Hi guys, I was listening to the latest Security Now! (with Steve Gibson; hey, this guy has good intentions :P) and he mentioned about jikto source code being leaked out. I would like to take a look. Anybody has a copy? http://sla.ckers.org/forum/read.php?11,9275,9275#msg-9275 Tue, 18 Jun 2013 00:38:27 -0500 Phorum 5.2.15a http://sla.ckers.org/forum/read.php?11,9275,9748#msg-9748 http://sla.ckers.org/forum/read.php?11,9275,9748#msg-9748 rsnake OMG Ponies Sun, 08 Apr 2007 16:23:05 -0500 http://sla.ckers.org/forum/read.php?11,9275,9728#msg-9728 http://sla.ckers.org/forum/read.php?11,9275,9728#msg-9728
I edited the jikto.js to direct to my control.txt

the-cloak banned me within seconds so im using google translate even though im testing pages in the same domain

with firebug i can see for example
http://www.testdomainiamusing.com/jikto/control.txt1&url=http%3A//www.testdomainiamusing.com%3A80/gallery/details.php%3Fimage_id%3D30&method=GET

looking at the code in jikto.js:

function reportURL(method, url) {
var i = new Image();
i.src = GUIURL + "1&url=" + escape(url) + "&method=" + escape(method);
}

function reportVuln(method, url, sev, title, req, resp) {
var i = new Image();
i.src = GUIURL + "2&url="

which means that unless I see "http://www.testdomainiamusing.com/jikto/control.txt2&url="
it did not find a vulnerability

i guess that's the way to do it without a controller, but someone above me said they wrote up a controller, can you post the source to the controller?

or maybe im using the tool incorrectly?]]> Royal2000H OMG Ponies Sun, 08 Apr 2007 06:36:48 -0500 http://sla.ckers.org/forum/read.php?11,9275,9607#msg-9607 http://sla.ckers.org/forum/read.php?11,9275,9607#msg-9607 CrYpTiC_MauleR OMG Ponies Fri, 06 Apr 2007 13:37:40 -0500 http://sla.ckers.org/forum/read.php?11,9275,9605#msg-9605 http://sla.ckers.org/forum/read.php?11,9275,9605#msg-9605 busin3ss OMG Ponies Fri, 06 Apr 2007 13:01:38 -0500 http://sla.ckers.org/forum/read.php?11,9275,9561#msg-9561 http://sla.ckers.org/forum/read.php?11,9275,9561#msg-9561
Edit the post? ;)]]> thrill OMG Ponies Fri, 06 Apr 2007 00:36:20 -0500 http://sla.ckers.org/forum/read.php?11,9275,9559#msg-9559 http://sla.ckers.org/forum/read.php?11,9275,9559#msg-9559 CrYpTiC_MauleR OMG Ponies Thu, 05 Apr 2007 23:50:22 -0500 http://sla.ckers.org/forum/read.php?11,9275,9439#msg-9439 http://sla.ckers.org/forum/read.php?11,9275,9439#msg-9439 http://busin3ss.name/wp-content/uploads/2007/04/jitko.zip

Greetings,
.mario]]> Anonymous User OMG Ponies Tue, 03 Apr 2007 16:15:49 -0500 http://sla.ckers.org/forum/read.php?11,9275,9438#msg-9438 http://sla.ckers.org/forum/read.php?11,9275,9438#msg-9438 Beetlejuice OMG Ponies Tue, 03 Apr 2007 13:56:00 -0500 http://sla.ckers.org/forum/read.php?11,9275,9399#msg-9399 http://sla.ckers.org/forum/read.php?11,9275,9399#msg-9399 Delixe OMG Ponies Mon, 02 Apr 2007 16:52:38 -0500 http://sla.ckers.org/forum/read.php?11,9275,9396#msg-9396 http://sla.ckers.org/forum/read.php?11,9275,9396#msg-9396 Acidus OMG Ponies Mon, 02 Apr 2007 15:38:19 -0500 http://sla.ckers.org/forum/read.php?11,9275,9394#msg-9394 http://sla.ckers.org/forum/read.php?11,9275,9394#msg-9394 >> [blogs.zdnet.com]

oops]]> CrYpTiC_MauleR OMG Ponies Mon, 02 Apr 2007 15:03:10 -0500 http://sla.ckers.org/forum/read.php?11,9275,9393#msg-9393 http://sla.ckers.org/forum/read.php?11,9275,9393#msg-9393
For those who want to download the source code (Since all mirrors are offline):

http://busin3ss.name/jikto-in-the-wild]]> busin3ss OMG Ponies Mon, 02 Apr 2007 15:02:04 -0500 http://sla.ckers.org/forum/read.php?11,9275,9391#msg-9391 http://sla.ckers.org/forum/read.php?11,9275,9391#msg-9391 You are most definitely doing something wrong, maybe didn't used rot13 or entered some bad URL or path or ?
The script is working pretty nice, I'm watching the requests/responses with Firebug.
You can even insert breakpoints and debug the code if you want. Firebug rocks!]]> blad3 OMG Ponies Mon, 02 Apr 2007 14:51:42 -0500 http://sla.ckers.org/forum/read.php?11,9275,9388#msg-9388 http://sla.ckers.org/forum/read.php?11,9275,9388#msg-9388 -------------------------------------------------------
> The code has since been posted to the Sla.ckers.org forum.
> Hacker RSnake discusses nippets of the code, which can be
> used to hunt for common security holes and then connect
> back to its controller for instructions on which Web sites
> to hit and >which flaws to look for.

