A researcher at the security event ShmooCon has demonstrated proof-of-concept code showing how JavaScript can be used to turn an unsuspecting browser into a hacker attack instrument.

The tool is called Jikto, a reference to a popular hacker vulnerability-scanner called Nikto, and was demonstrated on Saturday by SPI Dynamics researcher Billy Hoffman.

Hoffman said he created Jikto to demonstrate that cross-site scripting (XSS) vulnerabilities are now allowing hackers to carry out highly dangerous attacks, something developers aren't sufficiently aware of.

"Self-propagating XSS+Ajax worms, advanced keystroke and mouse loggers, port scanning, fingerprinting and assaulting intranet applications, as well as stealing search engine queries or browser histories, are now all components in an attacker's toolbox," Hoffman wrote in a post on SPI's site.

Jikto is a vulnerability scanner written in JavaScript. When a web browser with JavaScript enabled visits a site containing the tool, it can latch onto the browser, and can then scan any site the user visits for XSS bugs, reporting the results to a third party.

If a site visited does contain an XSS flaw, the tool can embed itself in the site and propagate to other visiting JavaScript-enabled browsers.

In theory, an attacker could use a tool such as Jikto to create a distributed vulnerability-scanning network using innocent users' browsers to scan vast numbers of websites for flaws, Hoffman said.

"JavaScript is capable of crawling and auditing third-party websites just like a traditional web scanner," he said in the posting.

Such a scanner wouldn't necessarily be the most effective or efficient way for attackers to find vulnerabilities, but the point is that it is possible with JavaScript, and that XSS poses real dangers, something most developers would be surprised to learn, Hoffman said.

"This homogenous platform, coupled with JavaScript’s new features, has enabled attackers to perform advanced attacks using XSS that were thought to be impossible even two years ago," he wrote. "The biggest tragedy of all would be if a developer decides to put off fixing a XSS vulnerability because they weren’t aware of all the damage that could be done."

Hoffman was initially planning to release the code for Jikto at the event, but decided against it after SPI voiced concerns. However, he said his work would be easy to duplicate, and attackers are likely to already be actively exploiting the possibilities he demonstrated.

Windows Live Italy's search engine, Yahoo's webmail and MySpace have all recently been struck by attacks exploiting XSS flaws.

Blocking such malware at the JavaScript level is next to impossible, Hoffman said at the presentation, since the problem is not a bug in the technology but a legitimate capability of it that can be subverted.

The best way to ensure security is to eliminate XSS flaws in websites, he said.
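As an added illustration of that recommendation (this is example code written for this article, not code from Jikto, SPI Dynamics or Hoffman), the snippet below shows the fix that removes a reflected XSS flaw: escaping untrusted input before it is placed into HTML. The `renderSearch*` functions, the `escapeHtml` helper and the sample query string are all assumptions constructed here; the vulnerable version concatenates the query straight into markup, the hardened version escapes it first, and a small check confirms that the escaped output contains no tag the template did not emit.

```javascript
// Added example: escaping untrusted input before it enters HTML, the kind of
// fix that eliminates an XSS flaw. Names and inputs are constructed for this
// example; none of this is Jikto or SPI Dynamics code.

// Escape the five characters that let text break out of an HTML text node
// or a double-quoted attribute value.
function escapeHtml(untrusted) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(untrusted).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Vulnerable rendering (hypothetical): the search query is concatenated
// straight into the page, so any markup in it becomes live HTML.
function renderSearchVulnerable(query) {
  return `<p>Results for: ${query}</p>`;
}

// Hardened rendering (hypothetical): the same template, with the untrusted
// value escaped so the browser shows it as text instead of executing it.
function renderSearchSafe(query) {
  return `<p>Results for: ${escapeHtml(query)}</p>`;
}

// Crude check used only in this example: does the markup contain any tag
// other than the <p> our template emits? Real deployments rely on escaping
// (plus a Content-Security-Policy header), not on detection after the fact.
function containsForeignTag(html) {
  return /<(?!\/?p\b)[a-z]/i.test(html);
}

// Constructed sample input: a classic reflected-XSS probe of the sort an
// automated scanner submits to a search form.
const sampleQuery = '<script>alert(1)</script>';

console.log('vulnerable :', renderSearchVulnerable(sampleQuery),
            '-> foreign tag:', containsForeignTag(renderSearchVulnerable(sampleQuery)));
console.log('hardened   :', renderSearchSafe(sampleQuery),
            '-> foreign tag:', containsForeignTag(renderSearchSafe(sampleQuery)));
```

Run it with `node` to see the two renderings side by side. The escaping here is correct for HTML text and attribute contexts only; data inserted into a `<script>` block, a URL or a CSS value needs the encoding rules of that context instead.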