Slashdot Mirror

← Back to Stories (view on slashdot.org)

PunkSPIDER Project Puts Vulnerabilities On (Searchable) Display

Posted by timothy on from the anarchist's-cookbook dept.

First time accepted submitter punk2176 writes "Recently I started a free and open source project known as the PunkSPIDER project and presented it at ShmooCon 2013. If you haven't heard of it, it's at heart, a project with the goal of pushing for improved global website security. In order to do this we built a Hadoop distributed computing cluster along with a website vulnerability scanner that can use the cluster. Once we finished that we open sourced the code to our scanner and unleashed it on the Internet. The results of our scans are provided to the public for free in an easy-to-use search engine. The results so far aren't pretty." The Register has an informative article, too.

85 comments

  1. How do you interpret the results? by Press2ToContinue · · Score: 0

    Guess I'm a 'tard 'cause I can't find the explanation for what the vulnerabilities mean.

    But I know what dusty rose on gray means. (It means "Welcome to the 70's.")

    --
    Sent from my ENIAC
    1. Re:How do you interpret the results? by Anonymous Coward · · Score: 0

      Guess I'm a 'tard 'cause I can't find the explanation for what the vulnerabilities mean.

      I would have to agree.

    2. Re:How do you interpret the results? by Anonymous Coward · · Score: 0

      WOW, you can use google!

      Now we should throw out all teachers ...

  2. Re:I think I got punked by Anonymous Coward · · Score: 0

    Try 'Google'

  3. Next - SE for houses without security systems by raymorris · · Score: 1

    Well hours next project be a search engine showing which houses don't have good security systems, or showing the weaknesses in each home's security? What an aweful way to attention whore - by giving criminals a list of defenseless people.

    1. Re:Next - SE for houses without security systems by Anonymous Coward · · Score: 2

      That's not a perfect metaphor and you know it, because if your house is insecure it puts you in danger. If your website is insecure it puts the users in danger. If your house has no security system, you're personally aware. If your website is insecure you likely do not.

      I'm not making an argument as to whether or not this is a good idea, but you're over simplifying things on purpose.

    2. Re:Next - SE for houses without security systems by __aajfby9338 · · Score: 1

      I don't see how this is different than publishing a searchable database of unlocked doors that I found in my neighborhood, with the claim that my purpose is to improve my neighborhood's security. I do not see this as oversimplification. A group (gaggle? herd?) of tweakers could use the database to find an unlocked house whose owners are on vacation and then squat there, using it as a base to burgle other houses in my neighborhood, just as malicious hackers could host malware on a vulnerable site. It's still a dick move to publish the list of unlocked doors for all to see.

    3. Re:Next - SE for houses without security systems by ArsonSmith · · Score: 1

      Yea, let's release a list of known non-gun owners.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    4. Re:Next - SE for houses without security systems by Jah-Wren+Ryel · · Score: 3, Insightful

      Well, at least one difference is that when a website gets hacked it is almost always the people visiting the website who are the target because the goal of the hacker is either to grab information about those users from the hacked system or to use the hacked system to distribute exploits to anyone that browses there.

      While when a house is broken into, it is basically a problem for the owners of the house and not really anyone else.

      So publishing a list of vulnerabilities on websites serves the purpose of shaming the website operators into better protecting their users.

      --
      When information is power, privacy is freedom.
    5. Re:Next - SE for houses without security systems by tibman · · Score: 2

      I view it as a list of dark alleys you shouldn't walk down.

      --
      http://soylentnews.org/~tibman
    6. Re:Next - SE for houses without security systems by BemoanAndMoan · · Score: 1

      So publishing a list of vulnerabilities on websites serves the purpose of shaming the website operators into better protecting their users.

      So by that logic, I assume you rape every woman you pass on a dark street, mug the elderly who don't go out in groups, and commit every other crime of opportunity to shame people into what *you* consider proper, minimum safe behavior. How brave and noble of you.

      I'm so tired of people dressing up shitty behavior under the guise of protecting them when really all they are doing is being selfish, self-satisfying little asshats.

      If this guy wasn't such a douche, he'd be emailing the websites a notice letting them know of the vulnerabilities, not making the list available for everybody. This would have been a good example of how decent behavior could have helped protect both visitors and the site owners, instead of what at best will become a life lesson taught through severe litigation and (if we are lucky) state prosecution.

    7. Re:Next - SE for houses without security systems by Kiwikwi · · Score: 1

      So by that logic, I assume you rape every woman you pass on a dark street, mug the elderly who don't go out in groups, and commit every other crime of opportunity to shame people into what *you* consider proper, minimum safe behavior. How brave and noble of you.

      Phew. For a moment I was worried this thread would descend into hyperbole and strawman arguments.

    8. Re:Next - SE for houses without security systems by Jah-Wren+Ryel · · Score: 0

      So by that logic, I assume you rape every woman you pass on a dark street, mug the elderly who don't go out in groups, and commit every other crime of opportunity to shame people into what *you* consider proper, minimum safe behavior. How brave and noble of you.

      Yes, in fact I make suire to rape and mug every chance I get!!

      The fact that you have to make such an absurd argument ought to be a clue that you have misunderstood the original point.

      --
      When information is power, privacy is freedom.
    9. Re:Next - SE for houses without security systems by Anonymous Coward · · Score: 0

      I'm not really sure what the point of your response is. You're claiming you don't see any reason for it to be different, yet you don't refute any of the reasons I listed in my post.

    10. Re:Next - SE for houses without security systems by Anonymous Coward · · Score: 0

      Or, it's like posting a map that shows where all of the registered gun owners live in N.Y. It's an invitation, and sites like this are a conduit for crime -- a dashboard/intelligence service for criminals.

