Topic: Technology
2:41 pm EDT, Apr 6, 2007
Here is a 22-minute webcast, containing a demo of Jikto and detailed discussions about how it works and why these types of attacks are possible.
Jikto Webcast
Facebook rolls out infinite session ids

Topic: Technology
5:52 pm EDT, Apr 3, 2007
To improve the user experience for your application, we've added support for session keys that don't expire. This means that users will only have to log in to Facebook once for your application.

... holy shit, you have to be kidding me.

To take advantage of infinite sessions, your application should permanently store a user's session key and include it in method calls. You won't ever need to establish a new session on behalf of that user, unless the user explicitly logs out of your application. To see infinite sessions in action, check out the Facebook Exporter for iPhoto - once logged in to Facebook for the first time, users should never have to log in again.
Ok, follow the idiot bread crumbs here. First Facebook turns down $800 million. Now they are just asking to get 0wn3d with their "infinite" sessions. I never thought I'd use the words "wet dream" and XSRF in the same sentence, but this is a wet dream for anyone wanting to write a Facebook XSS or XSRF worm. Makes you wonder exactly how many bong hits Mark Zuckerberg did at Harvard.
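To make the risk in the announcement above concrete, here is an added example (not Facebook's API and not code from the original post): a toy server-side session-key store that can issue either a non-expiring "infinite" key or a key with a lifetime, plus a simulation of a third-party app's stored key being copied (say, via XSS on that app) and replayed later. The HMAC tag, the timestamps, the user id and the server secret are all constructed for illustration.

```python
"""Added example, not Facebook's API or code from the original post: a toy
session-key store that contrasts a non-expiring ("infinite") session key with
one that carries a lifetime, so you can see how long a key stolen through XSS
or replayed by an XSRF request stays usable. All names, secrets and timings
below are assumptions for illustration."""
import hmac
import hashlib
import secrets
from dataclasses import dataclass
from typing import Optional

DAY = 86400


@dataclass
class Session:
    user_id: str
    issued_at: int
    expires_at: Optional[int]  # None means the key never expires
    revoked: bool = False


class SessionStore:
    """Server side of a Facebook-style 'session key' API (simplified, constructed)."""

    def __init__(self, server_secret: bytes):
        self._secret = server_secret
        self._sessions: dict[str, Session] = {}

    def issue(self, user_id: str, now: int, ttl: Optional[int]) -> str:
        """Issue a session key. ttl=None reproduces the 'infinite session' design."""
        raw = secrets.token_bytes(16)
        # Key = random id + HMAC tag, so forged keys are rejected before any lookup.
        tag = hmac.new(self._secret, raw, hashlib.sha256).digest()[:8]
        key = (raw + tag).hex()
        self._sessions[key] = Session(user_id, now, None if ttl is None else now + ttl)
        return key

    def validate(self, key: str, now: int) -> Optional[str]:
        """Return the user the key belongs to, or None if the key is unusable."""
        try:
            blob = bytes.fromhex(key)
        except ValueError:
            return None
        raw, tag = blob[:16], blob[16:]
        expected = hmac.new(self._secret, raw, hashlib.sha256).digest()[:8]
        if not hmac.compare_digest(tag, expected):
            return None
        s = self._sessions.get(key)
        if s is None or s.revoked:
            return None
        if s.expires_at is not None and now >= s.expires_at:
            return None
        return s.user_id

    def logout(self, key: str) -> None:
        """The only thing that kills an infinite key: an explicit logout."""
        if key in self._sessions:
            self._sessions[key].revoked = True


def leaked_key_still_works(ttl: Optional[int], leak_delay: int) -> bool:
    """Simulate: a third-party app stores the key; an attacker copies it and
    replays it leak_delay seconds later. True means the replay is accepted."""
    store = SessionStore(b"constructed-server-secret")
    t0 = 1_175_000_000  # constructed timestamp (early April 2007)
    key = store.issue("user-42", t0, ttl)
    return store.validate(key, t0 + leak_delay) == "user-42"


if __name__ == "__main__":
    print("infinite key replayed after a year:", leaked_key_still_works(None, 365 * DAY))
    print("1-day key replayed after a year:   ", leaked_key_still_works(DAY, 365 * DAY))
```

With ttl=None the stolen key is accepted a year later and stays valid until the victim explicitly logs out of that one application; with a finite ttl the same leak closes on its own. The HMAC tag is there only so garbage keys fail fast; it does nothing about replay of a genuine key, which is exactly the property the announcement gives up.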

Topic: Technology
5:30 pm EDT, Apr 3, 2007
I just recorded a webcast about Jikto, including a demo. I had to fix a number of bugs in the original (and leaked) code. Jikto now properly audits POST requests and flags XSS and SQL Injection vulns. I also revamped the web interface, and photoshopped the Nikto logo (property of http://cirt.net) into one for Jikto. Here is a screenshot of Jikto. The demo is rendering on my laptop now, and should be up on SPI's website sometime tomorrow.

Topic: Technology
12:39 am EDT, Mar 31, 2007
Here are the slides from my Shmoocon presentation, JavaScript Malware for a Gray Goo Tomorrow! Nice wrap-up of nasty JavaScript malware and some good information about Jikto. FYI: I'm writing a white paper about Jikto right now with more detailed info and am recording a webcast with a demo of it on Monday. I'll post more here then.
Shmoocon slides/Jikto

SPI Dynamics Announces 1,000th Customer

Topic: Technology
6:16 pm EDT, Mar 28, 2007
While not wanting to drink too much Kool-Aid or make this blog simply a corporate mouthpiece, I was pretty happy with SPI's announcement today.
"Announcing our 1,000th customer is a significant milestone for SPI Dynamics as it demonstrates strong market adoption of web application security and of our innovative, industry leading solutions," said Brian Cohen, CEO of SPI Dynamics. As the industry's leading web application security software provider, SPI Dynamics' products serve a wide variety of customers in many industries. The company's enterprise customers include:
-- Four out of five of the largest banks in the world
-- Nine out of ten of the largest banks in the U.S.
-- Four out of five of the largest software companies
-- Three out of four of the largest aerospace and defense companies
-- The four largest accounting firms
-- The five largest telecommunications companies in the U.S.
-- Six out of eight of the largest technology hardware and equipment companies
-- Two out of three of the largest healthcare companies
-- Over ninety-five U.S. Federal agencies
Simply put, SPI is the largest web scanner vendor in the world, in terms of revenue from web scanning products, number of customers, and number of employees focused on web scanners. I'm extremely proud to be an employee at SPI and hope to stay for many more years.

Topic: Technology
5:36 pm EDT, Mar 27, 2007
derStandard.at: What do you have in store for the next major release?

Miguel de Icaza: In terms of the API, we will make the core and ASP.NET be 2.0 implementations. Other pieces like 2.0 Windows.Forms will be part of a future release. There are three major developments outside of the API tracking:
* The Mono Debugger.
* The Stetic GUI designer.
* The MonoDevelop IDE reaching 1.0
One interesting bit is that all of those technologies will be tied in the 1.0 release of MonoDevelop. For some people, the lack of a debugger has been a big turnoff and we hope to finally fix this problem.
That lack of a debugger has been critical. This makes me unbelievably happy! I write many tools in C# on Linux using Monodevelop, but I'd use it more if they fixed these things:
- GUI Designer that produces Windows.Forms code! I know you can do it! I can take GUI projects from VS2005 and they compile and work just fine in Mono. Don't make me use this Stetic stuff! There is no need for it for simple GUIs, and I don't want to force Windows people to download a GUI framework to look at my proof of concept.
- Better VS2005 Solution/Project support! I've never had even the most basic VS2005 solution/project import properly. Ever. And what about saving a project as a VS solution/project? So often I take code home from the office, drink some Red Bull, hack some code, and then take it back to work. And basically forget going from Monodev -> VS. I have to rebuild the projects/solutions by hand. This needs to get fixed!
- Inline web development - I don't need a designer, but creating websites for mod_mono and Apache inside of Monodev would kick major ass.
Mono, and what I need.

Topic: Technology
9:36 am EDT, Mar 26, 2007
Rattle Says: This week on Reflection we have a very young guy from the webappsec field. Billy’s knowledge on Ajax is tremendous ... his ability to think differently has helped him achieve so much in such a short time. I got a chance to meet with him in the WASC meetup at RSA. He is a very lively character. Let me put it this way, if billy is a part of a conversation, you won’t get bored even if you just stand there and listen.
Anyone who has worked with Billy knows he is one of the best security researchers in the world. Billy is among the first people I contact when I need to bounce an idea off someone, and the insight he brings to the table is always impressive. Based on my firsthand experience, it is incomplete to the degree of inaccuracy to simply say "he thinks outside the box". Billy destroys the box before your eyes while telling you what you need to keep in mind when building your next box. We can say with confidence that when what comes after "Web 2.0"/AJAX is created, Billy's work will be one of the factors driving design decisions. I enjoy watching him repeatedly pop up in the press. I feel proud to have known him back when he was just an unknown college student getting sued for the first time. :)
This has been an interesting week. It started with people who don't even know me questioning my moral fiber. They hadn't seen Jikto. They hadn't asked me what it did. Instead they based all their opinions solely off a news article. As in any situation, forming an opinion, let alone announcing your opinion on a blog, when it's only based on knowledge from 1 or 2 sources is rather irresponsible. However, I must say I laughed more than anything this week. How can you not when you see two people who have never even met you arguing on a public forum: "I think Billy really means this...." "No you're wrong, the larger point of Jikto is ..." I should say that only a handful of these colorful commentators ever stopped to ask me anything. All in all, I think Jikto has been a success. The demo went extremely well. The presentation was packed to standing room only. I gave a detailed description of the architecture, an exhaustive demo, showed proxy dumps of what was happening, and discussed improvements. I received lots of positive feedback and thanks from many important people, including high-level people at Microsoft, Google, MITRE, DoD, IEEE, and Mozilla, for disclosing what I had found. As with any good con, I left with more ideas than I arrived with, and hopefully the audience left with a better understanding of the dangers of XSS.
Jikto craziness

The SPI laboratory : Speaking at Shmoo

Topic: Technology
5:09 pm EDT, Mar 22, 2007
The first part of my presentation will provide an overview of all these new advanced threats. Specifically, how these attacks work and how they can be prevented. In the second half I'll discuss how JavaScript is capable of crawling and auditing third-party websites just like a traditional web scanner. As a proof of concept, I created Jikto, a web scanner written in JavaScript. Although I will not be releasing the source code of Jikto, I will be giving a full live demo and providing a detailed discussion about its methodology and architecture. The purpose of this public discussion and demonstration is to raise awareness of the danger of an XSS vulnerability and educate web developers and administrators on how to create websites securely. The biggest tragedy of all would be if a developer decided to put off fixing an XSS vulnerability because they weren't aware of all the damage that could be done.

RE: FOXNews.com - Computer Tech Accidentally Erases Info on Alaska's $38 Billion Oil Fund - Local News | News Articles | National News | US News

Topic: Technology
3:55 am EDT, Mar 21, 2007
Wraith wrote:
OK, there are several things here...
1. Reformatting the disk drive during a *routine maintenance check*?
2. Number two follows below...
One bargain computer technician - $7.25/hour
Formatting the disk drive containing the data of one of your biggest accounts - $????.??
Reformatting the backup drive as well - $????.??
Your backup's "Backup" tapes unreadable - $????.??
300 boxes that have to be hand scanned - PRICELESS
OK, it had a price, $200,000, but I just couldn't make it fit the way that I wanted to. I'm just sitting here pondering the immensity of this.
$10 says these guys have a data backup policy. $100 says it's sitting in a binder on a dusty bookshelf in the forgotten corner of the data center. $1000 says the policy hasn't been read by any of the IT guys since the day it was created by some policy guy in the CTO's office.

Topic: Technology
7:27 am EDT, Mar 16, 2007
The window.onmouseup doesn't fire in IE6 (others?) but it does in Firefox. You need to use document.onmouseup.