Cross-site scripting (XSS) attacks have been around for years, and have been a favorite technique of script kiddies and others looking to deface Web sites or steal a few cookies in their spare time. But security researchers until now have not paid much attention to such attacks because it was thought that they offered little opportunity to inflict real damage on target machines.
Jikto works by exploiting an XSS flaw on a given Web site and then silently installing itself on a user's PC. It can then operate in one of two modes. In one mode, Jikto crawls a specific Web site in much the same way that a Web application scanner would, looking for common vulnerabilities such as XSS or SQL injection, and then reports the results to whatever machine is controlling it. In the other mode, Jikto calls home to the controlling PC, tells it that it has installed itself on a new machine, and then awaits further instructions from the controller.
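Both modes depend on the same initial foothold: a site that reflects untrusted input into its pages unencoded. The following is an added example, not code from the article or from Jikto, showing the two server-side controls that close that foothold: output encoding of the reflected value, and a Content-Security-Policy whose connect-src directive would stop an injected script from reporting to an outside host. The function names, the policy shown, and the sample query are assumptions constructed for this illustration.

```javascript
// Added example (not from the article or from Jikto): output encoding plus a
// Content-Security-Policy as the defender-side answer to reflected XSS.
// All names and the sample query below are constructed for this illustration.

const HTML_ESCAPES = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;",
};

// Escape untrusted text for HTML body and double-quoted attribute contexts.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// Vulnerable rendering (the "before"): the query is reflected into the page as-is,
// so any markup in it becomes part of the document.
function renderSearchResultsVulnerable(query) {
  return `<p>Results for <b>${query}</b></p>`;
}

// Hardened rendering: the same template with the query encoded for its context.
function renderSearchResults(query) {
  return `<p>Results for <b>${escapeHtml(query)}</b></p>`;
}

// Defence in depth: allow scripts only from the site's own origin and, through
// connect-src, refuse fetch/XHR to any other host. Even if a payload did get
// injected, it could neither load additional code nor phone results home to a
// controller on another origin. 'unsafe-inline' is deliberately absent.
function buildCsp() {
  return [
    "default-src 'self'",
    "script-src 'self'",
    "connect-src 'self'",
    "object-src 'none'",
    "base-uri 'self'",
    "frame-ancestors 'none'",
  ].join("; ");
}

// Simplified model of the browser's connect-src check: may a page served from
// pageOrigin open a connection to reportUrl under this policy? Only the 'self'
// keyword and literal origins are handled; a real browser also falls back to
// default-src and understands host wildcards.
function cspAllowsConnect(csp, pageOrigin, reportUrl) {
  const directive = csp
    .split(";")
    .map((d) => d.trim())
    .find((d) => d.startsWith("connect-src"));
  if (!directive) return true; // no connect-src: simplified to "allowed"
  const sources = directive.split(/\s+/).slice(1);
  const target = new URL(reportUrl).origin;
  return sources.some((s) => (s === "'self'" ? target === pageOrigin : s === target));
}

// Constructed sample input: a search string that happens to contain markup.
const SAMPLE_QUERY = 'shoes" <b>bold</b>';

console.log("vulnerable :", renderSearchResultsVulnerable(SAMPLE_QUERY));
console.log("hardened   :", renderSearchResults(SAMPLE_QUERY));
console.log("policy     :", buildCsp());
console.log(
  "report to other origin allowed?",
  cspAllowsConnect(buildCsp(), "https://shop.example", "https://controller.example/report"),
);
```

The encoding function is the primary control; the policy is a backstop for the case where some template is missed, and the connect-src line in particular is what would deny a browser-resident scanner its reporting channel.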