Security Response

JIKTO Out and About

Created: 03 Apr 2007 07:00:00 GMT • Updated: 23 Jan 2014 18:50:39 GMT
By Zulfikar Ramzan

At the recent Shmoocon conference, Billy Hoffman of SPI Labs described a tool he built called Jikto. This tool can scan a Web site for different types of Web vulnerabilities. In the hands of a good guy, the tool can point out holes, which can then be fixed. In the hands of a bad guy, the same tool can be used to find holes, which can then be exploited.

One remarkable aspect of Jikto is that it is written entirely in JavaScript. That means it can be executed in a Web browser (and also that it is more or less platform independent, with the ability to run on Windows machines, Macs, Linux boxes, etc.). Also, if an attacker creates a Web page that includes the Jikto code, then anyone who visits that Web page can effectively run a vulnerability scan on an entirely separate Web site. The results of that scan can be reported back to the attacker. On the other hand, from the victim's perspective the vulnerability scan will not be traced back to the attacker. Instead it will point to the perhaps otherwise unsuspecting Web surfer.
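As an added example that is not from the original post, here is a defender-side check for the attribution problem just described: because the scan is issued by the visitor's own browser, the probes arrive at the target site from the surfer's IP address with an ordinary browser User-Agent, so a server-side detector has to key on request behaviour rather than on who the client claims to be. The log lines, IP addresses and thresholds below are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" access-log lines (not from the original post).
# 203.0.113.7 is an ordinary visitor; 198.51.100.9 is a normal browser that is
# probing this site on someone else's behalf, exactly as the post describes.
SAMPLE_LOG = """\
203.0.113.7 - - [03/Apr/2007:07:00:01 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2007:07:00:03 +0000] "GET /admin/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2007:07:00:03 +0000] "GET /old/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2007:07:00:04 +0000] "GET /test/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2007:07:00:04 +0000] "GET /backup/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.9 - - [03/Apr/2007:07:00:05 +0000] "GET /search?q=%27 HTTP/1.1" 500 310 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

def parse(log_text):
    """Parse combined-format lines into (ip, timestamp, path, status, user_agent)."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        events.append((m["ip"], ts, m["path"], int(m["status"]), m["ua"]))
    return events

def find_scan_bursts(events, window_s=10, min_distinct=5, min_error_ratio=0.6):
    """Return {ip: (distinct_paths, error_ratio)} for clients that, within any
    window_s-second window, hit >= min_distinct distinct paths with a share of
    4xx/5xx responses >= min_error_ratio. The User-Agent is deliberately ignored:
    a browser-hosted scan is sent by a real browser on a real visitor's machine."""
    by_ip = defaultdict(list)
    for ip, ts, path, status, _ua in events:
        by_ip[ip].append((ts, path, status))
    flagged = {}
    for ip, reqs in by_ip.items():
        reqs.sort()
        for i, (start, _, _) in enumerate(reqs):  # slide a window over each start
            win = [r for r in reqs[i:] if (r[0] - start).total_seconds() <= window_s]
            distinct = len({r[1] for r in win})
            errors = sum(1 for r in win if r[2] >= 400) / len(win)
            if distinct >= min_distinct and errors >= min_error_ratio:
                flagged[ip] = (distinct, round(errors, 2))
                break
    return flagged
```

Flagged addresses belong to the surfers whose browsers ran the scan, not to whoever served the scanning page, so a hit is a reason to look at the victim's browsing session rather than to attribute intent to that client.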

Billy ultimately decided not to release the Jikto source code to the public. However, while demonstrating Jikto at Shmoocon, the URL hosting the Jikto source was revealed. Someone sitting near the front of the room saw the URL, typed it in and downloaded the source. The code was subsequently posted online, but then taken down. During the brief time it was up a few more folks got their hands on it. It was posted online again at a separate location, taken down again, and so on.

The leak of the Jikto source has created considerable buzz both among security researchers and the media. Such buzz is natural given the nature of the tool. At the same time, I think that the whole story behind the code getting leaked and put online, followed by its being taken down, is what created the real frenzy. Given the interest this topic has garnered, I wanted to offer some balanced viewpoints on Jikto.

First, from a vulnerability scanning standpoint, Jikto is actually fairly rudimentary. There are a number of Web vulnerability scanners out there (many of which are freely available) that attackers have been using for some time. These can scan for a host of issues in far more depth than Jikto does. So, whatever vulnerabilities attackers could have scanned for with Jikto, they could have also scanned for with a host of tools that existed prior to it.

Second, the Jikto source was not leaked completely. There is still a front-end piece that wasn't leaked. So, an attacker would need some knowledge of how to add the missing piece and properly use the tool. While that's not technically hard to do with the appropriate technical knowledge, it severely restricts the pool of attackers who would try to leverage such a tool. (Let's not forget that Jikto was designed as a proof of concept, and not as a production grade tool with documentation, clean user interfaces, etc.)

Some would argue that Jikto also allows an attacker to conceal his location, which is not a functionality that existing Web vulnerability scanners necessarily allow for. This brings me to my third point: there are readily available tools that can help conceal the attacker's location. These tools can be used in conjunction with a vulnerability scanner, and attackers have been using such tools for a long time.

I don't really see attackers (at least the good ones, anyway) actually adopting Jikto on a wide scale. They will probably continue to use the tools they have been using all along. Given the hype that was created recently, though, I wouldn't be surprised if we see a few attackers use it, but I don't expect it to be the tool of choice.

Having made these points, I don't want to detract from Billy's accomplishments. Designing a tool like the one he did entirely in JavaScript is pretty remarkable. It requires an excellent understanding of how JavaScript works and how to truly stretch the limits of what people thought it could do. In my mind, the actual feature set and capabilities of Jikto are not nearly as interesting as the fact that Billy was able to write the whole thing in JavaScript.

There are pros and cons to releasing a tool like this. These tools can help Web masters find and patch holes in their own systems. On the other hand, the same tools can be used by attackers to find holes they can exploit. My point here is not to take a side in this debate, but rather to provide more information so that a discussion on this topic can be more balanced.

Ultimately, I believe that the whole accidental leakage of the code, and the way in which it appeared and then disappeared across online forums and blogs, created the hype. Had Jikto just been released initially (regardless of whether that's a good or bad thing), the story would have garnered much less fanfare.