oxff's Blog
Random notes and opinions from Georg 'oxff' Wicherski, covering my travels around the world due to my job(s) as a Software Engineer to various conferences and other stuff on my mind.
2007-04-12
2007-04-07
Jikto Hype
After not posting for quite some time, I've got something to say again.
Recently, the Jikto `Javascript Drone' was hyped a lot in different media; the usual ``OMG t3h Internet is l0st'' we see at least once each year. I just had a look at Jikto's code, which was leaked the day after Jikto was presented at ShmooCon. It's totally ridiculous: it uses XMLHttpRequests to spider web pages and tries to find `.old' and `.bak' files on these servers by bruteforcing every found file. Additionally, it features a very false-positive-prone XSS scanner.
This XSS scanner injects <script>alert('xss');</script> into every GET parameter and just parses for `script' in the response. If the brackets are properly escaped, the word `script' is still in the response, so we still get our false positive. How enterprise.
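As an added example (this is not Jikto's code and not from the original post), the following Node.js snippet shows why a plain substring check for `script' fires on a server that escapes its output correctly, and what the check has to verify instead: that the injected marker comes back with its angle brackets intact. The probe string, the sample responses and all function names are constructed for the illustration.

```javascript
// Added example (not Jikto's code): why a substring check for the word
// "script" produces false positives, and a check that only fires when the
// injected marker is reflected unescaped.

// Constructed probe string, modelled on the one described in the post.
const PROBE = "<script>alert('xss');</script>";

// What the post describes: flag any response that merely contains "script".
function naiveDetect(responseBody) {
  return responseBody.toLowerCase().includes("script");
}

// Minimal HTML escaping, as a server that handles output correctly would do.
function htmlEscape(s) {
  return s
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Only count a reflection if the probe comes back byte-for-byte, brackets
// included. An escaped echo still contains the word but no longer the tag.
function reflectedUnescaped(responseBody, probe = PROBE) {
  return responseBody.includes(probe);
}

// Constructed sample responses for the three cases a scanner will meet.
const SAMPLES = {
  // 1. Parameter echoed back properly escaped: the word is present, the tag is not.
  escaped: `<p>You searched for: ${htmlEscape(PROBE)}</p>`,
  // 2. Parameter not echoed at all, but the page legitimately loads a script.
  unrelated: `<html><head><script src="/static/app.js"></script></head><body>Hello</body></html>`,
  // 3. Parameter echoed raw: the only case that is actually a reflection.
  raw: `<p>You searched for: ${PROBE}</p>`,
};

// Run both checks over all samples and return the verdicts side by side.
function compareDetectors(samples = SAMPLES) {
  const verdicts = {};
  for (const [name, body] of Object.entries(samples)) {
    verdicts[name] = {
      naive: naiveDetect(body),
      strict: reflectedUnescaped(body),
    };
  }
  return verdicts;
}

// Stand-alone run: the naive column is true for all three samples, the
// strict column only for the raw reflection.
console.table(compareDetectors());
```

The strict check removes the two false positives the post complains about, but it only proves that the literal string came back unescaped; whether that reflection is actually exploitable still depends on where in the document it lands (attribute, comment, script block), which is exactly the context analysis a one-line `indexOf` can never do.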
Another wrong rumor is that this code turns your computer or your browser into a drone. It's just yet another non-resident script. Additionally, because of the XMLHttpRequests, you're limited to scanning your own domain (unless you find a cool vulnerability in your browser or already know an XSS in the target site to inject Jikto).
All in all, this is just some hyped, lame, proof of concept script, if you ask me. :/
Update:
One of my favourite hypes regarding Jikto says ``the hacker tool Jikto is spreading uncontrolled'' and ``the script captures computers of clueless Internet users to perform a portscan''; ``security experts are afraid that blackhats could misuse the extremely dangerous potential of this software''.
Botnets? No real threat, not interesting to the media... Hey, there is already a cool botnet monitoring tool from Microsoft, featuring a laggy GUI and dying if more than 2k nets are monitored. Hey, subfolders for each botnet are cool.
Seriously, let's just all commit suicide in such an IT security world. :/

