Reboot of PunkSpider Tool at DEF CON Stirs Debate | Threatpost

Researchers will release a reboot of a controversial tool that crawls the web to identify back-end vulnerabilities in websites, in the hope that companies will quickly fix them and reduce security risks.

However, experts have mixed feelings about the tool, called PunkSpider, created by the analytics firm QOMPLX. They fear the tool could be hijacked by hackers to exploit vulnerabilities before companies have time to patch them.

Alejandro Caceres, director of computer network exploitation at QOMPLX, and hacker Jason Hopper will introduce a revamped version of PunkSpider at the upcoming DEF CON gathering next week.

QOMPLX cited the rise of ransomware as one of the reasons for a reboot of PunkSpider, which provides “a simple and massively scalable monitoring tool that quickly identifies gaps in collective defenses by highlighting which websites can easily fall prey to attackers,” according to a press release. The tool can provide internet users and the cyber community a “shared perspective” on the specific dangers of the web, the company said.

“We want everyone to be able to answer a simple question: how dangerous is the internet I use?” Jason Crabtree, CEO of QOMPLX, said in a press statement. “Our extensive research revealed a large but unfortunately not surprising number of basic vulnerabilities across the web. The common exploits that PunkSpider detects serve as a key proxy for risk overall, and frankly if website owners are not fixing the fundamentals it’s unlikely they’re fully addressing bigger vulnerabilities.”

Back by Popular Demand?

Caceres and Hopper said demand was another reason to update and reintroduce the tool after a years-long hiatus, adding that myriad issues and negative attention forced the tool, originally funded by the Defense Advanced Research Projects Agency, into hibernation.

“We’ve been getting asked a lot for ‘that tool that was like Shodan but for web app vulns,’” they wrote in a write-up for their session at DEF CON. “PunkSpider … was taken down a couple of years ago due to multiple … issues and threats. We weren’t sure in which direction to keep expanding, and it ended up being a nightmare to sustain.”

The new and improved PunkSpider is a “completely re-engineered” system that also expands the capabilities of the tool to find vulnerabilities, they wrote.

“It is not only far more efficient with real-time distributed computing and checks for way more vulns, we [also] had to take some creative ways through the woods,” Caceres and Hopper wrote.

In fact, the new tool will have its own dedicated ISP and data center in Canada to integrate “freely available data that anyone can get but most don’t know is available,” they said. The data they refer to will be a massive collection of known web vulnerabilities.

Caceres and Hopper also plan to release tens of thousands of vulnerabilities at the conference and will ask for suggestions about what to search for to uncover even more.

Circa 2017: This message greeted visitors to PunkSpider’s website promoting its 3.0 version of its offensive cybersecurity testing tool.

Bug Bounty Bonanza?

As its creators know well, not everyone is thrilled about PunkSpider’s comeback.

In comments emailed to Wired, Electronic Frontier Foundation analyst Karen Gullo said that while the folks behind PunkSpider have “good intentions,” making the vulnerabilities public could backfire and have the opposite effect that its creators intended.

“Making them public might be the thing that pushes administrators to fix [these vulnerabilities]. But we don’t recommend it,” she told Wired. “Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches.”

And while many on Twitter have voiced support for the tool, with cybersecurity expert Stephen Frei observing that “you can’t manage what you can’t measure,” critics also took to the social-media platform to express consternation about PunkSpider.

One suggested that it may limit the opportunity for ethical hackers to win rewards for finding vulnerabilities that companies currently give them. “Ok so maybe I’m dumb but doesn’t a tool like this make bug bounties pointless?” questioned Twitter user @thedragonisreal.

A reply to the tweet countered that PunkSpider certainly won’t pick up every vulnerability, so there will still be plenty for ethical hackers and researchers to dig up and submit to companies’ vulnerability-reward programs.

Another Twitter user raised an ethical issue with the tool, suggesting it is needlessly calling out site insecurities without proof that companies respond accordingly and make necessary changes to protect themselves.

“Not sure if exposing sites like this is a good idea without data showing it led to meaningful changes the first time around,” tweeted a user called @cypnk, who works in the medical hardware industry. “If it didn’t, then it’s needlessly malicious.”