Apache-Talk @lexa.ru 

Inet-Admins @info.east.ru 

Filmscanners @halftone.co.uk 

Security-alerts @yandex-team.ru 

nginx-ru @sysoev.ru 




      :: Security-alerts
Security-Alerts mailing list archive (security-alerts@yandex-team.ru)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

[security-alerts] FYI: Jikto - The Javascript based bot


 Jikto - The Javascript based bot
Published: 2007-03-28,
Last Updated: 2007-03-28 04:02:28 UTC
by Jason Lam (Version: 1)
Billy Hoffman, a security researcher at SPI Dynamics presented a new
tool called Jikto at ShmooCon. The tool exploits Cross Site Scripting
(XSS) vulnerabilities which tricks victim into running malicious code.
The code is injected into the victim's browser where it runs silently.
It either seeks more XSS vulnerable targets and reports back to the
attacker or it can also report back to the bot controller and await
further commands.

Since Javascript is OS independent, this tool will run well on browsers
running on different OS platforms. With Cross Site Scripting flaws being
one of the most common vulnerabilities reported these days, it is easy
to understand the potential effects of a toolkit like this.

Although Billy did not release the tool to the public, the attack
principles have been well understood amongst the security research
community. Most researchers believe this proof of concept will very
likely become real attacks shortly.

Links to the article here and here.


Copyright © Lexa Software, 1996-2009.