Punkspider is controversial but it works well

The abuse of PunkSpider by script kiddies is a legitimate concern, but the argument is that the tool helps operators of mom-and-pop websites more than it helps unskilled black-hat hackers. In general, the vulnerabilities PunkSpider discovers are fundamental weaknesses that basic web development best practices should already prevent.

Caceres acknowledges that PunkSpider can be used for good or bad - the same argument was made by Metasploit and Google hacking pioneer Johnny Nix - and adds that he hopes the project will raise awareness of the problem of unsafe and insecure websites. Caceres also believes it will push network administrators to fix the ubiquitous bugs that hackers abuse against them.

On top of being a search engine, Caceres and Hopper's tool also has a built-in Chrome plug-in that scans every site a user visits for hackable bugs. Once a website is in the database, users can search it by URL, keyword, vulnerability, severity and bugs. The search tool and browser plug-in give each website a "dumpster fire" score of 1 to 5 based on the number and severity of the vulnerabilities it contains.
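The page does not publish how the 1-to-5 score is computed, so the following is an added illustration, not PunkSpider's own code, of how a per-site score can combine the count of findings with their severity and how defenders would use it to triage. The finding format (dicts with a `severity` key), the weights and the thresholds are all assumptions.

```python
"""Added illustration of a severity-weighted 1-5 "dumpster fire" score.

This is not PunkSpider's code; its real formula is not on the page. The weights,
thresholds and the finding format (dicts with a 'severity' key) are assumptions.
"""

# Hypothetical weight per severity level (assumption).
SEVERITY_WEIGHT = {"low": 1, "medium": 3, "high": 6, "critical": 10}

# Hypothetical cut-offs on the weighted total for scores 2..4; above the last is 5 (assumption).
THRESHOLDS = [(3, 2), (9, 3), (20, 4)]


def weighted_total(findings):
    """Sum the severity weights of all findings; unknown severities are rejected."""
    total = 0
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev not in SEVERITY_WEIGHT:
            raise ValueError(f"unknown severity: {sev!r}")
        total += SEVERITY_WEIGHT[sev]
    return total


def dumpster_fire_score(findings):
    """Map a site's findings to 1 (nothing found) .. 5 (on fire).

    Count and severity both matter: many low findings can raise the score, and a
    single critical finding floors it at 4 regardless of the weighted total.
    """
    if not findings:
        return 1
    total = weighted_total(findings)
    score = 5
    for limit, bucket in THRESHOLDS:
        if total <= limit:
            score = bucket
            break
    if any(str(f.get("severity", "")).lower() == "critical" for f in findings):
        score = max(score, 4)
    return score


def triage(sites):
    """Order sites worst-first so the biggest fires get fixed first.

    `sites` maps a site name to its list of findings; returns (name, score) pairs.
    """
    scored = [(name, dumpster_fire_score(findings)) for name, findings in sites.items()]
    return sorted(scored, key=lambda pair: (-pair[1], pair[0]))


# Constructed sample data: three made-up sites with made-up findings.
SAMPLE_SITES = {
    "shop.example": [
        {"type": "xss", "severity": "medium"},
        {"type": "xss", "severity": "medium"},
        {"type": "sqli", "severity": "critical"},
    ],
    "blog.example": [{"type": "path-traversal", "severity": "low"}],
    "static.example": [],
}

if __name__ == "__main__":
    for name, score in triage(SAMPLE_SITES):
        print(f"{name}: {score}/5")
```

Run as a script it prints the three sample sites worst-first; the critical floor is what keeps a site with one SQL injection bug from hiding behind a low weighted total.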

Ransomware attacks plague businesses and consumers alike, and vulnerable web applications play a tragic role in harvesting user information that feeds global fraud and criminal enterprises. Qomplx recognizes that everyday Internet users and the cyber community need a shared view of the specific dangers of the Internet. For this reason, the company has revived PunkSpider, a powerful tool that scans and identifies vulnerabilities in websites across the breadth and depth of the web.

Rather than a search engine that indexes the entire web, PunkSpider is a tool that detects hackable vulnerabilities in websites and lets search results surface pages susceptible to defacement or data leaks before they leak. Alejandro Caceres and Jason Hopper say the tool creates a catalogue of vulnerabilities that millions of people can access, making them easily accessible.

For example, in January last year security researchers found a web vulnerability that permitted anyone to take over a Fortnite account, and earlier this year a web bug allowed hacktivists to crack the right-wing social media site Gab and release 70 gigabytes of its back-end data. The types of web vulnerabilities that PunkSpider finds remain common even after years of warnings. Its creators say it has catalogued hundreds of thousands of hackable vulnerabilities in websites since launch, making them easily accessible to anyone.

The types of web vulnerabilities that PunkSpider hunts for remain widespread even after years of warnings. They are regarded as low-hanging fruit in the hacking world, yet they exist across much of the Internet. The web is a hotbed for hackers, offering hundreds of millions of public servers to comb through for major vulnerabilities that can be exploited.

Alejandro Caceres and Jason Hopper plan to release an update to PunkSpider at the Defcon hacker conference next month, after a year off the shelf.

PunkSpider is a powerful tool that scans and identifies vulnerabilities on websites across the depth and breadth of the Internet. It provides a simple and scalable monitoring tool that exposes gaps in collective defense and highlights websites that could fall victim to attackers. Unlike search engines, which index the entire web, PunkSpider can identify vulnerabilities in websites that have already been compromised, allowing search results to find websites that are susceptible to defacement and data breaches. PunkSpider 5.0 expands the scale of PunkSpider's known web vulnerability scanners and adds the top 10% of vulnerabilities to its detection priorities.

The new version of the tool is made possible by the recent acquisition of PunkSpider, the famed web vulnerability scanner built by parent company Hyperion Gray, by Qomplx, a leading provider of cloud-native risk analytics. Dubbed Google for "the broken web," PunkSpider democratised web vulnerability scanning when it launched in 2013. Developed by Alejandro Caceres and the Hyperion Gray team and funded by the Pentagon's Defense Advanced Research Projects Agency (DARPA), it scans and identifies vulnerabilities across the public web, including cross-site scripting, SQL injection and path traversal.

The idea for Caceres and Hopper's Defcon talk came about ten years ago, in the summer of 2011, when hackers from Anonymous and its splinter group LulzSec rampaged online, stealing data and defacing sites, enabled largely by simple web vulnerabilities. Caceres admits that malicious hackers have used PunkSpider to locate hackable websites. But he argues that the scanner can just as well be used to find web vulnerabilities before attackers do.

Caceres pointed out at the time that inexperienced hackers would have difficulty finding the preponderance of web bugs.

The checklist consists of SQL injection vulnerabilities, which let hackers enter database commands into a website's input fields, corrupt the website and spill the contents of its back-end database; cross-site scripting vulnerabilities, which let hackers craft malicious hyperlinks that load a modified version of the site when a victim clicks them, enabling phishing and malware delivery; and path-traversal vulnerabilities, which let hackers manipulate a website's URL to reach sensitive files on the server hosting it. Caceres and Hopper hope the visibility will pressure network administrators to acknowledge that their websites contain simple and obvious bugs and fix them. A rendered version of PunkSpider reveals the true weaknesses of major websites.
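The three bug classes on that checklist are easiest to understand side by side with their fixes. The block below is an added example, not PunkSpider's scanner or any code from Hyperion Gray: each class appears as a vulnerable handler next to its hardened counterpart, run against constructed hostile input, using only the Python standard library (an in-memory sqlite database, `html.escape`, and `pathlib` resolution).

```python
"""Added example: the three bug classes named above, each in a vulnerable and a
hardened form. Illustrative code, not PunkSpider's scanner; all data is constructed.
"""

import html
import sqlite3
from pathlib import Path


# --- SQL injection -----------------------------------------------------------
def make_db():
    """In-memory sqlite database with two constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, secret TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret-a"), ("bob", "s3cret-b")])
    return conn


def lookup_vulnerable(conn, name):
    """Input is spliced into the SQL text, so it can change the query's logic."""
    query = f"SELECT name FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn, name):
    """Bound parameter: the driver passes the input as data, never as SQL."""
    return conn.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()


# --- Cross-site scripting ----------------------------------------------------
def render_comment_vulnerable(comment):
    """Raw interpolation into HTML: markup in the input becomes part of the page."""
    return f"<p>{comment}</p>"


def render_comment_safe(comment):
    """html.escape neutralises <, >, & and quotes before the text reaches the page."""
    return f"<p>{html.escape(comment)}</p>"


# --- Path traversal ----------------------------------------------------------
def resolve_under_base(base_dir, requested):
    """Resolve a user-supplied relative path and confirm it stays inside base_dir.

    Returns the resolved Path, or None when '..' segments or an absolute path
    would escape the base directory. Resolution happens before the check so
    that '..' and symlinks cannot sidestep a naive string-prefix comparison.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()
    if target != base and base not in target.parents:
        return None
    return target


def demo():
    """Run each pair on constructed hostile input and report what got through."""
    conn = make_db()
    hostile_sql = "' OR '1'='1"          # turns the WHERE clause into a tautology
    hostile_html = "<script>alert(1)</script>"
    hostile_path = "../../etc/passwd"    # tries to climb out of the web root
    return {
        "sqli_vulnerable_rows": len(lookup_vulnerable(conn, hostile_sql)),
        "sqli_safe_rows": len(lookup_safe(conn, hostile_sql)),
        "xss_vulnerable_has_tag": "<script>" in render_comment_vulnerable(hostile_html),
        "xss_safe_has_tag": "<script>" in render_comment_safe(hostile_html),
        "traversal_safe_rejected": resolve_under_base("/srv/www", hostile_path) is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The pattern is the same in all three cases: the vulnerable version lets untrusted input become part of a query, a page, or a filesystem path, while the fixed version keeps the input as data (bound parameters, escaped text, a resolved path checked against its root). `/srv/www` is a placeholder base directory and need not exist for the path check to work.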

The founders of a project to provide a global vulnerability scanner for web applications are defending a controversial technology. Alejandro Caceres and Jason Hopper say they launched PunkSpider to catalog hundreds of thousands of unprotected vulnerabilities and make them, well, as unprotected as possible. Caceres and Hopper, CTOs at Hyperion Gray, presented the project at ShmooCon 2013, a cyber security conference in Washington, D.C., on Saturday, February 16.