  4. Ethics by gignac.adam · · Score: 3, Insightful

    Funny; my professor just told a networking class recently when discussing vulnerability scanners that it was seriously unethical to scan a system without permission - it would be like walking through a parking lot and checking which cars are unlocked. I think most people would agree with him. This project might have good intentions, trying to encourage the sysadmins to tighten up their security, but I think there's a better way to do it than public shaming.

    1. Re:Ethics by DCisforBoners · · Score: 1

      Some of these sites are likely entrusted with sensitive user information. The car analogy is only apt if you borrowed $100 from a couple of your closest friends for rent and left that in the car you forgot to lock while you were getting a taco. As I see it, the benefit of this type of public shaming is it reinforces in end users the idea that you should be careful who you trust with your data. For admins, if the majority of listed sites use web technology "x", maybe if you're designing a new site you look for an alternative.

    2. Re:Ethics by kermidge · · Score: 1

      "....I think there's a better way to do it than public shaming."

      Ok, such as.... what?

            If someone puts up a web site I have to figure that it might be for people to visit. If that site has vulnerabilities, I have to give the owner benefit-of-doubt that they might likely want to know such, as I also have to figure that they wish for it to be safe from attack - to prevent defacement, hi-jacking for attack app insertion, making off with private infos, etc.
            Therefore I'd hazard a guess that, since everyone's means are limited, by their own knowledge and skill, time available, to do their own testing, or budget to hire it done, that whatever agency is able to easily and quickly point out a few of the more common vulns (and also the same ones used by many of the crims to make money) - that they'd welcome the info so they might fix their site.
            Punkspider seems to fit that bill.

            So, unethical. How so? Is it somehow more ethical to not test and have site open to attack, or is it both more moral and more practical to get information that'll help to protect the site?

    3. Re:Ethics by del_diablo · · Score: 1

      The analogy falls apart if the parking lot is a guarded parking lot that guarantees the cars safety.

    4. Re:Ethics by GrumpySteen · · Score: 2

      They're scanning large numbers of websites and putting vulnerability information up on a public website for anyone to view without notifying the website owners, much less giving them a chance to fix the problems before sending hackers their way. There's nothing ethical about that.

    5. Re:Ethics by GrumpySteen · · Score: 2

      I'm fairly sure those don't exist. Even the guarded parking lots have disclaimers that say they aren't responsible for theft and damage.

    6. Re:Ethics by Anonymous Coward · · Score: 0

      Why do I feel that most of the people claiming this is unethical are all the same person.

      In the past hackers used to notify the owners and give them a chance to fix problems and the owners would either do nothing or even threaten to sue. Any slashdot reader should know this.

      and chances are the hackers already have a system that does this and have long had this system. In fact, this is probably far behind what the hackers already have. Website owners who store user data have a responsibility to keep up with vulnerabilities and fix them ASAP.

    7. Re:Ethics by ArsonSmith · · Score: 1

      I think a better example may be someone going through stores and seeing which ones are posting people's credit card info on a large board behind the cashier for all to see or the ones that are actually trying to keep it hidden. That is seriously about how stupid many of these web sites are and if this was happening in meat space this list would be uncontested as a supreme public service.

      --
      Paying taxes to buy civilization is like paying a hooker to buy love.
    8. Re:Ethics by Anonymous Coward · · Score: 0

      There's nothing ethical about that.

      This makes it seem as though you believe there is one universal set of "ethics" that applies to everybody. Back in the real world, what's ethical for each person depends on what that person believes.

      If you want to say 'you find this behavior unethical', that's fine. Please though, lose the preposterous notion that your ethics are everybody's.

    9. Re:Ethics by raymorris · · Score: 5, Informative

      In the past hackers used to notify the owners and give them a chance to fix problems and the owners would either do nothing or even threaten to sue. Any slashdot reader should know this.

      Anyone claiming to know anything about the topic of web security should know the procedure used to remedy ~90% of all vulnerabilities. Those security updates you get each week don't appear out of nowhere. Someone like myself files a security ticket with the vendor or affected party. The vulnerability is confirmed and analyzed, then other vendors who are likely to have similar vulnerabilities are notified. A patch is pushed, THEN a CVE is issued. After that, more mainstream sites like slashdot pick up on, and link to, the CVE which explains what the vulnerability was is links to the update to fix it. That's typically about a week after the vulnerability is teported and 2-3 days after the fix is available. That's how securitu issues are normally handled, they aren't ignored. (If they were ignored we wouldn't average 100 security notices per week, would we?)

      When I found the PowerDNS vulnerability I could have come straight to Slashdot with "how to take down wikipedia and millions of other sites". If I were a scumball attention whore I would have done so. Instead, I reported it through proper channels. Wikipedia was patched within 36 hours, then other sites. The next day, the CVE went out, THEN you heard about it. I still get to brag - I just do it AFTER a) wikipedia and other responsive sites are safe and b) I have something worth bragging about, having protected wikipedia from being exploited.
      This jackass is merely attention whoting at other people's expense. He hasn't done anything special - just ran Nessus - but is advertising himself via the results rather than handling them responsibly.

      Suppose for a moment that some of the sites could leak sensitive information. Suppose also that sites which leak sensitive information should be slapped. Well, the slashvertised site, the cracker's search engine, is most certainly leaking sensitive information, ergo he should be slapped!

    10. Re:Ethics by kermidge · · Score: 1

      Thank you; I learned something. Several somethings, in fact.

    11. Re:Ethics by Anonymous Coward · · Score: 0

      I'm not defending what this person is doing, I agree he is going about it wrong. but some site owners have also been known in the past to be jerks.

