PunkSpider, the search engine for web exploits, is back


Photo: Sean Gallup (Getty Images)

One of the most controversial cybersecurity projects on the web is being brought back to life next week. PunkSpider – essentially a tool that crawls the internet to create a searchable database of hackable sites – resurfaces at next week’s Defcon cybersecurity conference, WIRED reports. This is the first time people will be able to use the tool since it went dark in 2015.

In a nutshell, PunkSpider works by automatically scanning sites on the open web and “fuzzing” them, essentially hacker jargon for feeding data into the underlying code of a website to see what vulnerabilities emerge. In this case, PunkSpider will search for sites susceptible to some of the most common exploits in a hacker’s arsenal, such as SQL injection and cross-site scripting attacks. Although these are considered pretty easy flaws to fix (and protect against), there are tons of sites on the web that leave themselves wide open.

In 2019, for example, HackerOne revealed that the most commonly reported vulnerability from hackers in its bug bounty program was the aforementioned cross-site scripting – essentially exploits that allow hackers to inject malicious links into otherwise benign (and often overlooked) sites. More recently, we’ve seen high-profile sites like the far-right haven Gab get hit with SQL injection; in Gab’s case, the site ended up leaking 70 gigabytes of its users’ data as a result.

The original iteration of PunkSpider was launched ten years ago as a pet project of software developer Alejandro Caceres and his software company, Hyperion Gray. But very quickly, Caceres was faced with technical and financial obstacles that meant the tool only scanned the web once a year before collapsing completely. Earlier this year, however, Virginia-based tech company QOMPLX acquired Hyperion Gray and announced the PunkSpider reboot soon after.

The new project will include a database that users can search by the URL of a site or by the type of vulnerability they are interested in, as well as a Chrome browser extension that checks the websites you visit for any apparent security flaws. Based on the number and severity of a site’s bugs, PunkSpider will score it using a “dumpster fire” rating system that rates (as the name suggests) how much of a dumpster fire a given site really is.

But with any of these hacker-friendly search engines, whether PunkSpider, Shodan or Censys, there is always an ethical question that comes with their release to the public. On the one hand, being informed of a site’s vulnerability could convince the operator of that site to pull themselves together and close that gap. On the other hand, having a publicly available list of easy-to-exploit sites means anyone, good or bad, is free to dig.

This means that for all the good Caceres’ tool could do for the cybersecurity community as a whole, it’s very possible that it opens up some of these sites to harmful attacks they wouldn’t otherwise be hit with. At the very least, that’s motivation enough for these operators to start taking their security seriously.