PunkSPIDER project founder defends 'Google for web app vulns'

Global bug scanner can be used 'for good or for evil'


The founder of a project that aims to offer a global web application vulnerability scanner has defended the potentially controversial technology. The tech is a useful tool to check the security of websites you use for shopping, or to which you've submitted your personal data, but it could equally be a tool for budding VXers - although, as its founder points out, checking for the existence of vulnerabilities is not the same as exploiting them in an actual attack.

Alejandro Caceres, CTO at Hyperion Gray, presented the PunkSPIDER project at the ShmooCon 2013 cyber security conference in Washington DC on Saturday, 16 February.

"[PunkSPIDER] is a global web application vulnerability repository that is on track to cover the entire internet - we've discovered hundreds of thousands of vulnerabilities already," Caceres explained. "This information is being made available for free to the general public in a search engine format, because we believe that the general public, not just the security community, should have access to information about the security status of the websites they use every day."

The scanner and its architecture can handle a massive number of web application vulnerability scans, "set them loose on the internet, and make the results available to you". It runs on an Apache Hadoop cluster.

Caceres added that the presentation was "really well-received despite (or maybe because of) it being a bit controversial".

Early reactions to PunkSPIDER have been mixed, although many have praised the technology for its innovation. PunkSPIDER is built on a scalable architecture designed for stability, and is intended to help organisations run vulnerability detection and mitigation across their publicly available assets.

However, others have criticised PunkSPIDER as offering little more than a "centralized database for scriptkiddies".

Caceres told El Reg: "In fact, the goal of my project [is] to alert firms to such vulnerabilities – for free – so that they could have their web developers fix it.

Not of much use to black hatters, actually

"I think there are probably quite a few folks out there who are conflating checking for the existence of vulnerabilities with exploiting them in an actual attack. But just to be clear, no one can conduct an exploit from PunkSPIDER nor is it intended for this purpose," Caceres added.

Possible comparisons between PunkSPIDER and Metasploit are also wide of the mark because there’s no “sploit-ing” involved with PunkSPIDER.

"The main difference is that Metasploit is a repository of exploits that can be readily used against targets, whereas PunkSPIDER is a repository of specific discovered vulnerabilities on websites," Caceres said, adding that the technology is more like a SHODAN[1] for live web app vulnerabilities.

Caceres said the abuse of PunkSPIDER by script kiddies is a legitimate concern but argued that the tool helps the owners of Mom and Pop websites far more than it helps unskilled black-hat hackers. As a general note, the vulnerabilities that PunkSPIDER discovers are the most basic vulnerabilities that simple web development best practices could easily avoid.

"We’re not giving script kiddies any information that they can’t get on their own," Caceres said. "In fact any and every website on the public internet is likely to get scanned for vulnerabilities by someone within weeks of going up. If the average website owner could plug in an IDS and watch the traffic on their website, they could see this for themselves – I do this in my day job and it’s admittedly pretty astonishing."

Caceres acknowledged that PunkSPIDER can be "used for good or for evil", but the same point could be made about Metasploit and even Google hacking, as pioneered by Johnny Long. He added that he hoped the PunkSPIDER project will help to raise awareness about the issue of insecure and unsafe websites.

"There are enough threats on the internet already, we have no excuse for not eliminating the most common and simple of these," Caceres explained.

"We also take extreme care to do very safe checks against sites, and we respect robots.txt and don’t crawl sites that don’t want to be crawled."
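The robots.txt compliance Caceres describes is the kind of check a scanner's crawler must run before every fetch. The following is an added example, not PunkSPIDER's own code; the sample robots.txt, the hostnames and the "PunkSPIDER" user-agent string are constructed assumptions. It handles per-user-agent groups, falls back to the `*` group, and applies longest-match precedence with Allow winning ties.

```python
# Added example (not PunkSPIDER's code): decide whether a crawler may fetch a URL
# under a site's robots.txt, so that sites which opt out are never crawled.
from urllib.parse import urlsplit

# Constructed sample robots.txt for illustration only.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /admin/
Disallow: /private

User-agent: PunkSPIDER
Disallow: /
Allow: /public/
"""

def parse_robots(text):
    """Return {agent_lower: [(allow: bool, path), ...]} for each User-agent group."""
    groups, current, last_was_agent = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if last_was_agent:            # consecutive User-agent lines share rules
                groups[value.lower()] = current
            else:
                current = groups.setdefault(value.lower(), [])
            last_was_agent = True
        elif field in ("allow", "disallow"):
            last_was_agent = False
            if value:                     # an empty Disallow means "allow everything"
                current.append((field == "allow", value))
    return groups

def is_allowed(robots_text, user_agent, url):
    """True if the rules for user_agent (or the '*' group) permit fetching url."""
    groups = parse_robots(robots_text)
    rules = groups.get(user_agent.lower(), groups.get("*", []))
    path = urlsplit(url).path or "/"
    best = None  # (match length, allow?) of the most specific matching rule
    for allow, rule_path in rules:
        if path.startswith(rule_path):
            key = (len(rule_path), allow)   # longest wins; Allow beats Disallow on ties
            if best is None or key > best[0]:
                best = (key, allow)
    return True if best is None else best[1]
```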

He adds: "But one of my main points is that the average website owner doesn’t focus on website security, so we’re trying to make it more accessible to them (for free) and also point out that if they don’t take a few basic precautions, someone will break into their site - it’s only a matter of time. The first thing that we hope any website owner does when they hear about PunkSPIDER is go search for their own site or sites," he said, adding that he hopes the tool will also be useful to ordinary web surfers.

Kickstarting a community

The open-source project is seeking donations. "I’m committed to PunkSPIDER being a free and open-source project for the duration of its existence, and I don’t have any plans to monetise the project in any way, aside from seeking donations to cover my operating costs whenever possible, thus the Kickstarter," Caceres explained.

"I hope it becomes a community project, with like-minded people contributing new ideas for how to further its underlying mission. One idea I’ve already received is for a Firefox plugin that tells a user when they are visiting a site that has registered vulnerabilities in our database," he added.

Other ideas include publishing a set of PunkSPIDER rules that sysadmins can apply to their firewalls to block users from visiting unsafe sites. ®


[1] The Shodan search tool indexes routers, servers and other internet devices, creating a means to pinpoint industrial control systems that might be vulnerable to tampering, among other applications.