    12. Re:Ethics by Jafafa+Hots · · Score: 2

      You professor is an idiot.

      This is more like going to a public parking lot and testing to find out whether the security cameras are real and working, not working, or fakes, and then telling people they shouldn't park their cars there if they want to park where there are security cameras.

      --
      This space available.
    13. Re:Ethics by punk2176 · · Score: 2, Informative

      Hmm, a few issues with this...

      1) The statement that we "just run Nessus" is incorrect. We wrote our own scanner that works on a Hadoop cluster. Why is this important? It means that we can handle a lot more scans than anyone else (several thousand per day with a small cluster) and it's also specifically made for mass scans. This is important in point 2 below.

      2) The process you're describing is for finding a vulnerability in a piece of software in general (e.g. a common CMS), not a specific vulnerability in an implementation of a piece of software (e.g. a specific website). That's a huge difference. You wouldn't put a CVE up for a SQL injection bug in a specific implementation of a site (you would only if it was common to an entire CMS for example). Anyway, what we hope is to build a community of like-minded security folks that can help those website owners fix their *specific issues* first and if applicable go through the process you describe when needed. We also want to provide this for free.

      3) What if the vulnerability is in a custom built site that no one cares enough about to do security research on. Who's letting them know their issues? We hope to provide a view of this to the website owner and yes, push them a little to get their security ducks in a row.

      4) We're not attention whores or jackasses. Calling people names isn't nice and makes us sad.

    14. Re:Ethics by Reemi · · Score: 1

      How about you borrowed your expensive camera to a friend and you noticed he left it visible inside his car on the parking lot. A parking lot known for many burglaries, in other words he was inviting somebody to steel your camera.

      Would it be ethical to check if he locked his car so you can protect YOUR OWN belongings?

      I agree with your statement, but looking at my log-files I wonder why the good guys should not be allowed to perform one scan while the bad ones are performing hundreds a day. Why should the bad ones have all the information?

    15. Re:Ethics by martin-boundary · · Score: 1
      The basic car analogy fails to capture that vulnerabilities in computer systems are often used as stepping stones for further attacks on other computer systems. In the car analogy proper, the only person affected by a break-in is the unlocked car's owner, while the other car owners are safe provided their car doors are locked.

      But say the criminal is a joyrider. He picks an unlocked car, and then drives around the parking lot smashing into other locked cars for fun, and then runs away. Now the question: is it wrong to check if some other car in the lot is unlocked and shame its owner? The chance that your car, even if locked, will be damaged due to some other car being unlocked and used as an attack vector is now non negligible.

    16. Re:Ethics by Anonymous Coward · · Score: 0

      I'm sorry you are only on this site to push your warez.

    17. Re:Ethics by blackest_k · · Score: 1

      On the other hand you could just check the sites you manage and design with this tool and see if it finds any problems. It is important your website is standards compliant and it is just as important that your site is secure. If you ever got hacked you will soon find your site blacklisted and a pile of work to rebuild the site and more importantly restore your reputation.

      Without this tool you will be hacked eventually if your site has vulnerabilities, it has to be a good thing for you to know beforehand so you can secure your site.

      It would be even better if after scanning a site that it sends an email to the site info@whatever.com is a fairly safe bet. If you haven't used the tool at least you know someone else has and you need to know hopefully before your site gets hacked.

      This tool might lower the bar for script kiddies but there are plenty of people who can hack your site without using this particular tool. You only need one to be successful.

      --
      Blarney Quality Restaurant, Plants
    18. Re:Ethics by Anonymous Coward · · Score: 0

      Calling people names isn't nice and makes us sad.

      Unauthorized port scans isn't nice and makes us pissed. Jackass.

    19. Re:Ethics by Thruen · · Score: 2

      Actually, it's less like telling people they shouldn't park there, and more like creating a searchable database of areas with no security cameras. It doesn't take much thought to realize the people looking for a place to park aren't going to search this database, it'll be used by the people looking for safer areas to steal those cars. Or to drop all this stupid analogy crap that never seems to have a positive effect on discussions, this is a searchable database that's only going to be used by people who are looking for vulnerabilities. Is the average user even going to know about this? Nope, but hackers everywhere will definitely know about it. Odds are, site owners aren't going to search it either, which may be a little irresponsible, but is nowhere near as bad as finding the vulnerabilities and trying to make sure everyone knows about it. They claim good intentions, and maybe they really have good intentions, but there's nothing good about this.

    20. Re:Ethics by BemoanAndMoan · · Score: 4, Insightful

      We hope to provide a view of this to the website owner and yes, push them a little to get their security ducks in a row.

      No, you don't. If you did you'd have built your system to make *them* aware first, instead of posting a "don't blame the messenger" shame tool that exposes their vulnerabilities.

      The hacking-promotes-security argument is weak sauce, even more so in your case. The vast percentage of people you've exposed (i.e. not anonymous mega-corps, but rather small mom-and-pops set up and left un-managed by unskilled sysadmins, innocuous self-hosting newbies, etc.) will likely never encounter your list, even after it provides scriptkiddies with an easily digestible list of opportunities who wipe their servers and turn them into warez hubs only to be rinse-repeated because they will *never* know any better.

      You are merely a new vector for the disease, selling itself as a cure. Where in this is your moment to feel proud?

    21. Re:Ethics by Thruen · · Score: 1

      I'll help resolve these issues for you.

      1) The software used is a very minor part of the point, and as far as the ethics argument goes means literally nothing.

      2) The start of the process he's describing, reporting the bug to the people who can deal with it, is the important step that doesn't change. Yes, it is different than dealing directly with software developers. It also means they probably aren't capable of fixing it so quickly. The software developers have a huge edge in that area. It does need to be dealt with differently, but public shaming without giving them a chance to fix it is not dealing with the problem it's exasperating it.

