Demonstrate the maliciousness of JavaScript

A security researcher has discovered how hackers turn a PC into a tool that serves their dark purpose without "kidnapping".

That's what Jikto - a new security tool by SPI Dynamics security researcher Billy Hoffman - can do. The tool, which is programmed in this Javascript language, can turn the PC into a web security flaw tool that its owner doesn't know about.

Hoffman is expected to announce the Jikto tool at the ShmooCon Hacker forum later this week.

" This tool will change our mind about what hackers can do with Javascript ," Hoffman said. " Jikto can turn any PC into a security search tool or attack another website ."

Jikito is essentially a website security scanning application. This application secretly scans the web and returns the results. Jikto can be embedded into any website - hackers' websites or legitimate websites - by exploiting the XSS vulnerability (cross-site scripting).

Jikto can hunt down and detect most of the web security vulnerabilities often seen or can hunt down the required web vulnerability. For example, Jikto can only hunt for SQL Injection vulnerabilities in online banking sites, for example.

Because Jikto is programmed in Javascript, this tool can operate on most types of browsers without giving any warning to users. Internet users can face a website that embeds Jikto on the Internet without knowing it. This tool will work as long as the browser window is open and disappears without leaving any trace when the browser window closes.

Currently Hoffman is studying to develop the next version of Jikto capable of exploiting security errors and retrieving data. It is expected that this version will be shown at Black Hat this summer.

Hoang Dung