Hackers broaden reach of cross-site scripting attacks

Cross-site scripting (XSS) attacks have been around for years, and have been a favorite technique of script kiddies and others looking to deface Web sites or steal a few cookies in their spare time. But security researchers until now have not paid much attention to such attacks because it was thought that they offered little opportunity to inflict real damage on target machines.

One researcher, however, has proven that XSS flaws can be used for all kinds of interesting attacks after all. Billy Hoffman, lead research and development engineer at Atlanta-based SPI Dynamics Inc., has developed a tool called Jikto that can use XSS flaws and JavaScript to create a distributed botnet without any kind of user interaction at all. Hoffman plans to discuss the tool and publish the source code for it at the upcoming Shmoocon conference in Washington.

Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities, such as XSS or SQL injection. It then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC and tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.