      3) If it's a custom site that no one cares to do security research on, chances are nobody's looking to attack that site anyway, until it's posted on a search engine calling it out as a target. As for who's letting them know, adding them to a search engine is NOT letting them know. Odds are these smaller sites aren't out there looking to see if anyone's found a vulnerability in their site. I didn't see anything that states you warn the site owner and even attempt to give them any time to fix it. If you want someone to get their security ducks in a row, step one is telling them everything you know about their problem, and step two is giving them time to fix it. If putting them in a searchable database is any step, it's much further along.

      4) I can't say much about this point as it truly depends on your intentions. You may have good intentions and think this is a great thing to do, but you are most certainly going about it all wrong. You shouldn't be advertising this on Slashdot, you should be emailing webmasters everywhere to tell them about their vulnerabilites. And while I'm here, a feature suggestion: an option to search by software used rather than the specific address, that way people can search the software they're using and find out if any specific implementation is vulnerable without relying on their site already being in this database. And before you say it, yes, web developers could and should run these scans on their own, I'm not defending sloppy security at all, but the developers who aren't running the scans also aren't going to go search for their site on yours without being told they have a problem.

    22. Re:Ethics by Zapotek · · Score: 1

      The prof gave a wrong simile, you are an idiot. WebAppSec scanners can inject harmful payloads (like emptying whole DB tables harmful, a simple string like "or 1=1" in the wrong place can can cause loads of trouble) and should be never run again live/production websites.

      Also, those guys are overly excited about their own work to the point or arrogance but give them time. They'll either get to appreciate all the complexities of those types of systems and power on or just give up after a while.
      They got the attention they wanted now anyways...

    23. Re:Ethics by Anonymous Coward · · Score: 0

      I agree. YOU have no right to appoint yourself as guardian and watchdog. How much time do admins like myself spend hunting down
      dogs like this that fill my log files with their 'self-fulfilling need'. Nobody wants them. You are truly UNWANTED AND UNLOVED!

    24. Re:Ethics by Anonymous Coward · · Score: 0

      I'm really sorry but there are really several point of view regarding "Ethics". It's not because you are a security researcher that you do have the final word on this.

      Some people consider that 0-day should be released in the wild as early as possible and make as much damage as possible, because only then deciders will start to realize that security is a real concern and only then people will start to conceive systems that are, from the start, more resilient to exploits.

      As an example as far as I know I've only had to patch in emergency *two* server-side Java bugs allowing remote attacks on Java webapp servers in the last two years: one for the DoS concerning the infinite loop when parsing floating-point numbers (where I applied the unofficial patch that came out immediately, not by Oracle... Thanks to people releasing the exploit in the wild ASAP, also allowing 3rd party patch to come out *before* Oracle did move / MS patch tuesday / whatever) and one for the DoS concerning the query parameters degenerating into O(n) instead of O(1).

      I know Java on the client-side has been pretty miserable lately, but Java on the server-side is quite robust.

      So I'm sure I buy that the one procedure to remedy to 90% of all vulnerabilities consist in patching. Patching is giga-important.

      But before that the most important is to pick a technology which DOES NOT require to be constantly patched (hint: companies relying on patch tuesday ain't exactly qualifiying and shall keep having Vupen and all the others discover remote root exploits).

      Accepting that inferior systems which needs constant patching are a fatality is probably the number on security concern.

      I don't disagree that you should always patch. But when you have to patch each week then at one point some introspection is needed and you have to wonder if you shouldn't be using a more robust stack in the face of security exploits...

    25. Re:Ethics by WoOS · · Score: 1

      Now let's not get too harsh.

      How 'good' or 'bad' this database is depends IMHO partially on its query interface. If one can only ask for single (FQDN) URLs (with a query rate limit) and gets the vulnerabilities of that specific URL as an answer (plus maybe some pointers on what the vulnerable software likely is), it might actually be useful for the somewhat technically-inclined web owner. The proposed list of vulnerable software would probably not help them as they would have to remember which SW their site runs.

      If on the other hand one can simply search the database for "give me all sites suffering from vulnerability X", that is not helping a web site owner at all but a cracker very much.

      The OP's site seems to be slashdotted (seems Hadoop is not applied in the frontend) so I cannot check but from the comments here it seems it implements the second option. That is definitely something that should be changed.

      The other thing any web site owner should take from this article is that Mass vulnerability spidering has reached mainstream. Much better to announce that on slashdot (and as many other news sites, magazines, periodicals as possible) than have people discover it in a year on their own.
      Now the next useful topic on slashdot would be a discussion on: "Should I host my own site, blog, shop, ... or better use a service (doing all the security stuff)." But I have to check on my wordpress software version ;-)

    26. Re:Ethics by Thruen · · Score: 1

      I'm really not trying to be harsh, sorry for coming off that way. I'm probably a little biased because I have experience being a small business IT guy by default (as in no real training, just better with computers than the other people there), so that's really who I relate to the most. In my position I understood sometimes you need to seek help elsewhere, and I did, but I also learned that problems aren't as easy to fix as people think, nor are they always cheap, and money can be a big issue for a small business. I would've appreciated the help if PunkSPIDER sent me an email describing a vulnerability, and I would've tried to fix it quickly, but if I couldn't figure it out myself I'd have to call someone else in, which gets expensive and might take time to budget it. Instead, PunkSPIDER just puts it in their search engine, unbeknownst to me the lowly inexperienced IT guy, so instead of me being able to fix it before it becomes a problem I still don't find out about it until it's a bigger issue. I know, the heart of the problem is having an IT guy who doesn't have the proper training, but if you've ever worked at a small business during hard times you know spending more isn't always an option, sometimes you need to work with what you have, and that's what they did, I was there so they used me.

