A new tool too dangerous to give away can turn any PC - Windows, Mac, Linux - or any device with a browser into a site attacker.
After silently inserting itself to run inside any browser - be it that of a PC, a cell phone - Jikto can then search sites for cross-site scripting vulnerabilities and report its findings to a third party without the user of the infected browser being aware.
It can also replicate itself onto sites containing cross-site scripting vulnerabilities and then spread via latching onto visiting browsers, Hoffman told eWEEK in an interview.
Web application vulnerability scanners have been around some seven years. Most have been software installed on a PC.
That's good, the security researcher said - "By getting them interested, we can use that to - heighten the awareness of the dangers of Web site vulnerabilities ."
"We've seen - worm attacks - before, but infecting desktop applications," he said.
Hoffman had originally intended to publicly release Jikto at ShmooCon, but said he reversed himself at the behest of SPI Dynamics officials, due to the damage attackers could do with the tool.
"We tend to use this as an educational process, to show look, this is where we are now with how bad things can be," he said.
Education is certainly needed, Hoffman said, given that most developers he knows are two and a half to three years behind on security.
"I wanted to get everyone cooked up and say, 'Here's all the things we're seeing it do in the wild.'"
While some security professionals have noted the rising number of cross-site scripting attacks, only recently have those attacks become "really, really dangerous," Hoffman said.
Outside the security industry, the awareness of the dangers are low. "We need to start taking Web vulnerabilities seriously," he said.
The question is, who can patch a browser to be immune to an attack such as Hoffman demonstrated with Jikto? No one, Hoffman said, because "there isn't anything fundamentally wrong with IE or Firefox."
As it is, big Internet players including Google, eBay, PayPal, Yahoo and the Mozilla Foundation have found themselves used as cross-site scripting platforms due to vulnerabilities.
Just as they have addressed it, so too must smaller companies, Hoffman said.
"Google and Yahoo and eBay and PayPal, they throw millions a year, if not tens of millions, at Web security, at designing applications securely from the start," he said. "And even they make mistakes. But the big guys take this seriously. Small to medium companies with Web presence … should take it seriously. If - the big guys are - making mistakes, and they're pretty smart, chances are you're making mistakes too."
Jikto is more a proof of concept code sampling than a tool per se, Hoffman said.
"It's fairly easy for someone to reproduce my work. It's proof of concept code, maybe 900 lines of code total. Most of that was comments to myself and spacing. It wasn't that sophisticated a concept."Maybe not, but it did serve to show that "everybody has to get rid of cross-site scripting vulnerabilities," Hoffman said. "People who think it's not a problem should look to Google's" susceptibility, he said.
Copyright 2007 by Ziff Davis Media, Distributed by United Press International
Explore further: Apple guides shoppers inside stores with iBeacon (Update)