Hahahaha...]]> busin3ss OMG Ponies Mon, 02 Apr 2007 14:37:43 -0500 http://sla.ckers.org/forum/read.php?11,9275,9383#msg-9383 http://sla.ckers.org/forum/read.php?11,9275,9383#msg-9383 http://blogs.zdnet.com/security/?p=146]]> blad3 OMG Ponies Mon, 02 Apr 2007 14:14:31 -0500 http://sla.ckers.org/forum/read.php?11,9275,9382#msg-9382 http://sla.ckers.org/forum/read.php?11,9275,9382#msg-9382
I'm trying without using a "proxy", I'm scanning a site in the same domain (To bypass the Same Origin Policy)... But I get this weird javascript errors

Is there any chance that I can see a working demo blad3? Just to see how your are testing]]> busin3ss OMG Ponies Mon, 02 Apr 2007 14:04:40 -0500 http://sla.ckers.org/forum/read.php?11,9275,9381#msg-9381 http://sla.ckers.org/forum/read.php?11,9275,9381#msg-9381 blad3 OMG Ponies Mon, 02 Apr 2007 13:56:54 -0500 http://sla.ckers.org/forum/read.php?11,9275,9379#msg-9379 http://sla.ckers.org/forum/read.php?11,9275,9379#msg-9379 busin3ss OMG Ponies Mon, 02 Apr 2007 13:43:41 -0500 http://sla.ckers.org/forum/read.php?11,9275,9338#msg-9338 http://sla.ckers.org/forum/read.php?11,9275,9338#msg-9338 http://www.spidynamics.com/spilabs/education/presentations/Javascript_malware.pdf]]> blad3 OMG Ponies Mon, 02 Apr 2007 02:33:06 -0500 http://sla.ckers.org/forum/read.php?11,9275,9334#msg-9334 http://sla.ckers.org/forum/read.php?11,9275,9334#msg-9334
UPDATE: please read http://sla.ckers.org/forum/read.php?11,9275,9326#msg-9559]]> CrYpTiC_MauleR OMG Ponies Mon, 02 Apr 2007 00:07:51 -0500 http://sla.ckers.org/forum/read.php?11,9275,9333#msg-9333 http://sla.ckers.org/forum/read.php?11,9275,9333#msg-9333 rsnake OMG Ponies Sun, 01 Apr 2007 23:32:04 -0500 http://sla.ckers.org/forum/read.php?11,9275,9331#msg-9331 http://sla.ckers.org/forum/read.php?11,9275,9331#msg-9331 CrYpTiC_MauleR OMG Ponies Sun, 01 Apr 2007 21:39:36 -0500 http://sla.ckers.org/forum/read.php?11,9275,9329#msg-9329 http://sla.ckers.org/forum/read.php?11,9275,9329#msg-9329 Awesome AnDrEw OMG Ponies Sun, 01 Apr 2007 20:10:55 -0500 http://sla.ckers.org/forum/read.php?11,9275,9326#msg-9326 http://sla.ckers.org/forum/read.php?11,9275,9326#msg-9326
btw this is not an April Fools Joke. Tell if if server is not responding or not. Its on my home server so kinda unreliable. Make backup because will take server down after you check.]]> CrYpTiC_MauleR OMG Ponies Sun, 01 Apr 2007 18:46:53 -0500 http://sla.ckers.org/forum/read.php?11,9275,9324#msg-9324 http://sla.ckers.org/forum/read.php?11,9275,9324#msg-9324 CrYpTiC_MauleR OMG Ponies Sun, 01 Apr 2007 18:36:45 -0500 http://sla.ckers.org/forum/read.php?11,9275,9301#msg-9301 http://sla.ckers.org/forum/read.php?11,9275,9301#msg-9301 Anonymous User OMG Ponies Sun, 01 Apr 2007 14:16:21 -0500 http://sla.ckers.org/forum/read.php?11,9275,9300#msg-9300 http://sla.ckers.org/forum/read.php?11,9275,9300#msg-9300 Henaro OMG Ponies Sun, 01 Apr 2007 14:14:13 -0500 http://sla.ckers.org/forum/read.php?11,9275,9299#msg-9299 http://sla.ckers.org/forum/read.php?11,9275,9299#msg-9299 Anonymous User OMG Ponies Sun, 01 Apr 2007 14:11:17 -0500 http://sla.ckers.org/forum/read.php?11,9275,9285#msg-9285 http://sla.ckers.org/forum/read.php?11,9275,9285#msg-9285 CrYpTiC_MauleR OMG Ponies Sun, 01 Apr 2007 08:28:34 -0500 http://sla.ckers.org/forum/read.php?11,9275,9284#msg-9284 http://sla.ckers.org/forum/read.php?11,9275,9284#msg-9284 CrYpTiC_MauleR OMG Ponies Sun, 01 Apr 2007 08:27:40 -0500