In case you missed this controversial tool released at ShmooCon, we wanted to put out a little write-up on it. We’ve written about online tools such as Shodan, VPN Hunter, Exploit Search, and Nmap-Online before and the open source PunkSPIDER site fits right in.
The service basically crawls randomly around the web looking for vulnerable web applications. The particular attacks the tool scans for include blind SQL injection (BSQLi), traditional SQL injection (SQLi), and cross-site scripting (XSS). Visitors have the option of searching by entering a URL or inputting keywords that might appear in a site’s title. It’s backed by fancy big data technologies like Apache Hadoop, but the nice thing is that it’s all open source.
The idea is that anyone can search for a website that they regularly use to verify basic security practices are being done. Perhaps the results may motivate users to purchase from more secure competitors instead. Of course those with more nefarious purposes could use PunkSPIDER to search for sites with lax security that may make easy targets on which to plant malware. Websites do have the option to opt-out though. The spidering mechanism respects robots.txt files and admins can specifically block it through firewall or routing rules.
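Since the opt-out path for site owners is robots.txt, here is a quick way to check what a well-behaved crawler would conclude from yours. This is an added example using Python’s standard robots.txt parser, not code from PunkSPIDER; the “PunkSPIDER” user-agent token and the robots.txt contents are assumptions (use whatever agent string the crawler actually shows up as in your access logs).

```python
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for illustration. The "PunkSPIDER" agent token is an
# assumption; match it against the User-Agent you actually see in your logs.
ROBOTS_TXT = """\
User-agent: PunkSPIDER
Disallow: /

User-agent: *
Disallow: /admin/
Allow: /
"""


def build_parser(robots_text):
    """Parse robots.txt text the same way a compliant crawler would."""
    rp = RobotFileParser()
    rp.parse(robots_text.splitlines())
    return rp


def fetchable_paths(robots_text, user_agent, paths, base="https://example.com"):
    """Return {path: allowed?} for the given crawler user-agent.

    User-agent matching is a case-insensitive substring match on the token
    before any '/version' suffix, so 'PunkSPIDER/1.0' hits the first block.
    """
    rp = build_parser(robots_text)
    return {p: rp.can_fetch(user_agent, base + p) for p in paths}


if __name__ == "__main__":
    for agent in ("PunkSPIDER/1.0", "OtherBot/1.0"):
        print(agent, fetchable_paths(ROBOTS_TXT, agent, ["/", "/products.php", "/admin/"]))
```

The first block denies everything to the named scanner while the wildcard block keeps the site open to everyone else except `/admin/`. Remember that robots.txt is only a request; the firewall or routing rules mentioned above are the enforcement.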
I did a quick title search on “infosec” … and it looks like we have good Google juice because an old URL for NovaInfosec.com came up in the top 4. Fortunately, PunkSPIDER didn’t show any vulnerabilities for us. @J4vv4D (aka, the infosec cynic) also made the top 4 and he’s free and clear as well.
Enabling the bsqli, sqli, and xss options to just find vulnerable sites returned nothing.
Performing the same search on “cyber” on the other hand pulled back one site with 13 BSQLi, 2 SQLi, and 7 XSS vulnerabilities. Clicking the plus sign next to this site exposes the URLs that fell victim to each check. Take a look at those parameters to get an idea of the type of scans PunkSPIDER performs.
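Those same parameters are what the probes look like from the other side, in your own web server logs. The following is an added example (our own code, not PunkSPIDER’s) that walks a handful of constructed Apache-style access log lines, decodes each query parameter, and tags it as a blind SQLi, SQLi, or XSS style probe. The IPs, paths, and signature patterns are all made up for illustration.

```python
import re
from urllib.parse import urlparse, parse_qsl

# Constructed sample access-log lines (not real traffic). The second, third and
# fourth lines carry the kinds of parameter values a scanner sends: a timing
# payload, a lone quote that produced a 500, and a script tag.
SAMPLE_LOG = """\
203.0.113.10 - - [12/Feb/2013:10:01:02 +0000] "GET /products.php?id=5 HTTP/1.1" 200 1532
203.0.113.10 - - [12/Feb/2013:10:01:03 +0000] "GET /products.php?id=5%27%20AND%20SLEEP%285%29-- HTTP/1.1" 200 1532
203.0.113.10 - - [12/Feb/2013:10:01:04 +0000] "GET /products.php?id=5%27 HTTP/1.1" 500 221
203.0.113.10 - - [12/Feb/2013:10:01:05 +0000] "GET /search.php?q=%3Cscript%3Ealert%281%29%3C%2Fscript%3E HTTP/1.1" 200 812
198.51.100.7 - - [12/Feb/2013:10:02:00 +0000] "GET /search.php?q=blue+widgets HTTP/1.1" 200 900
"""

# Common log format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+)'
)

# Illustrative signatures, checked in order; a time-based payload also contains
# a quote, so blind SQLi is tested before generic SQLi.
SIGNATURES = [
    ("bsqli", re.compile(r"\b(?:sleep|benchmark|waitfor\s+delay)\s*\(", re.I)),
    ("sqli", re.compile(r"'\s*(?:or|and)\b|'\s*$|--\s*$|\bunion\b.+\bselect\b", re.I)),
    ("xss", re.compile(r"<\s*script|javascript:|\bon\w+\s*=", re.I)),
]


def classify(value):
    """Return the probe category for a decoded parameter value, or None."""
    for category, pattern in SIGNATURES:
        if pattern.search(value):
            return category
    return None


def scan_log(text):
    """Yield one finding per parameter that matches a probe signature."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parsed = urlparse(m["path"])
        # parse_qsl percent-decodes and turns '+' into spaces for us
        for name, value in parse_qsl(parsed.query, keep_blank_values=True):
            category = classify(value)
            if category:
                findings.append({
                    "ip": m["ip"], "path": parsed.path, "param": name,
                    "category": category, "status": int(m["status"]),
                })
    return findings


def summarize(findings):
    """Count findings per (source IP, category) to spot a scanning host."""
    counts = {}
    for f in findings:
        key = (f["ip"], f["category"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print(summarize(found))
```

Two things worth noticing in the output: all three hits come from one source address in the space of a few seconds, which is the crawler’s fingerprint, and the lone-quote probe drew a 500 response. A scanner counts that error as evidence of injectable input, so a 500 on a quote is the line to follow up on in your application first.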
I don’t know how they get around the legal ramifications of testing websites without their permission though. They say they only perform the most basic safe checks … but even a basic check could constitute an attack under US law. The operators of PunkSPIDER point out that checking for the existence of vulnerabilities is different from actually exploiting them in an attack. Mmm? I’d like to see that hold up in court…
Here are some of the relevant points from the official PunkSPIDER about page.
PunkSPIDER is a global web application vulnerability search engine powered by PunkSCAN. What that means is that we have built a scanner and architecture that can handle a massive number of web application vulnerability scans, set it loose on the Internet, and made the results available to you. It runs off of an Apache Hadoop cluster and is able to handle tens of thousands of scans every day.
Current tools are able to perform a limited number of scans and are not built for stability; they’re meant for single websites (they also crash a lot and often get caught in infinite loops, but we’ll stop complaining now). Because PunkSPIDER is built on an extremely scalable architecture and is built for stability, the number of scan results that the framework can produce per day unattended is virtually limitless.
There are various potential applications to PunkSPIDER. The first is to aid organizations in vulnerability detection and mitigation of their publicly available assets. Not every organization has access to a diligent security team that can perform regular vulnerability checks against their web apps. Using PunkSPIDER an organization can simply type in their URL and know whether they have critical vulnerabilities that need fixing.
For those interested in learning more about this online tool, check out the PunkSPIDER website. And if you’re a code monkey or interested in implementing an instance yourself, take a look at their downloads page.
What have your experiences been with PunkSPIDER? Let us know in the comments below. Today’s post pic is from HyperionGray.com. See ya!