Wednesday, March 21, 2007

Jikto, crossing the line?

Another Update: Robert McMillan from IDG describes how the Jikto leak occurred in some detail, including some quotes from Mike Schroll, who originally snagged the code and posted it to Digg.

Update: via sla.ckers.org, RSnake posted that the source code to Jikto did in fact make its public debut. I checked with Billy on the authenticity of the code, he verified it, and also explained how the leak occurred. Was bound to happen eventually, but it's surprising how fast.

Update: Billy has more to say about his conference experience with Jikto and about me personally.

Update: Billy sets us straight in his ShmooCon post: "The first part of my presentation will provide an overview of all these new advanced threats. Specifically, how these attacks work and how they can be prevented. In the second half I’ll discuss how JavaScript is capable of crawling and auditing 3rd party websites just like a traditional web scanner. As a proof of concept, I created Jikto, a web scanner written in JavaScript. Although I will not be releasing the source code of Jikto, I will be giving a full live demo and provide a detailed discussion about its methodology and architecture."

It appears there was some miscommunication in the original c-net story.
"Hoffman, who developed the tool as a way to advance Web security, plans to release Jikto publicly later this week at the ShmooCon hacker event in Washington, D.C."

Figured "release" meant distribute rather than demo. That's that. Next topic.


I think most security professionals would agree that releasing information about vulnerabilities, attack techniques (what I'm known for), and tools is generally positive. People should have information they need to defend themselves should they choose to. For example nessus, nmap, whisker and even metasploit have the distinction of evening the playing field. The good guys and bad guys can both use it. Industry ethics would say you wouldn't want to release a virus or phishing toolkit for real-world use because it only helps the bad guys. Then I see this:

"Billy Hoffman, lead research and development engineer at Atlanta-based SPI Dynamics Inc., has developed a tool called Jikto that can use XSS flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington."

Sounds like a nicely packaged script kiddie tool, usable in the real world, and only helpful to the bad guys. Without getting my hands on the code or the slide... am I reading way too much into this? Apparently I wasn't the only person who saw something strange about this, as Don Park and RSnake weighed in with their thoughts.

"Yes, I understand these tools can be used to protect but what about tools that use questionable means? Jikto, for example, uses unsuspecting website visitors' browser to scan other websites for holes. Would any businesses use such tools to protect their sites? If not, who does it benefit? Is it security researchers' job to push the envelope of black hat's state of art?"
Don Park

"One very narrow line that we all must face is where the distinction between security research and building script kiddy tools comes into play. I think a lot of us have fallen victim to writing tools to make our own lives easier, while also making script kiddie’s lives easier. In this case Jikto doesn’t make a security researcher’s life easier, except perhaps to demonstrate how bad script kiddies can be if given that exact tool."

RSnake

RSnake asks is it for Good or for Evil. I'd say neither, just unnecessary. Being a SPI competitor, I don't presume to tell them or Billy what to do. It's probably good that Billy hasn't spoken yet or released the code at ShmooCon. Maybe he'd reconsider releasing this code into the wild. Or perhaps he'll get pissed and say myself or RSnake or others have done the same thing with all our PoC. To which I of course disagree entirely.

14 comments:

Anonymous said...

I believe the MAIN point of most offensively minded tools is to demonstrate proof of concept. In this instance the tool "could" be used as a utility to demonstrate proof of concept to web developers who may not understand the risks of these types of vulnerabilities.

Obviously there are nefarious uses for this tool as well, however, I wouldn't imagine that was the intent of its author (since it is coming from SPI).

I absolutely hear where you are coming from and recognize the dilemma, but if a subset of developers learns from messing with this tool in an enclosed environment then it has served a good purpose.

Lots of tools have been released that are questionable in nature but eventually confirmed to be useful. I'll let your readers fill in this list.. it's quite large.

My .02$ on this one.

Cheers.

Jordan said...

Here's a concrete example of the value of that sort of tool. I'd argue that at least from the description of it, it sounds very similar to a lot of the work pdp's doing with AttackAPI, BackFrame, Carnival, etc.

I used that toolkit at a presentation yesterday and I think it was /much/ more effective demonstrating how simple and easy it was for me to control and abuse hosts. Simply demonstrating a bunch of single PoCs is valuable too, but a lot less impressive in terms of the "wow" factor.

Or are you saying that jikto is worse because it provides actual exploit templates inside in addition to the C&C code?

I'm leaning on the side of supporting the tool -- if for nothing else, because at the sound of it, it doesn't seem like anything anybody with an hour of free time, basic javascript skills and resources on the net couldn't come up with a basic version of. Not to demean Billy's work, just that he's not telling the bad guys anything they don't know.