      On to everything else, it is actually closer to the first implementation you describe, although I don't know about the rate limit as I didn't test it when the site was still loading quickly earlier.

      To clarify my suggestion of searching by software, I didn't intend for it to list addresses, only vulnerabilities related to that software. As for the website owner not being able to remember what software they used, without getting into how one sets up and runs a web site without even knowing what software they're using, if they're that technically deficient they almost definitely won't be able to fix it themselves (if they even understand the information they're looking at) and should already be looking for someone to handle the technical end of things.

      And as for what they should take from the article, it is mainstream and people should know about it. However, to use a more extreme example, the same can be said for copyright infringement, but would advertising The Pirate Bay or isoHunt really be the right way to alert people to that fact?

      As for the discussion about whether you should host your own site or blog, it seems pretty straightforward to me. If you have the technical know-how and understand what you're doing as well as the costs involved, go ahead and run it yourself. But if you lack that knowledge, it's a silly question to ask. It's like anything else, just because you can make something work doesn't mean it's a good idea to do it yourself. I've been in that position, trying to fix something that's over my head, and while I could generally make it work, it was never as good as having the professionals fix it. If you want an analogy (because those are popular here) you can really swap out web development with any other skill in the world. Just because you can figure out how to (fix your car, plumb/wire your house, build any sort of structure, sew your own clothes, stitch your own cut, tow a car) doesn't mean you should do it yourself instead of leaving it to the professionals. And yes, I know I pointed out why that's not always easy or in the budget, it may not always be an option for people, but if it is an option it's the right one.

      I drifted a bit off the real topic in the end here, my bad.

    27. Re:Ethics by gawdric · · Score: 1

      Public shaming has its place. Think back, if you were involved then, to the mid to late 90s. Smurf attacks were the in thing. Places like powertech.no and others began listing networks that had smurfable broadcast addresses. For a while, this did the work for the script kiddies but eventually the networks made it a point to remove themselves from the database and now the problem is nearly gone. I can see this database having a similar impact.

    28. Re:Ethics by GrumpySteen · · Score: 1

      > Why do I feel that most of the people claiming this is unethical are all the same person.

      Because dismissing all of the people who are telling you that you're wrong as one nutcase with multiple accounts is far easier than acknowledging that you're actually wrong and everyone knows it.

    29. Re:Ethics by Anonymous Coward · · Score: 0

      Attention whoting much?

      Why do we care about some vulnerability you found?

    30. Re:Ethics by Anonymous Coward · · Score: 0

      Ain't got ethics in that!

    31. Re:Ethics by Anonymous Coward · · Score: 0

      He can whote if he eants to

      he can reave your rends behind

      Because yore rends don't whote

      and if they don't whote

      Well their no rends of his.

    32. Re:Ethics by Dextrously · · Score: 1

      I see a note on the punkspider site to opt out of having your site scanned. Is there a specific way to opt in as well? I would be interested in seeing what results could come out of scanning a few of my sites. I've tried using Skipfish in the past, and a few other scanning utilities, and got a lot of false positives, and also a lot of missed positives. Things I knew were vulnerable and just wanted to see if the scanner would pick up on it.

      Thanks for the great work! I look forward to seeing the results, even if some people don't like it. Perhaps sending a notice to "webmaster@domain.tld" would suffice? Possibly even a month or so. Just something along the lines of:

      Hey, found some vulnerabilities on your site, this is what they are......
      DOMAIN.TLD is currently in queue to be listed in our database on 00/00/2013: click here to request a time extension (or possibly a removal from the list completely) before listing, or click here to queue up another scan of your site when the vulnerabilities are patched.
      If you would like assistance in fixing these vulnerabilities, feel welcome to come to our forums or read [link to OWASP info] more information.

      I know I would personally appreciate such an automated approach.

      Personally, I don't think there should be a removal from the list option if adequate time is given. That's just my opinion though. I feel like if you've done your due diligence to notify the maintainers, after a month or two of time, the public should have a right to know so that they can be avoided.

  5. uncheck some boxes by Bananatree3 · · Score: 1

    try "The" or "and" or other basic title searches - and also uncheck some of the vulnerability boxes, and you'll see examples.

  6. Can you tell me... by Anonymous Coward · · Score: 0

    Which banks are vulnerable, and how to hack them? I want to know this for the lulz.

    KTHNXBYE.

  7. Law suit by Anonymous Coward · · Score: 0

    Are you trying to get sued? Even if you're doing nothing illegal you are going to get some people in hot water or get their systems exploited. Both of which could lead to you getting sued into oblivion or having some not so nice police taking all your stuff in the middle of the night and putting you in handcuffs.

    While the act is intended to be noble, you may not have thought through how this works in the real world and what the social reaction to be.

  8. Maybe. 99% are not by raymorris · · Score: 1

    some of the of sites are likely entrusted

    And 99.97% are some guy trying to make ends meet by offering online chemistry lessons or showing you how to hook up your home theatre. IF there were any sites found that held personal information, the right thing to do would be to contact those sites, not encourage people to hack the personal information.

    Certainly it does no good whatsoever to give script kiddies a list of sites to deface. The most popular hosting is Godaddy, with their $10 / month hosting account. (35% of sites are Godaddy sites.) The sites with hosting budgets of around $10-$50 month make up 95% of all sites. So that's mostly who is affected - some elementary school art teacher selling used computer parts online in his spare time.

    1. Re:Maybe. 99% are not by Anonymous Coward · · Score: 0

      But website owners can be jerks and have been in the past, often either ignoring people personally informing them of vulnerabilities or even threatening them with lawsuits or whatever.

