A Controversial Tool Calls Out Vulnerabilities Across the Web

The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: Scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time—and all in the name of making the web more secure.

At the Defcon hacker conference next month, Alejandro Caceres and Jason Hopper plan to release—or, rather, to upgrade and re-release after a years-long hiatus—a tool called PunkSpider. Essentially a search engine that constantly crawls the entire web, PunkSpider automatically identifies hackable vulnerabilities in websites, and then allows anyone to search those results to find sites susceptible to everything from defacement to data leaks.

PunkSpider’s creators say it will catalog hundreds of thousands of those unpatched vulnerabilities at launch, making all of them publicly accessible. Caceres and Hopper acknowledge that in doing so, their tool could potentially expose those sites to real-world attacks. But they hope that visibility will force the web’s administrators to acknowledge that their websites contain simple, glaring, and in some cases dangerous flaws—and hopefully fix them.

Low-Hanging Fruit

The sort of web vulnerabilities that PunkSpider finds remain incredibly common, despite years of warnings. In January of last year, for instance, security researchers found that one such web vulnerability let anyone take over Fortnite accounts, and earlier this year another web bug allowed hacktivists to breach the right-wing social media site Gab and leak 70 gigabytes of its backend data. Both have since been patched. But Caceres argues that PunkSpider could spur web admins to finally fix those sorts of ubiquitous bugs before hackers abuse them. 

“I thought, ‘Wouldn’t it be cool if I could scan the entire web for vulnerabilities? And to make it even more fun, wouldn’t it be cool if I released all those vulnerabilities for free?'” says Caceres, who along with Hopper works as a researcher for cybersecurity startup QOMPLX. “I knew it was going to have some kind of implications. And after I started thinking about it, I really thought they might be good.”

PunkSpider will automatically scan and “fuzz” sites for seven kinds of exploitable bug, repeatedly sending variations of common attack payloads to check whether a site is vulnerable. That list includes SQL injection vulnerabilities, which let hackers smuggle database commands in through a website’s user input fields, sometimes causing it to spill the contents of its backend databases; cross-site scripting vulnerabilities, which let hackers craft malicious links that, when a user clicks on them, run attacker-supplied script in the victim’s browser in the context of the trusted site, where it can be used for phishing or for serving up malware; and path traversal vulnerabilities, in which a hacker manipulates a site’s URL to read or write sensitive files on the server that hosts it. All of those vulnerabilities are generally considered low-hanging fruit in the hacker world, yet they still persist across vast swaths of the web.
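The three bug classes named above, shown as an added illustration rather than as PunkSpider’s own code: each one appears as a deliberately vulnerable handler next to its hardened form, and a small probe routine sends one classic payload per class, the way a crawler would, and reports which variant it “hits.” The sample database, the document root `/srv/app/static`, and all function names are assumptions made for this example.

```python
"""Added example (not PunkSpider's code): the three web bug classes from the
article, each as a vulnerable handler beside its hardened form, plus the kind
of single probe a crawler would send to tell them apart."""
import html
import os
import sqlite3

# Constructed sample database for the SQL injection demo (not real data).
_db = sqlite3.connect(":memory:")
_db.executescript("""
CREATE TABLE users(name TEXT, secret TEXT);
INSERT INTO users VALUES ('alice', 'alice-secret'), ('bob', 'bob-secret');
""")


def lookup_vulnerable(name):
    # SQL injection: the input is concatenated into the SQL text, so a quote
    # in the input ends the string literal and the rest becomes SQL.
    sql = "SELECT secret FROM users WHERE name = '" + name + "'"
    return [row[0] for row in _db.execute(sql).fetchall()]


def lookup_hardened(name):
    # Parameterized query: the value travels separately from the SQL text and
    # can never change the statement's structure.
    rows = _db.execute("SELECT secret FROM users WHERE name = ?", (name,))
    return [row[0] for row in rows.fetchall()]


def search_page_vulnerable(query):
    # Reflected XSS: the query string is echoed into HTML unencoded.
    return "<p>Results for " + query + "</p>"


def search_page_hardened(query):
    # Contextual output encoding turns '<' into '&lt;' so the browser renders
    # the payload as text instead of executing it.
    return "<p>Results for " + html.escape(query, quote=True) + "</p>"


def resolve_vulnerable(doc_root, requested):
    # Path traversal: '..' segments in the request walk out of the doc root.
    return os.path.normpath(os.path.join(doc_root, requested))


def resolve_hardened(doc_root, requested):
    # Canonicalize both paths, then require the result to stay under the root.
    # Returns None (refuse to serve) when it does not.
    root = os.path.realpath(doc_root)
    full = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, full]) != root:
        return None
    return full


def probe_all(doc_root="/srv/app/static"):
    """Send one classic payload per bug class to both variants and return a
    dict of findings (True = the probe succeeded, i.e. the handler is bad)."""
    findings = {}

    # SQLi probe: a tautology that turns the WHERE clause into "always true".
    sqli = "' OR '1'='1"
    findings["sqli_vulnerable"] = len(lookup_vulnerable(sqli)) > 0
    findings["sqli_hardened"] = len(lookup_hardened(sqli)) > 0

    # XSS probe: the marker counts as a hit only if it is reflected unencoded.
    xss = "<script>alert(1)</script>"
    findings["xss_vulnerable"] = xss in search_page_vulnerable(xss)
    findings["xss_hardened"] = xss in search_page_hardened(xss)

    # Traversal probe: a hit means the resolved path escaped the doc root.
    trav = "../../../etc/passwd"
    findings["traversal_vulnerable"] = not resolve_vulnerable(
        doc_root, trav).startswith(doc_root)
    findings["traversal_hardened"] = resolve_hardened(doc_root, trav) is not None
    return findings


if __name__ == "__main__":
    for name, hit in probe_all().items():
        print(f"{name:22s} {'VULNERABLE' if hit else 'ok'}")
```

A real scanner sends many payload variants per class (error-based, boolean-based and time-based SQL injection probes, encoded traversal sequences such as `%2e%2e/`, XSS payloads that break out of attributes as well as element bodies), which is what the article means by “fuzzing”; the single probe per class here is enough to show why concatenation, unencoded reflection and uncanonicalized path joins are the root causes, and why parameterization, output encoding and containment checks close them.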

The site Caceres and Hopper have built provides a database that’s searchable by URL keywords, type of vulnerability, or severity of those bugs. On top of their search engine, they’ve also built a Chrome plugin that checks every website a user visits for hackable flaws. Both the search tool and browser plugin give every website a “dumpster fire” score of one to five dumpster fires, depending on how many vulnerabilities it contains and how serious they are. “PunkSpider finds vulnerabilities, it does a little work on the backend to determine the likelihood they’re exploitable, and then it releases them to the public immediately,” says Caceres. “That last part is the part I get a little bit of shit for sometimes.”

Even the generally hacker-friendly Electronic Frontier Foundation, for instance, wrote in a statement to WIRED that PunkSpider could have dangerous consequences. “The tool is full of good intentions—these vulnerabilities are leading to a lot of real-world problems, ransomware being one of them, and making them public might be the thing that pushes administrators to fix them. But we don’t recommend it,” EFF analyst Karen Gullo wrote to WIRED in an email. “Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches.”

Author: showrunner