Caceres freely admits that malicious hackers could use PunkSpider to identify websites to hack. But he argues that scanners that detect web vulnerabilities have always been around; PunkSpider only makes the results public. “You know your customers can see it, your investors can see it, so you’re going to fix this shit fast,” Caceres explains.
Caceres and Hopper’s Defcon talk marks PunkSpider’s second incarnation. The idea for the tool was born a decade ago, in the summer of 2011, when the hacker collective Anonymous and its splinter group LulzSec were in the midst of a rampage of data theft and defacement, much of it made possible by simple web vulnerabilities. (“Why are there SQL injections everywhere?” went the refrain of a hip-hop tribute song to LulzSec.)
Caceres noted at the time that even relatively unsophisticated hackers apparently had no trouble finding an abundance of web bugs. He began to wonder whether the only solution was to expose all of the web’s vulnerabilities in one mass purge. So in 2012 he started building PunkSpider to do just that, and presented it at the Shmoocon hacking conference in early 2013. His small security R&D company, Hyperion Gray, also received funding from Darpa for the work.
From the start, however, the project faced challenges. Shmoocon’s audience questioned whether Caceres was aiding hackers and violating the Computer Fraud and Abuse Act in the process. Soon Amazon was repeatedly banning the Amazon Web Services accounts he was using to power the search engine, after receiving abuse reports from angry web administrators. He was forced to constantly create new burner accounts to keep it running.
By 2015, Caceres was scanning the web for new vulnerabilities only about once a year, and struggling to keep PunkSpider online and cover its costs. Soon after, he dropped the project.
Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to relaunch a new and improved version of its web-hacking search engine. Caceres and Hopper say the revamped tool’s scans are powered by a cloud-based cluster of hundreds of machines, capable of scanning hundreds of millions of sites per day and updating its results either by crawling the whole web continuously or by crawling target URLs at a user’s request. The old PunkSpider’s annual scans of the web took almost a week.
Caceres declined to name his current hosting provider, but says he has come to an understanding with the company about PunkSpider’s motives, which he hopes will prevent his accounts from being banned again. He also, albeit reluctantly, added a feature that lets web administrators recognize PunkSpider’s crawler by its user agent, the string a client sends to identify itself to a website, and included a contact email and an opt-out mechanism that lets websites exclude themselves from the tool’s scans. “I’m not happy with that, honestly,” Caceres says. “I don’t like the idea that people can walk away from security activities and put their heads in the sand. But it’s about sustainability and balance.”
The reincarnated version of PunkSpider has already revealed some real flaws in major websites. Caceres showed WIRED screenshots demonstrating cross-site scripting vulnerabilities in both Kickstarter.com and LendingTree.com. In the case of LendingTree, Caceres claims the vulnerability could be used to craft links that, if users were tricked into clicking them, would either serve malware from the site or display phishing prompts on LendingTree’s own domain. The Kickstarter bug, according to Caceres, would allow hackers to create a link that, if a victim clicked it, could similarly display phishing prompts or automatically make a payment from the victim’s credit card to a Kickstarter project.
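To make concrete the class of bug described above, here is an added example written for this page, not code from Kickstarter, LendingTree or PunkSpider. It models a hypothetical search page that reflects a `q` query parameter into its HTML, shows the vulnerable handler beside an output-encoded one, builds a constructed attacker link whose payload rewrites the page into a fake “re-enter your card” form on the victim site’s own origin, and runs the kind of reflection check a scanner performs: send a marker, see whether it comes back unencoded.

```javascript
// Added example: a minimal reflected-XSS pattern and its fix.
// Hypothetical /search endpoint; not Kickstarter, LendingTree or PunkSpider code.

function queryParam(requestUrl) {
  // The base URL is a placeholder so relative request paths parse (Node's global URL).
  return new URL(requestUrl, 'http://example.test').searchParams.get('q') || '';
}

// Vulnerable handler: user input is interpolated straight into the HTML response.
function renderVulnerable(requestUrl) {
  return `<h1>Results for ${queryParam(requestUrl)}</h1>`;
}

// Escape the five characters that can break out of HTML text or attribute context.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Hardened handler: same page, but the value is output-encoded before interpolation.
function renderHardened(requestUrl) {
  return `<h1>Results for ${escapeHtml(queryParam(requestUrl))}</h1>`;
}

// Constructed attacker payload: the broken image fires onerror, which replaces the
// page body with a fake re-authentication form served from the victim site's origin.
const PHISH_PAYLOAD =
  '<img src=x onerror="document.body.innerHTML=' +
  "'<form>Session expired. Re-enter your card number: <input name=cc></form>'\">";

// The link an attacker would send: the payload URL-encoded into the q parameter.
const CRAFTED_LINK = '/search?q=' + encodeURIComponent(PHISH_PAYLOAD);

// The check a scanner performs: does the marker come back in the response
// byte-for-byte unencoded? If so, the parameter is reflected unsafely.
function isReflectedUnescaped(renderFn, link, marker) {
  return renderFn(link).includes(marker);
}

console.log('vulnerable handler reflects payload:',
  isReflectedUnescaped(renderVulnerable, CRAFTED_LINK, PHISH_PAYLOAD)); // true
console.log('hardened handler reflects payload:  ',
  isReflectedUnescaped(renderHardened, CRAFTED_LINK, PHISH_PAYLOAD));   // false
```

Two caveats a practitioner should keep in mind. `escapeHtml` is correct only for the HTML text and quoted-attribute contexts; a value placed inside a `<script>` block, a URL, or an event handler needs a different encoder, which is exactly why scanners test several payload shapes per parameter. And a web application firewall of the kind LendingTree cites below is a compensating control that filters known payload patterns, not a fix; a Content-Security-Policy without `unsafe-inline` would block the `onerror` handler above as defense in depth, but the reflection itself still has to be encoded at the source.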
“LendingTree uses multiple levels of controls to protect our site and the privacy and integrity of consumer data,” the company said in a statement. “This includes web application firewalls, external penetration testing, and static/dynamic code review to identify and remediate vulnerabilities. Additionally, we take all reported security vulnerabilities seriously and promptly investigate and resolve any issues that are detected.” Kickstarter wrote in an email to WIRED that it is “actively addressing” its web flaw.