June 6, 2023

PunkSpider, essentially a tool that crawls the internet to create a searchable database of hackable sites across the web, is resurfacing at the Defcon conference. This is the first time people will be able to use the tool since it went dark in 2015.

PunkSpider works by automatically scanning sites on the open web and “fuzzing” each one, which is essentially hacker-speak for feeding data into the code underlying a website to see what vulnerabilities jump out. It will be looking for sites susceptible to some of the more common exploits in a hacker’s arsenal, like SQL injections and cross-site scripting attacks.

HackerOne revealed that the top vulnerability that white-hat hackers were reporting through its bug bounty program was the aforementioned cross-site scripting, essentially exploits that let hackers inject malicious links into otherwise benign sites.

PunkSpider’s original iteration launched ten years ago, the pet project of software dev Alejandro Caceres and his software firm, Hyperion Gray. But pretty soon, Caceres was facing technical and fiscal roadblocks that resulted in his tool only scanning the web once a year, before collapsing entirely. Earlier this year, though, the Virginia-based tech firm QOMPLX acquired Hyperion Gray and announced it would be rebooting PunkSpider.

The new project will feature a database that users can search using a site’s URL or the type of vulnerability they’re curious about, along with a Chrome-based browser extension that checks the websites you’re visiting for any apparent security flaws. Depending on how riddled with bugs a site might be, PunkSpider will assign a rating to a given site using a “dumpster fire” rating system that rates how much of a dumpster fire that site’s security actually is.

With hacker-friendly search engines like PunkSpider, Shodan, or Censys, there’s always an ethical question that comes with releasing them to the public. On one hand, being tipped off about a site vulnerability might convince that site’s operator to get their shit together and close that gap. On the other, having a list of publicly accessible, easily exploitable sites means that anyone, good or bad, is free to poke around.

That means for all the good Caceres’s tool might be doing for the cybersecurity community writ large, there’s the very real possibility that it will open some of these sites to harmful attacks that they wouldn’t otherwise be struck with. At the very least, this is ample motivation for these operators to start taking their security seriously.
