A controversial tool calls out thousands of hackable websites


Caceres freely accepts that malicious hackers can use PunkSpider to identify hackable websites. But he says scanners that find web vulnerabilities have always existed; what PunkSpider adds is that it makes the results public. “You know your customers can see it, your investors can see it, so you’re going to fix that shit quickly,” Caceres says.

Take Two

Caceres and Hopper’s Defcon talk marks the second incarnation of PunkSpider. The idea for the tool was born a decade ago, in the summer of 2011, when the hacker collective Anonymous and its spinoff group LulzSec were carrying out a string of data thefts and defacements, many of them made possible by simple web vulnerabilities. (“Why is there SQL injection everywhere?” asks one hip-hop tribute song to LulzSec.)

At the time, Caceres noted that even relatively unskilled hackers had no trouble finding web bugs, so widespread were they. He wondered whether exposing all of the web’s weaknesses at once might force a massive cleanup. So in 2012 he started building PunkSpider to do just that, and he presented it at the Shmoocon hacking conference in early 2013. His security R&D company, Hyperion Gray, also received a small grant from Darpa for the work.

From the beginning, however, the project faced challenges. Shmoocon attendees questioned whether Caceres was enabling black-hat hackers and, in the process, violating the Computer Fraud and Abuse Act. Soon after, Amazon repeatedly kicked it off the Amazon Web Services accounts he used to run the search engine after receiving abuse reports from angry webmasters. He was forced to keep creating new burner accounts to keep it running.

By 2015, Caceres was scanning for new vulnerabilities only about once a year, and he was struggling to keep PunkSpider online and cover its costs. Shortly afterwards, he let the project lapse.

Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of its web-hacking search engine. Now Caceres and Hopper say their revamped tool runs on hundreds of cloud-based machines capable of scanning hundreds of millions of sites a day, both to refresh results across the web and to scan target URLs at a user’s request. A full scan of the web that took the old PunkSpider an entire year now takes about a week.

Caceres declined to name the current hosting provider, but says he has worked with the company to make sure it understands PunkSpider’s motivations, in the hope of preventing his account from being banned again. He has also, reluctantly, added a feature that lets webmasters detect PunkSpider’s tests by its user agent, the identifier a visiting client sends to a website, along with a contact email address and an opt-out feature that lets sites remove themselves from the tool’s searches. “I’m not happy, actually,” Caceres says. “I don’t like people putting safety things aside and burying their heads in the sand. But it’s about perseverance and balance.”
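As an added illustration (not code from the article or from PunkSpider itself), here is how a webmaster could spot the scanner’s visits in a web server’s access log by its User-Agent, the detection hook described above. The article does not quote PunkSpider’s actual User-Agent string, so the marker, the IP addresses and the log lines below are constructed placeholders.

```python
import re
from collections import Counter

# Placeholder: the article says PunkSpider identifies itself via its User-Agent
# but does not quote the string, so this marker is an assumption for the demo.
SCANNER_UA_MARKER = "PunkSpider"

# Apache/nginx "combined" access-log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def summarize_scanner_traffic(lines, marker=SCANNER_UA_MARKER):
    """Group requests whose User-Agent contains `marker` by source IP.

    Returns {ip: {"requests": n, "paths": Counter, "statuses": Counter}} so a
    webmaster can see which endpoints the scanner probed and how they answered.
    """
    hits = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or marker.lower() not in rec["ua"].lower():
            continue  # malformed line, or ordinary (non-scanner) traffic
        entry = hits.setdefault(
            rec["ip"], {"requests": 0, "paths": Counter(), "statuses": Counter()}
        )
        entry["requests"] += 1
        entry["paths"][rec["path"].split("?", 1)[0]] += 1  # drop query string
        entry["statuses"][rec["status"]] += 1
    return hits

# Constructed sample log lines (documentation IP ranges, placeholder UA).
SCANNER_UA = "Mozilla/5.0 (compatible; PunkSpider-placeholder/2.0; +https://example.invalid/optout)"
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Aug/2021:14:02:11 +0000] "GET /search?q=probe HTTP/1.1" 200 512 "-" "{SCANNER_UA}"',
    '198.51.100.3 - - [10/Aug/2021:14:02:12 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (X11; Linux) Firefox/90.0"',
    f'203.0.113.7 - - [10/Aug/2021:14:02:13 +0000] "GET /login?next=%2F HTTP/1.1" 200 780 "-" "{SCANNER_UA}"',
    f'203.0.113.7 - - [10/Aug/2021:14:02:14 +0000] "GET /search?q=probe2 HTTP/1.1" 500 0 "-" "{SCANNER_UA}"',
    "this line is not in combined format",
]

if __name__ == "__main__":
    for ip, info in summarize_scanner_traffic(SAMPLE_LOG).items():
        print(ip, info["requests"], dict(info["paths"]), dict(info["statuses"]))
```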

PunkSpider’s Web

The reincarnated PunkSpider has already turned up real flaws on major websites. Caceres showed WIRED screenshots of cross-site scripting weaknesses on both LendingTree and Kickstarter. In LendingTree’s case, Caceres says, the vulnerability could be used to craft links that, if users were tricked into clicking them, would host malware on the site or display phishing prompts on LendingTree’s website. The Kickstarter bug, Caceres says, would let hackers craft a link that, if a victim clicked it, would likewise display phishing prompts or automatically make a payment from the victim’s credit card to a Kickstarter project.

“LendingTree uses multiple layers of control to protect the confidentiality and integrity of our site and consumer data,” the company said in a statement. “This includes web application firewalls, external access testing, and static/dynamic code review to identify and resolve vulnerabilities. In addition, we take the security vulnerabilities we report seriously and quickly investigate any issues found.” Kickstarter wrote in an email to WIRED that it is “actively correcting” its web bug.
