HP Security Products Blog

Jikto in the wild

It appears that the source code to Jikto is in the wild. I suppose it was only a matter of time, even though, as you will see, SPI took extreme steps to prevent this from happening.

As my Shmoocon presentation slides discuss, Jikto bypasses the Same Origin Policy by using a proxy website such as the-cloak, proxydrop, Google Translate, etc. This allows Jikto's code and the content of third-party sites to be loaded into the same security domain (i.e. the proxy site's), so the script can read the responses. I believe pdp of GNUCITIZEN first discussed this, and I based much of Jikto on his work. The consequence is that Jikto's code had to exist somewhere on the public Internet when I did my demo. Worse, when I got to Shmoo I saw that I didn't have a wired connection to the Internet, only wireless. That meant anyone in the audience sniffing traffic could see where Jikto was and get a copy. Obviously I couldn't let that happen.
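To make the point above concrete, here is an added illustration (not code from the original post or from Jikto) of how a browser's same-origin check sees direct URLs versus URLs fetched through a translating or anonymizing proxy; the hostnames and the proxy URL layout are constructed for the example.

```javascript
// Added illustration, not from the original post: why routing both a script
// and third-party content through one proxy site collapses them into a single
// browser origin. All hostnames and the proxy URL shape below are constructed.

// A browser origin is the (scheme, host, port) triple; path and query are ignored.
function originOf(urlString) {
  const u = new URL(urlString);
  return `${u.protocol}//${u.host}`; // u.host keeps a non-default port, e.g. "a.example:8443"
}

function sameOrigin(a, b) {
  return originOf(a) === originOf(b);
}

// Constructed example: a scanner script hosted at one site, a target at another.
const scriptUrl = "https://scanner.example/jikto.js";
const targetUrl = "https://victim.example/login";

// Hypothetical proxy site that fetches and re-serves whatever URL it is given.
const PROXY = "https://proxy.example/fetch?url=";
function viaProxy(url) {
  return PROXY + encodeURIComponent(url);
}

// Compare what the browser sees in both situations.
function report() {
  return {
    // Direct: different hosts, so the Same Origin Policy keeps them apart.
    direct: sameOrigin(scriptUrl, targetUrl),
    // Proxied: both URLs now share the proxy's origin, so the policy no longer separates them.
    proxied: sameOrigin(viaProxy(scriptUrl), viaProxy(targetUrl)),
  };
}

console.log(report()); // { direct: false, proxied: true }
```

The defensive takeaway is that the origin a site's content is served from, not the site it came from, is what the browser's policy protects.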

Instead I VPNed into SPI, which created an encrypted tunnel. I then remotely connected to my desktop machine at work and did the demo from there. This meant no one in the audience could sniff traffic and see where Jikto was stored. The problem is that if someone watched very closely they could see the URL where Jikto's code was: I ran all my traffic on the work machine through a proxy to show all the requests Jikto was making, and the first request would have been to grab Jikto's code. Someone could have seen the URL and grabbed it.

Which is exactly what happened! A guy named LogicX grabbed a copy this way and posted it on Digg just a day after Shmoocon. I contacted LogicX and asked him to take it down, and I'm thankful he did. However, it seems someone else either grabbed his copy before it was removed or grabbed the code themselves at Shmoocon, just like LogicX did.

The long and short of all of this is that Jikto's code is in the wild. Regardless of what you might have heard, SPI didn't leak it. Even LogicX admitted he snatched it because he got lucky. I suppose it was only a matter of time.

Labels: Jikto| Shmoocon| XSS Ajax
| ‎04-02-2007 03:41 PM
I saw it but didn't download it because I don't want to. Maybe you should just release it to the public at this point?
| ‎04-02-2007 03:47 PM
As unfortunate as this is, you have to admit that in this age of information, trying to hang onto things while also showing them off or displaying or even talking about them is just not going to happen. Even if the code never got out, the idea is there and the technology aligned to make someone else's code work instead.

Unfortunate, but reality. Oh well, in the wild or not, the issue(s) needed to be addressed.
| ‎04-02-2007 04:43 PM
| ‎04-02-2007 08:14 PM
>>Someone could have seen the URL and grabbed it.
Extreme measures were taken? Maybe you were just being funny. It sounds more like the hardened steel front door was right next to an open window.

At least this will get people scrambling to fix the problem.
| ‎04-04-2007 05:06 AM
Hi Billy,
in your presentation you wrote:
"XSS + Jikto + Social Networking = Botnets"

Perhaps my write-up on web-based dynamic botnets could be interesting for you :)

| ‎04-04-2007 12:34 PM
I suppose it's like going into a room with a loaded gun, and when someone gets hurt, claiming it went off by accident.

I guess you just joined the club with members like Oppenheimer, Einstein, etc.
| ‎04-06-2007 06:13 PM
Personally I'm glad it was leaked; it will mean more people will be monitoring the code they write in JavaScript.

Besides, someone else would have written something similar and released it sooner or later.
| ‎04-07-2007 03:19 PM
I really find the idea that someone of your obvious talents "accidentally" let this happen an insult to the collective security industry. You expect us to believe that all the hype and attention you are getting now was not your plan in the beginning. Nope. Not buying it. To quote Jack Nicholson in a recent movie: "Sell crazy somewhere else. We're not buying."

| ‎04-10-2007 12:51 PM

What does it matter whether the source has leaked or not? This is about ideas, and the presentation already gives enough of them to construct the attacks on one's own. A few lines of PoC JS code do not make any difference.

Whether to cut the bread or stab a person with it, is people's own choice.

"Bypassing Same Origin Policy" was the keyword, which was also discussed in CCC a lot, recently.

I don't understand why some people are suddenly so energetic about it.
| ‎05-23-2007 06:16 AM
Hey I'd just like to say thanks for making the internet a safer place. And I'd like to give you a big pat on the back for DEMONSTRATING jikto through a wireless connection, absolutely brilliant. It's not like a wireless connection broadcasts to everyone within a certain radius, or anything. I hope you don't have kids. It would be a shame to have any more of you.
| ‎05-23-2007 04:07 PM
let me know when it is available for download/exploit ;-)
| ‎04-21-2008 04:31 PM

Thanks very much

| ‎05-10-2008 08:42 AM

@Wang Chung:

The wireless data was encrypted. I quote: "anyone in the audience sniffing traffic would see where Jikto was and get a copy. ... Instead I VPNed into SPI. This created an encrypted tunnel. ... This means no one in the audience could sniff traffic and see where Jikto was stored."

The problem was typing Jikto's URL into an address bar that was projected onto a screen in front of a bunch of young keen-eyed computer people. Guess what happened next.