    2. Re:Maybe. 99% are not by DCisforBoners · · Score: 1

      That's a fine point, but if you were that consumer shopping to implement a prefab site, wouldn't you like to know if the technical foundations are sound? If 1000 GoDaddy sites are hacked in a day maybe that prompts a response from the host.

  9. The truth is... by Anonymous Coward · · Score: 1

    It's a tool. Tools can be used for good and evil, it just depends on who's hands the tool is in. Take Metasploit for example -- it's used widely by both whitehat security researchers and blackhat criminals.

    As a security researcher, I'll add that PunkSPIDER doesn't shine light on anything that the bad guys don't already know. I'm glad to see another tool that helps enable those who are charged with defending web applications.

  10. Couldn't find any - the results so far ARE pretty by G3ckoG33k · · Score: 1

    Tried two dozen sites that I visit regularly. No issues. Most are top 100,000 on alexa but a few below 1,000,000.

  11. Re:Couldn't find any - the results so far ARE pret by Anonymous Coward · · Score: 0

    Tried two dozen sites that I visit regularly. No issues. Most are top 100,000 on alexa but a few below 1,000,000.

    Just type partials, like ".org" and check the boxes, you will get some results.

  12. :) Law & Society Trust by Anonymous Coward · · Score: 0

    Law & Society Trust
    http://www.lawandsocietytrust.org/
    Timestamp: Fri Aug 10 09:47:28 GMT 2012
    BSQLI:0 | SQLI:52 | XSS:0

    Law & Society Trust? LOL

    1. Re::) Law & Society Trust by Anonymous Coward · · Score: 0

      You're doing better than me, I don't think the URL search really works. I tried a URL search for http://www.mycompanythatiwontmentionhere.com/ and got nothing at all for that domain but pages of not-really-related results that mention MyCompanyThatIWontMentionHere somewhere else within their URL.

  13. Re:Ethics, over zealous by Anonymous Coward · · Score: 0

    What if PunkSPIDER had notified the sites of vuls. and as is typical with site owners/hosts they simply do not care, unless it grabbed the attention of the media/press and users that actually cared were pissed/worried about it.

    I do not know if PunkSPIDER had reported vuls, to sites, if they did, and they saw no response to patch them, then this project of there's will surely grab some attention by shaming.. There are other orgs out there that you could ask to handle this (legally) but they are more concerned with larger impending matters (and rightful so).

  14. Lawsuits and ethics. by sdsucks · · Score: 1

    I hope you've got a good lawyer and money to keep him or her happy. The first exploit you publish about a large (organization|government|important person) is going to give you a really, really, really big headache - at best.

    Also... ethics - you have none. For this, as someone who has spent past lives working in IS, I hope you rot in a miserable existence.

    Fame grasping by a very amateur security "expert".

  15. Re:Couldn't find any - the results so far ARE pret by punk2176 · · Score: 3, Informative

    So one thing that we've been trying to make clear is that the project is *on track* to scan the entire Internet, we haven't scanned everything yet. We have scanned about 70k sites and have under 4 million indexed. Our next version is going to be clearer on what is and is not scanned - currently we just say 0 vulnerabilities if we haven't scanned it, indicating that we have not found vulnerabilities in it yet - not necessarily that it doesn't have any. This was all part of our ShmooCon presentation which just hasn't been released to everyone yet! The system is self-sustaining at this point so these numbers are constantly going up. The "not pretty" comes from the fact that we have over 100,000 vulnerabilities from just scanning about 70,000 sites (some sites have multiple vulnerabilities).

  16. 90% of everything is crud. by Tenebrousedge · · Score: 1

    The most popular hosting is Godaddy, with their $10 / month hosting account. (35% of sites are Godaddy sites.) The sites with hosting budgets of around $10-$50 month make up 95% of all sites.

    As a web developer I may say categorically, fuck them. If you put a site on the web, it is your responsibility to make sure that it is secure. If you are not able to do that to a professional standard, you should not do it. In point of fact, there is a need for a licensing organization to prevent amateurs from practicing web development. The problem isn't that this website is exposing poor security practices, it's that it's not promoting professionalism.

    We have passed the point where it's okay for the layman to host a site. Even if you're not collecting information about your users, you can still be attacked or used as an attack vector. The era of democratization of the web is over.

    --
    Those who advocate genocide deserve every protection afforded by law, and none afforded by common human decency.
    1. Re:90% of everything is crud. by Anonymous Coward · · Score: 1

      Could you please post a list of your client's websites? :)

    2. Re:90% of everything is crud. by Anonymous Coward · · Score: 0

      Lol, Web Developer speaking from authority. You take life as seriously as a locksmith. AOL and Apple have tried walled gardens before. People have spoken and they are willing to accept risk in exchange for the diversity of choices produced. Good luck with your campaign to censor TCP/IP. Silk Road and the Pirate Bay say you'll make TONS of headway on that battle.

      http://www.youtube.com/watch?v=z5Otla5157c

    3. Re:90% of everything is crud. by Zmobie · · Score: 1

      Actually I do somewhat agree with the spirit of this post here. Software Engineering is a discipline that can affect large amounts of people and where not many people actually understand it. This is very similar to any other type of engineering (civil, nuclear, electrical, etc.) and to practice those other disciplines generally you have to have a P.E. or at least a P.E. signs off on the work done. Under current models, this is not in any way required for software and while most of your real software engineers don't really need to have this, for every one of them there are 10 or more idiots that picked up a "Complete Idiot's Guide to PHP" and started throwing websites up. The entire point of the license model is to ensure quality of work because engineers are working on things that affect the public tremendously.

