Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites in the hopes that companies will quickly fix them & reduce security risks.
Researchers plan to introduce a revamp of PunkSpider, which helps identify flaws in websites so companies can make their back-end systems more secure, at DEF CON.
Hijacked by Hackers
However, experts have mixed feelings about the tool called PunkSpider, created by the analytics firm QOMPLX. They fear the tool could be hijacked by hackers to exploit vulnerabilities before companies have time to patch them.
Alejandro Caceres, Director of Computer Network Exploitation at QOMPLX, & hacker Jason Hopper will introduce a revamped version of PunkSpider at the upcoming DEF CON event next week.
Gaps in Collective Defences
QOMPLX cited the rise of ransomware as one of the reasons for a reboot of PunkSpider, which provides “a simple & massively scalable monitoring tool that quickly identifies gaps in collective defences by highlighting which websites can easily fall prey to attackers,” according to a press release.
The tool can provide internet users & the cyber community a “shared perspective” on the specific dangers of the web, the company stated.
“We want everyone to be able to answer a simple question: how dangerous is the internet I use?” explained Jason Crabtree, CEO of QOMPLX, in a press statement.
“Our extensive research revealed a large but unfortunately not surprising number of basic vulnerabilities across the web. The common exploits that PunkSpider detects serve as a key proxy for risk overall, & frankly if website owners are not fixing the fundamentals it’s unlikely they’re fully addressing bigger vulnerabilities.”
Back by Popular Demand?
Caceres & Hopper observed that demand was another reason to update & reintroduce the tool after a years-long gap, adding that many issues & negative attention had forced the tool, originally funded by the Defence Advanced Research Projects Agency, into ‘hibernation’.
“We’ve been getting asked a lot for ‘that tool that was like Shodan but for web app vulns,’” they wrote in a write-up for their session at DEF CON. “PunkSpider was taken down a couple of years ago due to multiple … issues and threats. We weren’t sure in which direction to keep expanding, & it ended up being a nightmare to sustain.”
The new & improved PunkSpider is a “completely re-engineered” system that also expands the capabilities of the tool to find vulnerabilities, they wrote.
Dedicated ISP & Data Centre
“It is not only far more efficient with real-time distributed computing & checks for way more vulns, we [also] had to take some creative ways through the woods,” Caceres & Hopper wrote.
The new tool will in fact have its own dedicated ISP & data centre in Canada to integrate “freely available data that anyone can get but most don’t know is available,” they explained. The data they refer to will be a massive collection of known web vulnerabilities.
Caceres & Hopper also plan to release tens of thousands of vulnerabilities at the conference, & will ask for suggestions about what to search for to uncover even more.
Bug Bounty Bonanza?
As its creators know well, not everyone is thrilled about PunkSpider’s comeback, however.
In comments emailed to Wired, Electronic Frontier Foundation analyst Karen Gullo said that while the folks behind PunkSpider have “good intentions,” making the vulnerabilities public could backfire & have the opposite effect to the one its creators intended.
“Making them public might be the thing that pushes administrators to fix [these vulnerabilities]. But we don’t recommend it,” she told Wired. “Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches.”
While many on Twitter have voiced support for the tool, with cyber-security expert Stephen Frei observing that “you can’t manage what you can’t measure,” critics also took to the social-media platform to express consternation about PunkSpider.
One suggested that it may limit the opportunity for ethical hackers to win rewards for finding vulnerabilities that companies currently give them. “Ok so maybe I’m dumb but doesn’t a tool like this make bug bounties pointless?” questioned Twitter user @thedragonisreal.
A reply to the tweet countered that PunkSpider certainly won’t pick up every vulnerability, so there will still be plenty for ethical hackers & researchers to dig up & submit to companies’ vulnerability-reward programs.
Another Twitter user raised an ethical issue with the tool, suggesting it is needlessly calling out site insecurities without proof that companies respond accordingly & make necessary changes to protect themselves.
“Not sure if exposing sites like this is a good idea without data showing it led to meaningful changes the first time around,” tweeted a user called @cypnk who is in the medical hardware industry. “If it didn’t, then it’s needlessly malicious.”