The founder of a project that aims to offer a global web application vulnerability scanner has defended the potentially controversial technology. The tech is a useful tool to check the security of websites you use for shopping, or to which you've submitted your personal data, but it could equally be a tool for budding VXers - although, as its founder points out, checking for the existence of vulnerabilities is not the same as exploiting them in an actual attack.
Alejandro Caceres, CTO at Hyperion Gray, presented the PunkSPIDER project at the ShmooCon 2013 cyber security conference in Washington DC on Saturday, 16 February.
"[PunkSPIDER] is a global web application vulnerability repository that is on track to cover the entire internet - we've discovered hundreds of thousands of vulnerabilities already," Caceres explained. "This information is being made available for free to the general public in a search engine format, because we believe that the general public, not just the security community, should have access to information about the security status of the websites they use every day."
The scanner and its architecture can handle a massive number of web application vulnerability scans, "set them loose on the internet, and make the results available to you". It runs off of an Apache Hadoop cluster.
Caceres said the presentation was "really well-received despite (or maybe because of) it being a bit controversial."
Early reactions to PunkSPIDER have been mixed, although many have praised the technology for its innovation. PunkSPIDER is built on a scalable architecture designed for stability, and is intended to help organisations run vulnerability detection and mitigation across their publicly available assets.
However, others have criticised PunkSPIDER as offering little more than a "centralized database for scriptkiddies".
Caceres told El Reg: "In fact, the goal of my project [is] to alert firms to such vulnerabilities – for free – so that they could have their web developers fix it.
Not of much use to black hatters, actually
"I think there are probably quite a few folks out there who are conflating checking for the existence of vulnerabilities with exploiting them in an actual attack. But just to be clear, no one can conduct an exploit from PunkSPIDER nor is it intended for this purpose," Caceres added.
Possible comparisons between PunkSPIDER and Metasploit are also wide of the mark because there’s no “sploit-ing” involved with PunkSPIDER.
"The main difference is that Metasploit is a repository of exploits that can be readily used against targets, whereas PunkSPIDER is a repository of specific discovered vulnerabilities on websites," Caceres said, adding that the technology is more like a SHODAN[1] for live web app vulnerabilities.
Caceres said the abuse of PunkSPIDER by script kiddies is a legitimate concern but argued that the tool helps the owners of Mom and Pop websites far more than it helps unskilled black-hat hackers. As a general note, the vulnerabilities that PunkSPIDER discovers are the most basic vulnerabilities that simple web development best practices could easily avoid.
"We’re not giving script kiddies any information that they can’t get on their own," Caceres said. "In fact any and every website on the public internet is likely to get scanned for vulnerabilities by someone within weeks of going up. If the average website owner could plug in an IDS and watch the traffic on their website, they could see this for themselves – I do this in my day job and it’s admittedly pretty astonishing."
Caceres acknowledged that PunkSPIDER can be "used for good or for evil" but the same point could be made about Metasploit and even Google hacking, as pioneered by Johnny Long, adding that he hoped the PunkSPIDER project will help to raise awareness about the issue of insecure and unsafe websites.
"There are enough threats on the internet already, we have no excuse for not eliminating the most common and simple of these," Caceres explained.
"We also take extreme care to do very safe checks against sites, and we respect robots.txt and don’t crawl sites that don’t want to be crawled."
He added: "But one of my main points is that the average website owner doesn’t focus on website security, so we’re trying to make it more accessible to them (for free) and also point out that if they don’t take a few basic precautions, someone will break into their site - it’s only a matter of time. The first thing that we hope any website owner does when they hear about PunkSPIDER is go search for their own site or sites," he said, adding that he hopes the tool will also be useful to ordinary web surfers.
Kickstarting a community
The open-source project is seeking donations. "I’m committed to PunkSPIDER being a free and open-source project for the duration of its existence, and I don’t have any plans to monetise the project in any way, aside from seeking donations to cover my operating costs whenever possible, thus the Kickstarter," Caceres explained.
"I hope it becomes a community project, with like-minded people contributing new ideas for how to further its underlying mission. One idea I’ve already received is for a Firefox plugin that tells a user when they are visiting a site that has registered vulnerabilities in our database," he added.
Other ideas include publishing a set of PunkSPIDER rules that sysadmins can apply to their firewalls to block users from visiting unsafe sites. ®
[1] The Shodan search tool indexes routers, servers and other internet devices, creating a means to pinpoint industrial control systems that might be vulnerable to tampering, among other applications.