PunkSPIDER project founder defends 'Google for web app vulns'

Global bug scanner can be used 'for good or for evil'

The founder of a project that aims to offer a global web application vulnerability scanner has defended the potentially controversial technology. The tech is a useful tool to check the security of websites you use for shopping, or to which you've submitted your personal data, but it could equally be a tool for budding VXers - although, as its founder points out: checking for the existence of vulnerabilities is not the same as exploiting them in an actual attack.

Alejandro Caceres, CTO at Hyperion Gray, presented the PunkSPIDER project at the ShmooCon 2013 cyber security conference in Washington DC on Saturday, 16 February.

"[PunkSPIDER] is a global web application vulnerability repository that is on track to cover the entire internet - we've discovered hundreds of thousands of vulnerabilities already," Caceres explained. "This information is being made available for free to the general public in a search engine format, because we believe that the general public, not just the security community, should have access to information about the security status of the websites they use every day."

The scanner and its architecture can handle a massive number of web application vulnerability scans, "set them loose on the internet, and make the results available to you". It runs on an Apache Hadoop cluster.

Caceres added that the presentation was "really well-received despite (or maybe because of) it being a bit controversial".

Early reactions to PunkSPIDER have been mixed, although many have praised the technology for its innovation. PunkSPIDER is built on a scalable architecture designed for stability, and is intended to help organisations run vulnerability detection and mitigation across their publicly available assets.

However, others have criticised PunkSPIDER as offering little more than a "centralized database for scriptkiddies".

Caceres told El Reg: "In fact, the goal of my project [is] to alert firms to such vulnerabilities – for free – so that they could have their web developers fix it.

Not of much use to black hatters, actually

"I think there are probably quite a few folks out there who are conflating checking for the existence of vulnerabilities with exploiting them in an actual attack. But just to be clear, no one can conduct an exploit from PunkSPIDER nor is it intended for this purpose," Caceres added.

Possible comparisons between PunkSPIDER and Metasploit are also wide of the mark because there’s no “sploit-ing” involved with PunkSPIDER.

"The main difference is that Metasploit is a repository of exploits that can be readily used against targets, whereas PunkSPIDER is a repository of specific discovered vulnerabilities on websites," Caceres said, adding that the technology is more like a SHODAN[1] for live web app vulnerabilities.

Caceres said the abuse of PunkSPIDER by script kiddies is a legitimate concern but argued that the tool helps the owners of Mom and Pop websites far more than it helps unskilled black-hat hackers. As a general note, the vulnerabilities that PunkSPIDER discovers are the most basic vulnerabilities that simple web development best practices could easily avoid.

"We’re not giving script kiddies any information that they can’t get on their own," Caceres said. "In fact any and every website on the public internet is likely to get scanned for vulnerabilities by someone within weeks of going up. If the average website owner could plug in an IDS and watch the traffic on their website, they could see this for themselves – I do this in my day job and it’s admittedly pretty astonishing."

Caceres acknowledged that PunkSPIDER can be "used for good or for evil", but said the same point could be made about Metasploit and even Google hacking, as pioneered by Johnny Long. He added that he hoped the PunkSPIDER project would help to raise awareness about the issue of insecure and unsafe websites.

"There are enough threats on the internet already, we have no excuse for not eliminating the most common and simple of these," Caceres explained.

"We also take extreme care to do very safe checks against sites, and we respect robots.txt and don’t crawl sites that don’t want to be crawled."

He added: "But one of my main points is that the average website owner doesn't focus on website security, so we're trying to make it more accessible to them (for free) and also point out that if they don't take a few basic precautions, someone will break into their site - it's only a matter of time. The first thing that we hope any website owner does when they hear about PunkSPIDER is go search for their own site or sites." He also hopes the tool will be useful to ordinary web surfers.
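Caceres's remark about respecting robots.txt describes a check any crawler or scanner should make before touching a site. The Python snippet below is an added illustration written for this article, not PunkSPIDER's own code: it parses a constructed robots.txt with the standard library's urllib.robotparser and filters a candidate URL list down to what a given user-agent is allowed to fetch, refusing the whole site when the file disallows that agent entirely. The host example.invalid, the user-agent strings and the rules are assumptions made up for the example.

```python
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed sample robots.txt (not taken from any real site). It allows
# general crawling but keeps /admin/ and /cart/ off limits, and tells a
# hypothetical "punkspider" agent to stay away from the whole site.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /cart/

User-agent: punkspider
Disallow: /
"""


def build_parser(robots_txt: str, site_url: str = "https://example.invalid") -> RobotFileParser:
    """Parse robots.txt text that was already fetched (no network access here)."""
    rp = RobotFileParser()
    rp.set_url(site_url.rstrip("/") + "/robots.txt")
    rp.parse(robots_txt.splitlines())
    return rp


def may_scan(rp: RobotFileParser, user_agent: str, url: str) -> bool:
    """True if robots.txt permits user_agent to fetch url.

    urllib.robotparser matches the agent token before any '/' version suffix,
    falls back to the '*' entry, and treats paths as prefixes, which is the
    conventional interpretation of the file.
    """
    return bool(rp.can_fetch(user_agent, url))


def site_blocked_entirely(rp: RobotFileParser, user_agent: str) -> bool:
    """A scanner should skip a host outright when even its root is disallowed."""
    return not rp.can_fetch(user_agent, "/")


def filter_scan_targets(robots_txt: str, user_agent: str, candidate_urls: list[str]) -> list[str]:
    """Return only the candidate URLs that robots.txt allows user_agent to fetch.

    All candidates are assumed to live on the same host; the parser is built
    once and the order of the surviving URLs is preserved.
    """
    rp = build_parser(robots_txt)
    if site_blocked_entirely(rp, user_agent):
        return []
    return [u for u in candidate_urls if may_scan(rp, user_agent, urlparse(u).path or "/")]


if __name__ == "__main__":
    # Constructed candidate URLs for the demonstration.
    candidates = [
        "https://example.invalid/",
        "https://example.invalid/about",
        "https://example.invalid/admin/users",
        "https://example.invalid/cart/checkout",
        "https://example.invalid/blog/post-1",
    ]
    for agent in ("genericbot/2.0", "punkspider/1.0"):
        allowed = filter_scan_targets(SAMPLE_ROBOTS_TXT, agent, candidates)
        print(f"{agent}: {len(allowed)} of {len(candidates)} URLs may be scanned")
        for u in allowed:
            print("  ", u)
```

The decision is made per path prefix, so the same host can be partly scannable: a generic agent may fetch /about but not /admin/users, while the agent named in its own Disallow: / block gets nothing. Fetching robots.txt itself is left to the caller so the check stays testable offline.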

Kickstarting a community

The open-source project is seeking donations. "I’m committed to PunkSPIDER being a free and open-source project for the duration of its existence, and I don’t have any plans to monetise the project in any way, aside from seeking donations to cover my operating costs whenever possible, thus the Kickstarter," Caceres explained.

"I hope it becomes a community project, with like-minded people contributing new ideas for how to further its underlying mission. One idea I’ve already received is for a Firefox plugin that tells a user when they are visiting a site that has registered vulnerabilities in our database," he added.

Other ideas include publishing a set of PunkSPIDER rules that sysadmins can apply to their firewalls to block users from visiting unsafe sites. ®


[1] The Shodan search tool indexes routers, servers and other internet devices, creating a means to pinpoint industrial control systems that might be vulnerable to tampering, among other applications.

Biting the hand that feeds IT © 1998–2022