The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time, and all in the name of making the web more secure.

At the Defcon hacker conference next week, Alejandro Caceres and Jason Hopper plan to release, or rather to upgrade and re-release after a years-long hiatus, a tool called PunkSpider. Essentially a search engine that constantly crawls the entire web, PunkSpider automatically identifies hackable vulnerabilities in websites, and then allows anyone to search those results to find sites susceptible to everything from defacement to data leaks. PunkSpider's creators say it will catalog hundreds of thousands of those unpatched vulnerabilities at launch, making all of them publicly accessible. Caceres and Hopper acknowledge that in doing so, their tool could potentially expose those sites to real-world attacks. But they hope that visibility will force the web's administrators to acknowledge that their websites contain simple, glaring, and in some cases dangerous flaws, and hopefully fix them. “I’m just hoping people see we're trying to do the right thing.”

The site Caceres and Hopper have built provides a database that's searchable by URL keywords, type of vulnerability, or severity of those bugs. On top of their search engine, they've also built a Chrome plugin that checks every website a user visits for hackable flaws. Both the search tool and browser plugin give every website a "dumpster fire" score of one to five dumpster fires, depending on how many vulnerabilities it contains and how serious they are.

"PunkSpider finds vulnerabilities, it does a little work on the backend to determine the likelihood they're exploitable, and then it releases them to the public immediately," says Caceres. "That last part is the part I get a little bit of shit for sometimes."

Even the generally hacker-friendly Electronic Frontier Foundation, for instance, wrote in a statement to WIRED that PunkSpider could have dangerous consequences. "The tool is full of good intentions: these vulnerabilities are leading to a lot of real-world problems, ransomware being one of them, and making them public might be the thing that pushes administrators to fix them. But we don't recommend it," EFF analyst Karen Gullo wrote to WIRED in an email. "Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches."

Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of his web hacking search engine. Now Caceres and Hopper say their revamped tool's scans are powered by a cloud-based cluster of hundreds of machines, capable of scanning hundreds of millions of sites per day, updating its results for the entire web on a rolling basis, or scanning target URLs at a user's request. The old PunkSpider's annual scans of the entire web took close to a week to complete.

Caceres declined to name his current hosting provider, but he says he's worked out an understanding with the company as to PunkSpider's motivations, which he hopes will prevent his accounts from being banned again. He has also, albeit reluctantly, added a feature that allows web administrators to spot PunkSpider's probing based on the user agent that helps identify visitors to a website, and included an email address and an opt-out feature that lets websites remove themselves from the tool's searches. "I'm not happy about it, honestly," Caceres says. "I don't like the idea of people being able to opt out of security things and bury their head in the sand. But it's a sustainability and balance thing."

The reincarnated version of PunkSpider has already revealed real flaws in major websites.
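The article says administrators can spot PunkSpider's probing by its user agent, but does not print the string. The following is an added example, not code from the article or from the PunkSpider project: it parses Combined Log Format access-log lines (the Apache/nginx default) and tallies, per client IP, the requests whose User-Agent contains a scanner token. The token "PunkSpider", the IP addresses and the log lines are all constructed placeholders; substitute the user-agent value the project actually publishes.

```python
import re
from collections import Counter, defaultdict

# Combined Log Format: ip ident user [ts] "METHOD path proto" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# ASSUMPTION: the article does not give PunkSpider's real user-agent string.
# "PunkSpider" is a placeholder token; replace it with the published value.
SCANNER_UA_TOKENS = ("PunkSpider",)


def parse_line(line):
    """Return the log fields as a dict, or None if the line is not Combined Log Format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_scanner(ua, tokens=SCANNER_UA_TOKENS):
    """Case-insensitive substring match of any scanner token against the User-Agent."""
    ua_l = ua.lower()
    return any(t.lower() in ua_l for t in tokens)


def scanner_report(lines, tokens=SCANNER_UA_TOKENS):
    """Group scanner-tagged requests by client IP.

    Returns {ip: {"hits": n, "paths": [...], "statuses": Counter}} so an admin can see
    which URLs were probed and which of them errored (5xx often means a payload
    reached application code rather than being rejected at the edge).
    """
    report = defaultdict(lambda: {"hits": 0, "paths": [], "statuses": Counter()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_scanner(rec["ua"], tokens):
            continue  # unparseable line or ordinary visitor
        entry = report[rec["ip"]]
        entry["hits"] += 1
        entry["paths"].append(rec["path"])
        entry["statuses"][rec["status"]] += 1
    return dict(report)


# Constructed sample log lines (not real traffic); 203.0.113.0/24 and 198.51.100.0/24
# are documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jul/2021:12:00:01 +0000] "GET /login?user=%27 HTTP/1.1" 500 512 "-" "Mozilla/5.0 (compatible; PunkSpider)"',
    '203.0.113.7 - - [10/Jul/2021:12:00:02 +0000] "GET /search?q=%3Cscript%3E HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; PunkSpider)"',
    '198.51.100.4 - - [10/Jul/2021:12:00:03 +0000] "GET / HTTP/1.1" 200 1024 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/90.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    for ip, info in scanner_report(SAMPLE_LOG).items():
        print(ip, info["hits"], sorted(info["statuses"].items()), info["paths"])
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. The User-Agent header is set by the client, so matching on it only identifies a scanner that chooses to announce itself, as the article says PunkSpider now does; it is a courtesy signal for triage and opt-out, not a control that keeps a less polite scanner out.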