PunkSpider is back and crawling hundreds of millions of sites for vulnerabilities
PunkSpider is scanning every website in the world to find exploitable flaws and then release them publicly, all at once, in the name of making the web more secure. PunkSpider automatically identifies hackable vulnerabilities in websites and then lets anyone search those results to find sites susceptible to everything from defacement to data leaks. The tool has been upgraded and re-released after a years-long hiatus, and at launch it will catalog hundreds of thousands of those unpatched vulnerabilities, making all of them publicly accessible.
PunkSpider could expose those sites to real-world attacks; the hope is that the visibility will force web administrators to acknowledge the simple, glaring, and in some cases dangerous flaws in their sites and fix them. The reincarnated version of PunkSpider has already revealed real flaws in major websites, and if that leads those sites to fix their bugs, the creators' goal for the project has been achieved.
PunkSpider automatically scans and “fuzzes” sites for seven kinds of exploitable bugs, including SQL injection vulnerabilities, by repeatedly trying variations of common hacking methods to check whether a site is vulnerable. The site provides a database that is searchable by URL keywords, type of vulnerability, and the severity of those bugs. The creators have also built a Chrome plugin that checks every website a user visits for hackable flaws. The search tool and browser plugin give every website a “dumpster fire” score of one to five dumpster fires, depending on how many vulnerabilities it contains and how serious they are. The concern is that a malicious hacker could use the site to identify websites to hack.
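The SQL injection class mentioned above is the one a site owner can most directly check and fix in their own code. The following is an added example, not PunkSpider's code and not taken from the article: it builds an in-memory SQLite table from constructed sample rows, runs the same lookup through a string-concatenated query and through a parameterized one, and reports how each reacts to a tautology-style input of the kind a fuzzer sends. The table, rows, function names and probe string are all assumptions made for the demonstration; a real scanner's payloads and the scoring PunkSpider applies are not shown here.

```python
import sqlite3

# Constructed sample data for the demonstration (not from PunkSpider or the article).
USERS = [
    ("alice", "alice@example.org"),
    ("bob", "bob@example.org"),
    ("carol", "carol@example.org"),
]


def _make_db() -> sqlite3.Connection:
    """Build an in-memory SQLite database seeded with the constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """The weak pattern: user input is pasted into the SQL text itself."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, name: str) -> list:
    """The hardened pattern: the driver binds the input as data, never as SQL syntax."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# A classic boolean-tautology probe of the kind a fuzzer uses to detect
# injection. Constructed here for the demonstration.
PROBE = "x' OR '1'='1"


def compare(name: str = PROBE) -> dict:
    """Run both lookups on the same input and report how many rows each returns.

    A difference in row counts for the same input is the signal a scanner
    looks for: the concatenated query let the input change the WHERE clause.
    """
    conn = _make_db()
    vulnerable_rows = lookup_vulnerable(conn, name)
    parameterized_rows = lookup_parameterized(conn, name)
    conn.close()
    return {
        "vulnerable_rows": len(vulnerable_rows),
        "parameterized_rows": len(parameterized_rows),
        "injectable": len(vulnerable_rows) > len(parameterized_rows),
    }


if __name__ == "__main__":
    print(compare())          # probe input: the concatenated query returns every row
    print(compare("alice"))   # ordinary input: both queries agree on one row
```

With the probe input the concatenated query returns all three rows because the quote in the input closes the string literal and the `OR '1'='1'` becomes part of the condition, while the parameterized query returns none because no user is literally named `x' OR '1'='1`. With an ordinary name both return the same single row, which is why the comparison is a useful self-check before a public scanner finds the flaw for you.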
However, the inventors of PunkSpider argue that scanners that find web vulnerabilities have always existed and that this one merely makes the results public: if you can see the flaw, you are going to want to fix it. They admit that PunkSpider could have unintended consequences, but they stand by their belief that its value for the web's defense outweighs any harm it could cause.