Comments on Jeremiah Grossman: Jikto, crossing the line?
Feed author: Jeremiah Grossman (http://www.blogger.com/profile/05017778127841311186)
Feed updated: 2024-02-08T03:44:23.780-08:00

----

K Bhaskar (https://www.blogger.com/profile/16908767393332043344), 2007-09-08T00:35:00-07:00:

Hi,

Can you please provide the list of tools (open source) for XSS detection and prevention?

I am pursuing my Masters in Info.Sec.

Cheers.

K.Bhaskar, AU-KBC Research Centre

----

Anonymous, 2007-04-03T13:34:00-07:00:

http://rapidshare.com/files/24138312/jikto.zip.html

----

Anonymous, 2007-03-27T05:57:00-07:00:

Offensive tools are much more useful than just for proof of concept demonstrations. They are actually helpful to determine what a real attacker can do and to deploy and test countermeasures.
Those against the release of tools like Jikto must wake up and remove their head from the sand: the bad guys do not need Jikto to do their deed; they already have tools like it.
More than 10 years ago Dan Farmer and Wietse Venema released SATAN, a vulnerability scanner, and the companion paper "Improving the security of your site by breaking into it". The paper and the tool elicited similar reactions back then; Farmer even ended up losing his job because of it, and many infosecurity conservatives rallied against the incredibly outrageous idea of testing your own site.
Today, if you run information security at any reasonably sized organization and do not use a vulnerability scanner, you are likely to be fired.

----

Anonymous, 2007-03-24T05:36:00-07:00:

For once, I don't like the idea of Jikto. If Jikto were to be released, it would only cause more havoc. If it were to be released, please only make it for sale as an enterprise item and be selective about which customers the product is sold to.

http://hackathology.blogspot.com

----

Anonymous, 2007-03-23T22:07:00-07:00:

The easier the tools to perpetrate complex attacks with a high scare factor, the better. The better for what, you're asking. To convince executive-level staff of product marketing departments in large organizations that it's high time a real WAF was designed. Because fear sells.

----

Anonymous, 2007-03-23T03:17:00-07:00:

1) Billy's (and SPI's) recent research into "what can be done with XSS" is crossing the line. We already know what can be done with it: "a lot". Why keep digging into this?

Could it be that their marketing team is asking for more news stories, so they keep producing XSS-related stuff?

2) PDP is doing the same thing with AttackAPI. At this point, it is no longer a demonstration tool; it is a script kiddie tool.

----

Anonymous, 2007-03-22T15:19:00-07:00:

I don't think you read anything wrong, Jeremiah... you just got your reference article off.

"Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington."

ref: "TechTarget"
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1248127,00.html

That's not to say the author didn't misunderstand.

----

mario (https://www.blogger.com/profile/04272129081843869542), 2007-03-22T01:50:00-07:00:

Hi!

Well, I don't see the reason for all the smoke. There have always been tools that weren't easy to categorize as good or bad. I haven't seen Jikto yet, but I would like to! Let's be honest: it doesn't sound like more than a kind of glue for things that already exist (pdp's backframe, the xss proxy, the lately released zombie map, my LFH xss scanner, etc. etc.).

You don't need a high school degree in programming and webapp security to put all those tools together into something similar to what Jikto is described as. Personally, I think we should wait if/until the sources are released and see what real impact the tool has.

@ntp: strange question

Greetings!
.mario.

----

Anonymous (Cutaway), 2007-03-21T23:11:00-07:00:

What has me a little confused is why SPI is creating and releasing this type of code. I am all for security researchers. And I do not operate under the delusion that they don't have a profit motive. But to me this is sort of like Symantec and McAfee releasing a malware generator to the public to show that it can be done.

Would it have made a difference if he released this through OWASP or some other web application security organization? To me, yes.

This will add at least one to the con side for their product when I am considering spending a boatload of money (I work for a small university, so it is a boatload to us) on a web application security solution.

Go forth and do good things,
Cutaway

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-03-21T21:31:00-07:00:

@ntp, I wasn't aware the Covert Crawling tool wasn't released. And I have it on good authority that the "tool" code or whatever for ShmooCon won't be released either.

> I support free research for the community that cost a company money.

As do I.

> What have you done for us lately?

Are you serious?

----

Anonymous, 2007-03-21T20:14:00-07:00:

He probably won't release Jikto, because I never did see the code for the Covert Crawling tool he promised.

Billy probably wrote the tool (or a similar one) for SPI to do customer demonstrations of 'what is possible'. I support free research for the community that cost a company money.

What have you done for us lately?

----

Jeremiah Grossman (https://www.blogger.com/profile/05017778127841311186), 2007-03-21T20:03:00-07:00:

txs and jordan, excellent points, and I think we're on the same page with the ethics and usability. If a TOOL is released and has the potential of being used by the good guys AND the bad guys, that's OK, as I described. However, if the TOOL would ONLY be usable by a bad guy, I'd call that into question. So here's where the report lost me (and again, I haven't seen the tool or presentation and am going purely by the media reports):

"Jikto works by exploiting a XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode Jikto calls home to the controlling PC and tells it that it has installed itself on a new machine, and then awaits further instructions from the controller."

This is a TOOL that does this. Not some PoC code or a demonstration framework. From the way it reads, it appears anyone can fire this up, start hijacking browsers, and exploit real live websites. My question is, how can a "good guy" use this?

----

Jordan (https://www.blogger.com/profile/08341608982649448622), 2007-03-21T18:28:00-07:00:

Here's a concrete example of the value of that sort of tool. I'd argue that, at least from the description of it, it sounds very similar to a lot of the work pdp's doing with AttackAPI, BackFrame, Carnival, etc.

I used that toolkit at a presentation (http://www.wantingseed.com/sprout/presentations) yesterday, and I think it was /much/ more effective at demonstrating how simple and easy it was for me to control and abuse hosts. Simply demonstrating a bunch of single PoCs is valuable too, but a lot less impressive in terms of the "wow" factor.

Or are you saying that Jikto is worse because it provides actual exploit templates inside, in addition to the C&C code?

I'm leaning on the side of supporting the tool -- if for nothing else, because by the sound of it, it doesn't seem like anything anybody with an hour of free time, basic JavaScript skills and resources on the net couldn't come up with a basic version of. Not to demean Billy's work, just that he's not telling the bad guys anything they don't know.

Incidentally, don't bother with the video in the above link -- the acoustics sucked in the room, and I didn't get a direct audio feed from the mic, so it's pretty hard to hear.

----

Anonymous, 2007-03-21T17:48:00-07:00:

I believe the MAIN point of most offensively minded tools is to demonstrate proof of concept. In this instance the tool "could" be used as a utility to demonstrate proof of concept to web developers who may not understand the risks of these types of vulnerabilities.

Obviously there are nefarious uses for this tool as well; however, I wouldn't imagine that was the intent of its author (since it is coming from SPI).

I absolutely hear where you are coming from and recognize the dilemma, but if a subset of developers learns from messing with this tool in an enclosed environment, then it has served a good purpose.

Lots of tools have been released that are questionable in nature but eventually confirmed to be useful. I'll let your readers fill in this list.. it's quite large.

My .02$ on this one.

Cheers.