iframe remoting and as I've said before
(http://www.gnucitizen.org/blog/javascript-remoting-dangers)
XmlHttpRequest is way faster than iframes.

=20

Using pdp's idea, all I had to do for Jikto was write ~800 of JavaScript
functions to handle response parsing, link scrapping, URL resolution,
and some glue code. Most of those things I had already written for other
projects. Jikto probably only took me < 24 hours to piece together.

=20

Anyway, the long and short of all of this is that the code to a web vuln
scanner written in JavaScript is in the wild now.

=20

Billy Hoffman

--

Lead Researcher, SPI Labs

SPI Dynamics Inc. - http://www.spidynamics.com
<http://www.spidynamics.com/>=20

Phone:  678-781-4800

Direct:   678-781-4845

=20


------_=_NextPart_001_01C77548.3FC24525
Content-Type: text/html;
	charset="us-ascii"
Content-Transfer-Encoding: quoted-printable

<html xmlns:o=3D"urn:schemas-microsoft-com:office:office" =
xmlns:w=3D"urn:schemas-microsoft-com:office:word" =
xmlns:st1=3D"urn:schemas-microsoft-com:office:smarttags" =
xmlns=3D"http://www.w3.org/TR/REC-html40";>

<head>
<meta http-equiv=3DContent-Type content=3D"text/html; =
charset=3Dus-ascii">
<meta name=3DGenerator content=3D"Microsoft Word 11 (filtered medium)">
<o:SmartTagType =
namespaceuri=3D"urn:schemas-microsoft-com:office:smarttags"
 name=3D"PersonName"/>
<!--[if !mso]>
<style>
st1\:*{behavior:url(#default#ieooui) }
</style>
<![endif]-->
<style>
<!--
 /* Style Definitions */
 p.MsoNormal, li.MsoNormal, div.MsoNormal
	{margin:0in;
	margin-bottom:.0001pt;
	font-size:12.0pt;
	font-family:"Times New Roman";}
a:link, span.MsoHyperlink
	{color:blue;
	text-decoration:underline;}
a:visited, span.MsoHyperlinkFollowed
	{color:purple;
	text-decoration:underline;}
span.EmailStyle17
	{mso-style-type:personal-compose;
	font-family:Arial;
	color:windowtext;}
@page Section1
	{size:8.5in 11.0in;
	margin:1.0in 1.25in 1.0in 1.25in;}
div.Section1
	{page:Section1;}
-->
</style>

</head>

<body lang=3DEN-US link=3Dblue vlink=3Dpurple>

<div class=3DSection1>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>FYI: Jikto&#8217;s in the wild. You can read about it =
here: <a
href=3D"http://portal.spidynamics.com/blogs/spilabs/archive/2007/04/02/Ji=
kto-in-the-wild.aspx">http://portal.spidynamics.com/blogs/spilabs/archive=
/2007/04/02/Jikto-in-the-wild.aspx</a><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>I supposed it was only a matter of time. As the post
describes, I took a bunch of steps to protect the code during my demo. =
Even if
someone hadn&#8217;t managed to grab a copy, I image a Jikto clone would =
have
come out sometime this year. In fact, pdp was so close back in October =
with his
web crawling demo. His work heavily influenced Jikto. His solution =
however used
timer and iframe remoting and as I&#8217;ve said before (<a
href=3D"http://www.gnucitizen.org/blog/javascript-remoting-dangers";>http:=
//www.gnucitizen.org/blog/javascript-remoting-dangers</a>)
XmlHttpRequest is way faster than iframes.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Using pdp&#8217;s idea, all I had to do for Jikto was =
write ~800
of JavaScript functions to handle response parsing, link scrapping, URL
resolution, and some glue code. Most of those things I had already =
written for
other projects. Jikto probably only took me &lt; 24 hours to piece =
together.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Anyway, the long and short of all of this is that the =
code
to a web vuln scanner written in JavaScript is in the wild =
now.<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'><o:p>&nbsp;</o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Billy Hoffman<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>--<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Lead Researcher, <st1:PersonName w:st=3D"on">SPI =
Labs</st1:PersonName><o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>SPI Dynamics Inc. &#8211; <a
href=3D"http://www.spidynamics.com/";>http://www.spidynamics.com</a><o:p><=
/o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Phone:&nbsp; =
678-781-4800<o:p></o:p></span></font></p>

<p class=3DMsoNormal><font size=3D2 face=3DArial><span =
style=3D'font-size:10.0pt;
font-family:Arial'>Direct:&nbsp;&nbsp; 678-781-4845</span></font><font =
size=3D2
face=3DArial><span =
style=3D'font-size:10.0pt;font-family:Arial'><o:p></o:p></span></font></p=
>

<p class=3DMsoNormal><font size=3D3 face=3D"Times New Roman"><span =
style=3D'font-size:
12.0pt'><o:p>&nbsp;</o:p></span></font></p>

</div>

</body>

</html>

------_=_NextPart_001_01C77548.3FC24525--

Follow-Ups:
- Re: [WEB SECURITY] Jikto in the wild
  - From: pdp (architect)

Prev by Date: [WEB SECURITY] Re: [Webappsec] [WEB SECURITY] Preventing Cross-site Request Forgeries
Next by Date: Re: [WEB SECURITY] Jikto in the wild
Previous by thread: [WEB SECURITY] From Old Bucket To New : Clobbering Of Global Variables
Next by thread: Re: [WEB SECURITY] Jikto in the wild
Index(es):
- Date
- Thread

Brought to you by http://www.webappsec.org
Search this site