[Novalug] jikto

Matt Ahrens matt.ahrens at gmail.com
Mon Apr 2 11:29:41 EDT 2007 

It definitely looks and feels "grey hat", but I couldn't tell you as I
haven't actually tried to use it.  It's a cool proof of concept of the true
ability of XSS attacks.

I'm sure somebody could generate a talk about it, but if you wait a few
weeks, the Shmoo group should post the video from the ShmooCon presentation
on it for a free download (http://www.shmoocon.org/).

If anyone is specifically interested in security concepts and tools you
might want to check out NoVASec (http://novasec.blogspot.com/), local group
that meets fairly regularly talking about security based ideas.

On 4/1/07, gregory pryzby <greg at pryzby.org> wrote:
>
> Sounds interesting and maybe someone can give a talk on it at a LUG
> meeting.
>
> So, it is a 'grey hat' tool?
>
> I have mixed feelings about something that makes it easy for
> script-kiddies to exploit sites. I like some barrier of entrance so
> the user has to have some intelligence to use the tool. If it
> exploits web stuff, then require some web programming knowledge.
>
> Of course my knowledge is this post only. Maybe I will read the link
> and do some research.
>
> Thanks
>
> On Sat, Mar 31, 2007 at 04:42:51PM -0500, Matt Ahrens wrote:
> > http://www.grc.com/securitynow.htm
> >
> > The latest security now podcast has an explanation of this tool for
> those who
> > don't know what it is/how it works.
> >
> > The short version for those who don't want to listen through an hour
> long
> > podcast is:
> >
> > Jikto is a web application security tool released by Spi Dynamics which
> > exploits cross site scripting vulnerabilities and executes a web
> application
> > vulnerability scanner from compromised clients of the targeted web site.
> >
> > I haven't used it and missed the ShmooCon presentation on
> it.  Eventually, the
> > Shmoo Group will post the video of the presentation, and you can see a
> demo
> > from the author of what it does how it works.
> >
> > To the OP, it can be a very powerful tool, I wasn't a huge fan of Nikto
> (the
> > scanner used for Jikto) as it generally had excessive false
> positives.  I
> > haven't used it, so I can't tell you if its effective or not, i suspect
> it
> > would make a nice demo for programmers and other technical people.
> >
> > Thanks,
> > Matt
> >
> > On 3/31/07, gregory pryzby <greg at pryzby.org> wrote:
> >
> >     Maybe because I have no idea what it is and there was no link?
> >
> >     Some people are too connected (ssh on a treo) but can't move to a
> >     browser at the same time or spell the word correctly.
> >
> >     I don't think anything about it because I don't know anything about
> it
> >     :)
> --
> greg pryzby                              greg at pryzby dot org
> fingerprint: 8A1A DB90 869F 5DD1 D6E9 EEB6 C156 6B04 849F A86F
>
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.3 (GNU/Linux)
>
> iD8DBQFGD6rewVZrBISfqG8RAvi6AKCCG+BXP4x6nA3h8xSnCSxMutRFjwCfUM9O
> rp2rVN8B9XStAPx2RV4fzBs=
> =QegI
> -----END PGP SIGNATURE-----
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://calypso.tux.org/pipermail/novalug/attachments/20070402/25043170/attachment.htm

More information about the Novalug mailing list