Controversial tools call thousands of hackable websites – Illinois News Today


Caceres freely admits that malicious hackers could use PunkSpider to identify websites to attack. But he argues that scanners that detect web vulnerabilities already exist everywhere; PunkSpider simply publishes the results. “You know that your customers can see it and your investors can see it, so you’re going to fix that shit quickly,” says Caceres.

Take 2

Caceres and Hopper’s Defcon talk presents the second incarnation of PunkSpider. The idea for the tool was born 10 years ago. In the summer of 2011, the hacker group Anonymous and its splinter group LulzSec were in the midst of a rampage of data theft and defacement, much of it made possible by simple web vulnerabilities. (I refrained from the “Why is there SQL injection everywhere?” LulzSec tribute hip-hop song.)

Caceres pointed out that even relatively unsophisticated hackers at the time seemed to have no trouble finding the prevalent web bugs. He began to wonder if the only solution would be to expose all web vulnerabilities in one large purge. So in 2012 he started building PunkSpider to do just that, and he announced it at the Shmoocon hacking conference in early 2013. His small security R&D company, Hyperion Gray, received funding from Darpa.

But from the beginning, the project faced challenges. The Shmoocon audience questioned whether Caceres was enabling black-hat hackers and, in the process, violating the Computer Fraud and Abuse Act. Soon after, following abuse reports from angry web administrators, Amazon repeatedly kicked him off the Amazon Web Services accounts he used to power the search engine. He was forced to keep creating new burner accounts to keep it running.

By 2015, Caceres was scanning the web for new vulnerabilities only once a year, and he struggled to keep PunkSpider online and to pay for it. Shortly thereafter, he let the project lapse.

Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to bring back a new and improved version of his web-hacking search engine. Today, Caceres and Hopper say the improved tool’s scans are powered by a cloud-based cluster of hundreds of machines capable of scanning hundreds of millions of sites per day, at user request. The old PunkSpider’s annual web-wide scan took nearly a week to complete.

Caceres didn’t reveal the name of the current hosting provider, but said he hopes the company better understands PunkSpider’s motives and won’t ban its accounts again. He also reluctantly added ways for web administrators to spot PunkSpider’s probing, based on the user agent it presents (the string that helps identify a visitor to a website), an email address, and a website tool, and included an opt-out feature that lets them remove their sites from the search. “Honestly, I’m not happy with that,” says Caceres. “I don’t like the idea that people can opt out of security issues and bury their heads in the sand, but it’s a matter of sustainability and balance.”

PunkSpider Web

The reborn version of PunkSpider has already revealed real flaws in major websites. Caceres showed WIRED screenshots of cross-site scripting vulnerabilities in both Kickstarter.com and LendingTree.com. For LendingTree, Caceres says the vulnerability could be used to create links that, if a user could be tricked into clicking on them, would host malware on the site or display phishing prompts on LendingTree’s own site. According to Caceres, the Kickstarter bug likewise allows hackers to craft links that display phishing prompts when a victim clicks, or that automatically make a credit-card payment to a Kickstarter project.

“LendingTree employs multiple layers of control to protect the confidentiality and integrity of our site and consumer data,” the company said in a statement. “This includes web application firewalls, external penetration testing, and static/dynamic code reviews to identify and fix vulnerabilities, and we take reported security vulnerabilities seriously.” Kickstarter wrote to WIRED in an email that it was “actively addressing” the flaw in its website.
