PunkSPIDER project founder defends 'Google for web app vulns'

Global bug scanner can be used 'for good or for evil'

The Essential Guide to IT Transformation

The founder of a project that aims to offer a global web application vulnerability scanner has defended the potentially controversial technology. The tech is a useful tool to check the security of websites you use for shopping, or to which you've submitted your personal data, but it could equally be a tool for budding VXers - although, as its founder points out: checking for the existence of vulnerabilities is not the same as exploiting them in an actual attack.

Alejandro Caceres, CTO at Hyperion Gray, presented the PunkSPIDER project at the ShmooCon 2013 cyber security conference in Washington DC on Saturday, 16 February.

"[PunkSPIDER] is a global web application vulnerability repository that is on track to cover the entire internet - we've discovered hundreds of thousands of vulnerabilities already," Caceres explained. "This information is being made available for free to the general public in a search engine format, because we believe that the general public, not just the security community, should have access to information about the security status of the websites they use every day."

The scanner and its architecture can handle a massive number of web application vulnerability scans, "set them loose on the internet, and make the results available to you". It runs off of an Apache Hadoop cluster.

Caceres added that the presentation was "really well-received despite (or maybe because of) it being a bit controversial," he added.

Early reactions to the PunkSPIDER have been mixed, although many have praised the technology for its innovation. PunkSPIDER is built on a scalable architecture, built for stability, and designed to help organisations to run vulnerability detection and mitigation of their publicly available assets.

However others have criticised PunkSPIDER as offering little more than a "centralized database for scriptkiddies".

Caceres told El Reg: "In fact, the goal of my project [is] to alert firms to such vulnerabilities – for free – so that they could have their web developers fix it.

Not of much use to black hatters, actually

"I think there are probably quite a few folks out there who are conflating checking for the existence of vulnerabilities with exploiting them in an actual attack. But just to be clear, no one can conduct an exploit from PunkSPIDER nor is it intended for this purpose," Caceres added.

Possible comparisons between PunkSPIDER and Metasploit are also wide of the mark because there’s no “sploit-ing” involved with PunkSPIDER.

"The main difference is that Metasploit is a repository of exploits that can be readily used against targets, whereas PunkSPIDER is a repository of specific discovered vulnerabilities on websites," Caceres, adding that the technology is more like a SHODAN1 for live web app vulnerabilities.

Caceres said the abuse of PunkSPIDER by script kiddies is a legitimate concern but argued that the tool helps the owners of Mom and Pop websites far more than it helps unskilled black-hat hackers. As a general note, the vulnerabilities that PunkSPIDER discovers are the most basic vulnerabilities that simple web development best practices could easily avoid.

"We’re not giving script kiddies any information that they can’t get on their own," Caceres said. "In fact any and every website on the public internet is likely to get scanned for vulnerabilities by someone within weeks of going up. If the average website owner could plug in an IDS and watch the traffic on their website, they could see this for themselves – I do this in my day job and it’s admittedly pretty astonishing."

Caceres acknowledged that PunkSPIDER can be "used for good or for evil" but the same point could be made about Metaploit and even Google hacking, as pioneered by Johnny Long, adding that he hoped the PunkSPIDER project will help to raise awareness about the issue of insecure and unsafe websites.

"There are enough threats on the internet already, we have no excuse for not eliminating the most common and simple of these," Caceres explained.

"We also take extreme care to do very safe checks against sites, and we respect robots.txt and don’t crawl sites that don’t want to be crawled."

He adds: "But one of my main points is that the average website owner doesn’t focus on website security, so we’re trying to make it more accessible to them (for free) and also point out that if they don’t take a few basic precautions, someone will break into their site - it’s only a matter of time. The first thing that we hope any website owner does when they hear about PunkSPIDER is go search for their own site or sites," he said, adding that he hopes the tool will also be useful to ordinary web surfers.

Kickstarting a community

The open-source project is seeking donations. "I’m committed to PunkSPIDER being a free and open-source project for the duration of its existence, and I don’t have any plans to monetise the project in any way, aside from seeking donations to cover my operating costs whenever possible, thus the Kickstarter," Caceres explained.

"I hope it becomes a community project, with like-minded people contributing new ideas for how to further its underlying mission. One idea I’ve already received is for a Firefox plugin that tells a user when they are visiting a site that has registered vulnerabilities in our database," he added.

Other ideas include is publishing a set of PunkSPIDER rules that sysadmins can apply to their firewalls to block users from visiting unsafe sites. ®


1 The Shodan search tool indexes routers, servers and other internet devices creating a means to pinpoint industrial control systems that might be vulnerable to tampering, among other applications.

Build a business case: developing custom apps

More from The Register

next story
14 antivirus apps found to have security problems
Vendors just don't care, says researcher, after finding basic boo-boos in security software
'Things' on the Internet-of-things have 25 vulnerabilities apiece
Leaking sprinklers, overheated thermostats and picked locks all online
iWallet: No BONKING PLEASE, we're Apple
BLE-ding iPhones, not NFC bonkers, will drive trend - marketeers
Only '3% of web servers in top corps' fully fixed after Heartbleed snafu
Just slapping a patched OpenSSL on a machine ain't going to cut it, we're told
Multipath TCP speeds up the internet so much that security breaks
Black Hat research says proposed protocol will bork network probes, flummox firewalls
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Israel's Iron Dome missile tech stolen by Chinese hackers
Corporate raiders Comment Crew fingered for attacks
Tor attack nodes RIPPED MASKS off users for 6 MONTHS
Traffic confirmation attack bared users' privates - but to whom?
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
prev story


Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Boost IT visibility and business value
How building a great service catalog relieves pressure points and demonstrates the value of IT service management.
Why and how to choose the right cloud vendor
The benefits of cloud-based storage in your processes. Eliminate onsite, disk-based backup and archiving in favor of cloud-based data protection.
The Essential Guide to IT Transformation
ServiceNow discusses three IT transformations that can help CIO's automate IT services to transform IT and the enterprise.
Maximize storage efficiency across the enterprise
The HP StoreOnce backup solution offers highly flexible, centrally managed, and highly efficient data protection for any enterprise.