At the recent Shmoocon conference, Billy Hoffman of SPI Labs described a tool he built called Jikto. This tool can scan a Web site for different types of Web vulnerabilities. In the hands of a good guy, the tool can point out holes, which can then be fixed. In the hands of a bad guy, the same tool can be used to find holes, which can then be exploited.
Billy ultimately decided not to release the Jikto source code to the public. However, while demonstrating Jikto at Shmoocon, the URL hosting the Jikto source was revealed. Someone sitting near the front of the room saw the URL, typed it in and downloaded the source. The code was subsequently posted online, but then taken down. During the brief time it was up, a few more folks got their hands on it. It was posted online again at a separate location, taken down again, and so on.
The leak of the Jikto source has created considerable buzz both among security researchers and the media. Such buzz is natural given the nature of the tool. At the same time, I think that the whole story behind the code getting leaked and put online, followed by it being taken down, is what created the real frenzy. Given the interest this topic has garnered, I wanted to offer some balanced viewpoints on Jikto.
First, from a vulnerability scanning standpoint, Jikto is actually fairly rudimentary. There are a number of Web vulnerability scanners out there (many of which are freely available) that attackers have been using for some time. These can scan for a host of issues in far more depth than Jikto does. So, whatever vulnerabilities attackers could have scanned for with Jikto, they could have also scanned for with a host of tools that existed prior to it.
Second, the Jikto source was not leaked completely. There is still a front-end piece that wasn’t leaked. So, an attacker would need some knowledge of how to add the missing piece and properly use the tool. While that’s not technically hard to do with the appropriate technical knowledge, it severely restricts the pool of attackers who would try to leverage such a tool. (Let’s not forget that Jikto was designed as a proof of concept, and not as a production-grade tool with documentation, clean user interfaces, etc.)
Some would argue that Jikto also allows an attacker to conceal his location, which is not a functionality that existing Web vulnerability scanners necessarily allow for. This brings me to my third point: there are readily available tools that can help conceal the attacker’s location. These tools can be used in conjunction with a vulnerability scanner, and attackers have been using such tools for a long time.
I don’t really see attackers—at least the good ones, anyway—actually adopting Jikto on a wide scale. They will probably continue to use the tools they have been using all along. Given the hype that was created recently, though, I wouldn’t be surprised if we see a few attackers use it, but I don’t expect it to be the tool of choice.
There are pros and cons to releasing a tool like this. These tools can help Web masters find and patch holes in their own systems. On the other hand, the same tools can be used by attackers to find holes they can exploit. My point here is not to take a side in this debate, but rather to provide more information so that a discussion on this topic can be more balanced.
Ultimately, I believe that the whole accidental leakage of the code and the way in which it appeared—and then disappeared—across online forums and blogs created the hype. Had Jikto just been released initially (regardless of whether that’s a good or bad thing), the story would have garnered much less fanfare.