      Now, playing devil's advocate to my own point, you can also argue that the no license required is how the web and software grew like it did. There have been plenty of great projects and ideas put out there that would not have been if a P.E. were required to sign off on the work. Indie development would all but die under this kind of model or at best the cost would increase significantly because of needing a P.E. to review everything after the fact and point out the real problems.

      Kind of a double edged sword honestly, but there is a valid point in Tenebrousedge's post.

    4. Re:90% of everything is crud. by fast+turtle · · Score: 1

      and the god damn license isn't worth the paper it's printed on. What makes the difference is that an Engineer is Legaly Liable for any screwups. In other words, they've got a bit more at risk then Joe Sixpack who's throwing shit at the web to see what in hell is going to stick. Until the liability issue changes for web developers, nothing is going to change

      --
      Mod me up/Mod me down: I wont frown as I've no crown
    5. Re:90% of everything is crud. by Anonymous Coward · · Score: 0

      lol. You're a funny guy.

      There are very few disciplines that require the strict enforcement you are talking about, web dev is not one of them all that often.

      When it is, it's not people who react like you to these issues that are the ones in the hot-seat, it's the open thinkers who have a head on their shoulders and enough knowledge to know shit goes wrong sometimes and it's out of most people's hands. Granted, they do their fucking damnedest to prevent anything they do from being attacked, but they don't shoot the person who's stuff they have to fix and fix now for making the mistake.

      Good try, though. I'm sure the MPAA and their allies would love to have a soul like you onboard. It's the same mentality.

    6. Re:90% of everything is crud. by Zmobie · · Score: 1

      I'm a little confused here, your post kind of contradicts itself. You say the license isn't worth the paper it is printed on, but then say

      an Engineer is Legaly Liable for any screwups

      The license is what allows someone to legally be an engineer for most disciplines. We went over this when I took my engineering ethics course back in college, and there have been numerous (some very frivolous in fact) lawsuits to keep people from using the term or actually practicing any form (of licensed) engineering. The only current exception to this is software engineers can legally use the term without a valid license because one doesn't exist.

      The entire point of what I said in the first half of my post is that a P.E. would in fact make those software engineers legally liable for their work (within reason, even in other engineering disciplines things happen you just have to show that they took reasonable steps and practices to try and prevent it) therefore doing precisely what you said and shifting the liability on to these web developers.

  17. Re:Couldn't find any - the results so far ARE pret by Sqr(twg) · · Score: 2

    Typing * in the search box gets you everything, it seems.

      762 pages (times 10 sites per page) for "bsqli"
      77 pages for "sqli"
      421 pages for "xss"

  18. Wellcome to the gray area. by Anonymous Coward · · Score: 0

    Broadcasting yourself playing a game is something that could be view as broadcasting somebody copyright material. Similar to broadcasting parts of a movie.

    Game companies allow it, because is free ads, more people buy these games, because of the videos. But... like modding, is something that may one day change, would put a creativity activity in shaking terrain.

    Consider yourself warned. I will say "I told you so".

    1. Re:Wellcome to the gray area. by Anonymous Coward · · Score: 0

      Commenting on the wrong story again, Mr. AC?

  19. SF? by Anonymous Coward · · Score: 0

    So where is the connection to San Fransisco? More specifically, the viewers of this site who are in the bay are for the next week?

    Why would they put this up, Now?

  20. TL;DR by thejynxed · · Score: 1

    Most web sites aren't written with security in mind, but pageviews, rankings, and advertising revenue. News at 11.

    How about that NASCAR race?

    --
    @Mindless Drivel: 100% of Twitter posts ever Tweeted.
  21. How many times have researchers found things by Anonymous Coward · · Score: 0

    Only to be "blown off" & nothing gets fixed? Answer = Plenty of times.

    (This forces those sites into action, especially since it proves those sites are @ risk & guilty of negligence putting their viewers @ risk of infestation by malware/malicious script injections etc./et al).

    APK

    P.S.=> I understand YOUR point on "responsible disclosure" though - I really do: IF you approach a site with an issue & they don't fix it though (and yes, that happens too)?

    However/Then, a responsible website would "brush up" on things like using binding of variables to query strings and then using stored procedures for database query access for the sake of their viewing public too, on the "flip side" of things, for security's sake, in their own & that of their users!

    Otherwise - it IS blatant negligence & essentially refusing to "patch" (after all - OS vendors have to do it or should, why not websites also?)...

    (All that above should be done, as well additionally inspecting what the state of security is on the adbanners they float too, since this report from CISCO blows the lid off that too -> More dangerous to click on an online advertisement than an adult content site these days, Cisco said: -> http://www.securityweek.com/easier-get-infected-malware-good-sites-shady-sites-cisco-says )

    ... apk

  22. You found that: Was fixed - this wasn't by Anonymous Coward · · Score: 0

    Continuing on my last posts' premise -> http://it.slashdot.org/comments.pl?sid=3489093&cid=42994773 where I found an issue in hosts files after 12/09/2008 MS "Patch Tuesday" in VISTA onwards (Windows 7 &/or Server 2008 r2 + beyond) where hosts files could no longer use the faster to load into memory 0 blocking "ip address", an analog to a DROP request in a firewall pretty much (due to smaller files resulting) & faster to parse line-by-line as well (via the tcpip.sys built-in DNS resolver loading hosts & referencing it, FIRST, before anything else by default -> http://support.microsoft.com/kb/172218 ).

    Fact is - I reported this to Microsoft during their "Engineering Windows 7" blog, here -> http://blogs.msdn.com/b/e7/archive/2009/02/25/feedback-and-engineering-windows-7.aspx?CommentPosted=true&PageIndex=3#comments

    In addition to THAT?

