Jikto is coming

Submitted by JacobSingh on March 24, 2007 - 3:16pm.
Seems Billy Hoffman has developed something of an XSS trojan which uses your browser to launch attacks, and log information. It sounds quite scary from the press I've read, but specifics do not seem very consistent. Here is something from the Bio page on ShmooCon where this will be demo'd (but not released):
hijack your HTTP sessions... and detect every website you have visited... and port scan and fingerprint your internal network... and reconfigure your routers... and brute force usernames and passwords... and capture all the words you search Google for. And I almost forgot, they can self propagate too. I'll give a live demo of Jikto, a complete web application vulnerability scanner written entirely in JavaScript. Jikto silently crawls and audits any public website and sends the results to a 3rd party. Jikto can be embedded into any website or XSS payload turning website visitors into accomplices that will scan and attack webservers on the Internet.
Source: https://www.shmoocon.org/speakers.html
Submitted by Dan Robinson on March 24, 2007 - 9:31pm.

Was talked about at the OSCMS by Rasmus Lerdorf. It is pretty bad. There are some things a CMS can do to protect against it - but the browser is completely vulnerable. The vulnerability he talked about is dangerous with multiple tabs. The example he gave was having a banking app in one tab which you've logged into (or are about to log into) and having the trojan launched (unbeknownst to you obviously) in another.

Rasmus also mentioned that he's built a tool that uncovers all sorts of vulnerabilities in a website. He has decided not to release it because "I don't want to be known as the guy who broke the Internet" (at which point someone quipped "again?").