The web has long been a playground for hackers, offering up hundreds of millions of public-facing servers to comb through for basic vulnerabilities to exploit. Now one hacker tool is about to take that practice to its logical, extreme conclusion: Scanning every website in the world to find and then publicly release their exploitable flaws, all at the same time—and all in the name of making the web more secure.
At the Defcon hacker conference next week, Alejandro Caceres and Jason Hopper plan to release—or, rather, to upgrade and re-release after a years-long hiatus—a tool called PunkSpider. Essentially a search engine that constantly crawls the entire web, PunkSpider automatically identifies hackable vulnerabilities in websites, and then allows anyone to search those results to find sites susceptible to everything from defacement to data leaks.
PunkSpider's creators say it will catalog hundreds of thousands of those unpatched vulnerabilities at launch, making all of them publicly accessible. Caceres and Hopper acknowledge that in doing so, their tool could potentially expose those sites to real-world attacks. But they hope that visibility will force the web's administrators to acknowledge that their websites contain simple, glaring, and in some cases dangerous flaws—and hopefully fix them.
The sort of web vulnerabilities that PunkSpider finds remain incredibly common, despite years of warnings. In January of last year, for instance, security researchers found that one such web vulnerability let anyone take over Fortnite accounts, and earlier this year another web bug allowed hacktivists to breach the right-wing social media site Gab and leak 70 gigabytes of its backend data. Both have since been patched. But Caceres argues that PunkSpider could spur web admins to finally fix those sorts of ubiquitous bugs before hackers abuse them.
"I thought, 'Wouldn’t it be cool if I could scan the entire web for vulnerabilities? And to make it even more fun, wouldn’t it be cool if I released all those vulnerabilities for free?'" says Caceres, who along with Hopper works as a researcher for cybersecurity startup QOMPLX. "I knew it was going to have some kind of implications. And after I started thinking about it, I really thought they might be good."
PunkSpider will automatically scan and "fuzz" sites for seven kinds of exploitable bug, repeatedly trying variations of common hacking methods to check if a site is vulnerable. That list includes SQL injection vulnerabilities that allow hackers to enter commands into user input fields on a website, sometimes causing it to spill the contents of its backend databases; cross-site scripting vulnerabilities that let hackers craft malicious links that, when a user clicks on them, load an altered version of the website that can be used for phishing or serving up malware; and path traversal vulnerabilities, in which a hacker can mess with a site's URL to read or write sensitive files on the server that hosts it. All those vulnerabilities are generally considered low-hanging fruit in the hacker world, but still persist in vast swaths of the web.
The site Caceres and Hopper have built provides a database that's searchable by URL keywords, type of vulnerability, or severity of those bugs. On top of their search engine, they've also built a Chrome plugin that checks every website a user visits for hackable flaws. Both the search tool and browser plugin give every website a "dumpster fire" score of one to five dumpster fires, depending on how many vulnerabilities it contains and how serious they are. "PunkSpider finds vulnerabilities, it does a little work on the backend to determine the likelihood they're exploitable, and then it releases them to the public immediately," says Caceres. "That last part is the part I get a little bit of shit for sometimes."
Even the generally hacker-friendly Electronic Frontier Foundation, for instance, wrote in a statement to WIRED that PunkSpider could have dangerous consequences. "The tool is full of good intentions—these vulnerabilities are leading to a lot of real-world problems, ransomware being one of them, and making them public might be the thing that pushes administrators to fix them. But we don't recommend it," EFF analyst Karen Gullo wrote to WIRED in an email. "Bad actors can exploit the vulnerabilities faster than administrators can plug them, leading to more breaches."
Caceres freely admits that malicious hackers could use PunkSpider to identify websites to hack. But he argues that scanners that find web vulnerabilities have always existed. This one just makes the results public. "You know your customers can see it, your investors can see it, so you’re going to fix that shit fast," says Caceres.
Caceres and Hopper's Defcon talk marks the second incarnation of PunkSpider. The idea for the tool was born a decade ago, in the summer of 2011, as the hacker collective Anonymous and its splinter group LulzSec were in the midst of a data theft and defacement rampage, much of which was made possible by simple web vulnerabilities. ("Why is there SQL injection everywhere?" went the refrain of one LulzSec tribute hip-hop song.)
