PunkSpider — the search engine for web exploits — Returns
One of the most controversial cybersecurity projects on the web is being brought back to life next week. PunkSpider, essentially a tool that crawls the internet to build a searchable database of hackable websites, resurfaces at next week's Defcon security conference, WIRED reports. It will be the first time anyone has been able to use the tool since it went dark in 2015.
In a nutshell, PunkSpider works by automatically scanning sites on the open web and "fuzzing" each one: in hacker parlance, throwing unexpected data at a website's underlying code to see what vulnerabilities shake out. Specifically, PunkSpider looks for sites susceptible to some of the most common exploits in an attacker's arsenal, such as SQL injection and cross-site scripting (XSS). Although these bug classes are considered relatively easy to find and fix, there are still tons of sites on the web that leave themselves wide open to them.
In 2019, for example, HackerOne revealed that the vulnerability most frequently reported by hackers through its bug bounty platform was the aforementioned cross-site scripting: exploits that let an attacker inject malicious script or links into an otherwise benign (and often overlooked) site, where they run in other visitors' browsers. More recently, we have seen high-profile sites like the far-right refuge Gab hit with SQL injection; in Gab's case, the site ended up leaking 70 gigabytes of its users' data as a result.
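To make concrete what "fuzzing" a site for these two bug classes actually looks like, here is an added example in Python. It is not PunkSpider's code and not from the original article: a constructed toy search endpoint backed by an in-memory SQLite table, written once with string-concatenated SQL and unescaped output and once with a parameterised query and HTML escaping, plus a probe that sends the kind of canary payloads a scanning crawler would and flags leaked database errors, tautology-based row inflation, and reflected markup. The handler names, the payload lists, and the `<pksp>` canary tag are assumptions chosen for illustration.

```python
import html
import sqlite3

# Constructed toy backend: an in-memory table standing in for a site's database.
DB = sqlite3.connect(":memory:")
DB.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)")
DB.executemany("INSERT INTO users (name) VALUES (?)", [("alice",), ("bob",), ("carol",)])


def vulnerable_search(q):
    """Deliberately vulnerable handler: input is spliced into SQL and echoed unescaped."""
    try:
        rows = DB.execute(f"SELECT name FROM users WHERE name = '{q}'").fetchall()
    except sqlite3.Error as exc:
        # Leaks the raw database error to the client, a classic SQL injection tell.
        return 500, f"<h1>Database error</h1><pre>{exc}</pre>"
    items = "".join(f"<li>{name}</li>" for (name,) in rows)
    return 200, f"<p>Results for {q}:</p><ul>{items}</ul>"


def hardened_search(q):
    """Fixed handler: parameterised query plus HTML-escaped output."""
    rows = DB.execute("SELECT name FROM users WHERE name = ?", (q,)).fetchall()
    items = "".join(f"<li>{html.escape(name)}</li>" for (name,) in rows)
    return 200, f"<p>Results for {html.escape(q)}:</p><ul>{items}</ul>"


# Assumed probe payloads, modelled on what a fuzzing crawler would send.
BASELINE = "no-such-user-zz"          # benign value expected to match nothing
SQLI_ERROR_PROBES = ["'", "')"]       # break the quoting and look for a DB error
SQLI_TAUTOLOGY = "' OR '1'='1"        # true-for-every-row payload
SQL_ERROR_HINTS = ("syntax error", "unrecognized token", "database error")
XSS_CANARY = "<pksp>"                 # unique tag; reflected verbatim means no encoding


def row_count(body):
    """Count result rows in a response body (our toy pages render one <li> per row)."""
    return body.count("<li>")


def probe(handler):
    """Return the set of vulnerability classes the handler appears to expose."""
    findings = set()
    _, base_body = handler(BASELINE)

    # Error-based SQL injection: a 5xx status or a database error string in the page.
    for payload in SQLI_ERROR_PROBES:
        status, body = handler(payload)
        if status >= 500 or any(hint in body.lower() for hint in SQL_ERROR_HINTS):
            findings.add("sqli")
            break

    # Tautology-based SQL injection: the payload returns more rows than the benign baseline.
    status, body = handler(SQLI_TAUTOLOGY)
    if status == 200 and row_count(body) > row_count(base_body):
        findings.add("sqli")

    # Reflected XSS: the canary comes back as live markup instead of escaped text.
    _, body = handler(XSS_CANARY)
    if XSS_CANARY in body:
        findings.add("xss")

    return findings


if __name__ == "__main__":
    print("vulnerable:", sorted(probe(vulnerable_search)))
    print("hardened:  ", sorted(probe(hardened_search)))
```

The probe is deliberately heuristic, which is also why real scanners produce false positives: a site that happens to render the literal text "database error" or that returns different row counts for unrelated reasons would trip it. The two fixes in `hardened_search` are the ones the article calls "easy": bind parameters so user input can never change the query's structure, and encode output for the HTML context it lands in.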
The original iteration of PunkSpider launched roughly ten years ago as a pet project of software developer Alejandro Caceres and his company, Hyperion Gray. But Caceres quickly ran into technical and financial hurdles that reduced the tool to scanning the web only about once a year before it folded entirely. Earlier this year, however, Virginia-based tech company QOMPLX acquired Hyperion Gray and announced shortly thereafter that it would restart PunkSpider.
The new project will feature a database that users can search by a site's URL or by the type of vulnerability they are interested in, as well as a Chrome browser extension that checks the websites you visit for any apparent security flaws. Depending on the number and severity of a site's bugs, PunkSpider assigns it a rating on a "dumpster fire" scale that assesses (as the name suggests) how close the site is to being a dumpster fire.
But with any of these hacker-friendly search engines, whether PunkSpider, Shodan, or Censys, there is always an ethical question that comes with making the results public. On the one hand, being warned about a vulnerability in a site could convince that site's operator to pull themselves together and close the gap. On the other hand, a list of easily exploitable sites means that anyone, good or bad, is free to poke around.
This means that for all the good Caceres's tool could do for the broader cybersecurity community, there is a very real possibility that it opens some of these sites up to harmful attacks they would not otherwise have suffered. At the very least, that should be motivation enough for their operators to start taking security seriously.