Incidentally, don't bother with the video in the above link -- acoustics sucked in the room, and I didn't get a direct audio feed from the mic, so it's pretty hard to hear.

Jeremiah Grossman said...

txs and jordan, excellent points and I think we're on the same page with the ethics and usability. If a TOOL is released and has the potential of being used by the good guys AND the bad guys, that's OK as I described. However, if the TOOL would ONLY be usable by a bad guy, I'd call that into question. So here's where the report lost me (and again, I haven't seen the tool or presentation and going purely by the media reports)

"Jikto works by exploiting a XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode Jikto calls home to the controlling PC and tells it that it has installed itself on a new machine, and then awaits further instructions from the controller."

This is a TOOL that does this. Not some PoC code or a demonstration framework. From the way it reads it appears anyone can fire this up, start hi-jacking browsers, and exploit real-live websites. My question is, how can a "good guy" use this?

Anonymous said...

He probably won't release Jikto because I never did see the code for his Covert Crawling tool he promised.

Billy probably wrote the tool (or similar one) for SPI to do customer demonstrations of `what is possible'. I support free research for the community that cost a company money.

What have you done for us lately?

Jeremiah Grossman said...

@ntp, I wasn't aware the Covert Crawling tool wasn't released. And I have it on good authority that the "tool" code or whatever for ShmooCon won't be released either.

> I support free research for the community that cost a company money.

As do I.

> What have you done for us lately?

Are you serious?

Anonymous said...

What has me a little confused is why is SPI creating and releasing this type of code? I am all for security researchers. And I do not operate under the delusion that they don't have a profit motive. But to me this is sort of like Symantec and McAfee releasing a malware generator to the public to show that it can be done.

Would it have made a difference if he releases this through OWASP or some other web application security organization? To me, yes.

This will add at least one to the con side for their product when I am considering spending a boatload of money (I work for a small university so it is a boatload to us) on a web application security solution.

Go forth and do good things,
Cutaway

.mario said...

Hi!

Well I don't see the reason for all the smoke - there have always been tools that weren't easy to categorize - good or bad. I haven't seen Jikto yet but I would like to! Let's be honest - it doesn't sound like more than a kind of glue for things that already exist - pdp's backframe, the xss proxy, the lately released zombie map, my LFH xss scanner etc. etc.

You don't need a highschool degree in programming and webapp security to put all those tools together to sth similar like Jikto is described as. Personally I think we should wait if/until the sources are released and what real impact the tool has.

@ntp: strange question

Greetings!
.mario

Anonymous said...

I don't think you read anything wrong Jeremiah... just got your ref. article off.

"Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington."

ref: "TechTarget"
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1248127,00.html

That's not to say the author didn't misunderstand.

Anonymous said...

1) Billy's (and SPIs) recent research into the "what can be done with XSS" is crossing the line. We already know what can be done with it - "a lot". Why keep digging into this?

Could it be that their marketing team is asking for more news stories, so they keep producing XSS-related stuff?

2) PDP is doing the same thing with AttackAPI - at this point, it is no longer a demonstration tool - it is a script kiddie tool

Anonymous said...

The easier the tools to perpetrate complex attacks with a high scare factor, the better. The better for what, you're asking. To convince executive-level staff of product marketing departments in large organizations that it's high time a real WAF was designed. Because fear sells.

Anonymous said...

For once, I don't like the idea of Jikto. If Jikto were to be released, it will only cause more havoc. If it were to be released, please only make it for sale as an enterprise item and be selective on the product being sold to customers.

http://hackathology.blogspot.com

Anonymous said...

Offensive tools are much more useful than just for proof of concept demonstrations. They are actually helpful to determine what a real attacker can do and to deploy and test countermeasures.
Those against the release of tools like Jikto must wake up and remove their head from the sand: The bad guys do not need Jikto to do their deed; they already have tools like it.
More than 10 years ago Dan Farmer and Wietse Venema released SATAN, a vulnerability scanner, and the companion paper "Improving the security of your site by breaking into it". The paper and the tool elicited similar reactions back then, Farmer even ended up losing his job because of it and many infosecurity conservatives rallied against the incredibly outrageous idea of testing your own site.
Today, if you run information security at any reasonably sized organization and do not use a vulnerability scanner you are likely to be fired.

Anonymous said...

http://rapidshare.com/files/24138312/jikto.zip.html

K Bhaskar said...

Hi,

Can you please provide the list of tools (open source) for XSS detection and prevention?

I am pursuing my Masters in Info.Sec

Cheers.

K.Bhaskar AU-KBC Research Centre