Caceres noted at the time that even relatively unsophisticated hackers seemingly had no trouble finding a preponderance of web bugs. He began to wonder if the only solution might be to reveal every web vulnerability in a massive purge. So in 2012 he started building PunkSpider to do exactly that; he presented it at the Shmoocon hacking conference in early 2013. His small security R&D firm, Hyperion Gray, also received funding from Darpa.
From the beginning, though, the project faced challenges. The Shmoocon audience questioned whether Caceres was enabling blackhat hackers—and violating the Computer Fraud and Abuse Act in the process. Soon Amazon was repeatedly booting him from the Amazon Web Services accounts he used to power the search engine, after receiving abuse reports from angry web administrators. He was forced to constantly create new burner accounts to keep it running.
By 2015, Caceres was scanning the web for new vulnerabilities only about once a year. He struggled to keep PunkSpider online and cover its costs. Not long after, he let the project lapse.
Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of his web hacking search engine. Now Caceres and Hopper say their revamped tool's scans are powered by a cloud-based cluster of hundreds of machines, capable of scanning hundreds of millions of sites per day—updating its results for the entire web on a rolling basis, or scanning target URLs at a user's request. The old PunkSpider's annual scans of the entire web took close to a week to complete.
Caceres declined to name his current hosting provider, but he says he's worked out an understanding with the company as to PunkSpider's motivations, which he hopes will prevent his accounts from being banned again. He has also, albeit reluctantly, added a feature that allows web administrators to spot PunkSpider's probing based on the user agent that helps identify visitors to a website, and included an email address and an opt-out feature that lets websites remove themselves from the tool's searches. "I’m not happy about it, honestly," Caceres says. "I don’t like the idea of people being able to opt out of security things and bury their head in the sand. But it’s a sustainability and balance thing."
The reincarnated version of PunkSpider has already revealed real flaws in major websites. Caceres showed WIRED screenshots that demonstrated cross-site scripting vulnerabilities in both Kickstarter.com and LendingTree.com. In LendingTree’s case, Caceres says the vulnerability could be used to create links that, if users could be tricked into clicking them, would host malware on the site or display phishing prompts on LendingTree’s own site. Kickstarter’s bug, Caceres says, would allow hackers to craft a link that, if a victim clicked it, could similarly display phishing prompts or automatically make a payment from their credit card to a Kickstarter project.
"LendingTree employs multiple layers of control to protect our site and the confidentiality and integrity of consumer data," the company said in a statement. "This includes web application firewalls, outside-in penetration testing and static/dynamic code review to identify and remediate vulnerabilities. Additionally, we take any reported security vulnerabilities seriously and rapidly investigate and address any issues found." Kickstarter wrote in an email to WIRED that it’s “actively addressing” its web flaw.
"If it causes a company like Kickstarter to fix their bugs, that's exactly the kind of thing we'd hope to have as an outcome," says Hopper.
The legality of PunkSpider's probing, meanwhile, remains uncertain. Well-known web hacker and Bit Discovery founder Jeremiah Grossman, for instance, says he would never try the sorts of tests on a website that PunkSpider carries out without the site owner's permission. "You can crawl the website, but the moment you really try to elicit a vulnerability with malicious content, that would seem to me to cause a call from a district attorney somewhere, and that's not the call that you want," says Grossman. Testing a hacking technique by trying malicious commands in an address field on a website, for instance, might by some measures qualify as illegal hacking under the Computer Fraud and Abuse Act. The EFF, which frequently defends hackers from legal threats, and even advised PunkSpider in its first years online, voiced a similar concern to WIRED: "In a perfect world, exposing vulnerabilities wouldn't open one up to lawsuits, but we're not there," writes the EFF's Gullo.
Caceres says they'll take their chances. "I don't not think about" the legal risks, he says. "I’m just hoping people see we're trying to do the right thing."
But when it comes to the ethics of revealing the generally abysmal state of web security, PunkSpider is on solid ground, argues Katie Moussouris, CEO of Luta Security and a respected voice in hacker community debates over vulnerability research and disclosure. “A lot of people who are very unaware and naive about these types of vulnerabilities are going to cry, ‘Think of the children,’” Moussouris says. “But definitely be skeptical of that. Vulnerabilities themselves are what would lead to the hacking of websites. A tool like this just makes those vulnerabilities visible.”
Caceres himself admits that PunkSpider could have unintended consequences. But he stands by his belief that its value for the web's defense outweighs any harm it could cause. "It's a controversial project. It’s not black and white. But we need to try something new," Caceres says. "If I created a monster here, it’s because I had to try something."