    Here on /., I literally also got their VP of the "Windows Client Performance Division" to concede my point that using 0 as a blocking "IP address" is superior (faster/more efficient) vs. the 6 characters-per-line larger & slower 0.0.0.0 even (worse yet, vs. the larger by 2-8 characters per line to parse loopback adapter address of 127.0.0.1) & that it would be slower, to LOAD & PARSE that larger custom hosts file result, ala his words quoted next below:

    ---

    PERTINENT QUOTE/EXCERPT:

    "Of course, larger files take longer to load." - by Foredecker (161844) * on Wednesday December 09, @10:34PM (#30384666) Homepage

    FROM -> http://slashdot.org/comments.pl?sid=1467692&cid=30384918

    ---

    Quite a bit faster results happens with smaller blocking addresses noted below, due to smaller filesize for looped programmatic reads by the IP stack of the hosts file, & NOTICEABLY SO!

    (As it's linearly related to the diff here between these filesizes being read in, where large size differentials result):

    ---

    BLOCKING ADDRESSES USED & FILESIZE VARIANCE:

    0 = ~ 42mb size

    0.0.0.0 = ~ 53mb size

    127.0.0.1 = ~ 58mb size

    ---

    Using a custom hosts file with each above having 1,934,453++ entries largely composed of KNOWN malicious sites online to be blocked out (what I use now).

    ---

    * See my point? It NEVER got fixed... & ought to be!

    (Linux doesn't have this issue & it's 1 thing I will DEFINITELY hand it over Windows in fact - hearing that from ME, the "poster child for Windows' fanboy on /." is a rarity, mind you...)

    Lastly: 0 STILL WORKS, oddly enough, on Windows 2000 SP#2 onwards, into XP, & right into Windows Server 2003 though too, oddly enough - whereas, again, by comparison, it doesn't on Windows VISTA, 7, Server 2008 r2 & beyond!

    ("Will wonders NEVER cease"?)

    APK

    P.S.=> You got lucky, & yours was DIRECTLY "security-related" + got fixed...

    Needed it, since DNS has issues (worst of all being largely MOSTLY unpatched vs. the Kaminsky redirect poisoning bug for 1/2 a decade++ now mostly worldwide & worst of all, @ the ISP level):

    ---

    5 years after major DNS flaw is discovered, few US companies have deployed long-term fix (vs. Kaminsky Bug above...):

    http://www.networkworld.com/news/2013/012913-dnssec-266197.html?page=3

    ---

    Which custom hosts files actually SECURE against it by using hardcoded favorites reverse DNS resolved vs. the in arpa addr 'tld' that houses that info

    1. Re:You found that: Was fixed - this wasn't by Thruen · · Score: 1

      So are you saying your argument in favor of the name & shame strategy is pointing out times where companies were named and shamed and still didn't fix it? I see a flaw in your argument... Which is sad because it's a valid point that you're trying to make, sometimes the name & shame strategy does work. But that's not really what this search engine does anyway, it's not as if they're posting on their front page that a site has vulnerabilities, you still need to go out of your way to check a specific site to find the vulnerabilities, which means it's not likely that the general public will hear about the problem, hard to call it the name & shame strategy when they're not doing much to make it publicly known. Beyond that, you point out that the first thing to do is to alert the developers and give them some time to fix it, and while I have looked, I haven't found anything that suggests this site does either of those. You have a very valid point in that in many cases just alerting the developer gets nothing done, but it holds little meaning in regards to this search engine as it doesn't really do any of those things you think should be done.

  23. Re:Couldn't find any - the results so far ARE pret by Zapotek · · Score: 1
    There are a few assumptions being made here that should be addressed for people unfamiliar with the field:
    • It would be impossible for results of that magnitude to be manually verified in order to weed out false-positives, which are a real problem.
    • Just because that scanner hasn't found any vulns it doesn't mean there aren't any.
    • As others have pointed out, this is highly unethical. Scanning a site can be disruptive (and even devastating under some circumstances) which is why every such vendor discourages use of their software against live/production websites.

    I imagine you saw HD Moore's nmap scan of the internet and thought to yourself "Wow, we got to get us some of that!" but this is a really bad idea and I imagine you already know that. The only way to have gone forward with this is after weighting the bad (ethical issues, fallout from site owners, possible legal troubles, etc.) and the good (getting attention) and here we are.

  24. In favor of it IF you reported it 1st to adversely by Anonymous Coward · · Score: 0

    Affected vendor, as I did (& the parent poster to my post too) -> http://it.slashdot.org/comments.pl?sid=3489093&cid=42995009

    "Which is sad because it's a valid point that you're trying to make, sometimes the name & shame strategy does work." - by Thruen (753567) on Sunday February 24, @09:19AM (#42995051)

    It does & CAN, especially if you do it FAIRLY (as I stated in my subject-line above - confront the adversely affected vendor, first... only right & fair to do, imo @ least!).

    THAT, is truly "responsible disclosure"

    So, yes - I agree, 110%: It IS or can be, something that works...

    NOW - what I noted on MS' IP stack & custom hosts files?

    Hey, on MY part??

    That's NOT the only "fix" I've helped make with vendors over time!

    (Even giving them code to do it as with UltraDefrag64 more recently -> (A 64-bit FREE defragger for Windows), in showing them code for how to do Process Priority Control @ the GUI usermode/ring 3/rpl 3 level in their program (good one too), & being credited for it by their lead dev & his team... see here -> http://ultradefrag.sourceforge.net/handbook/Credits.html or here http://sourceforge.net/tracker/?func=detail&aid=2993462&group_id=199532&atid=969873 (I could've posted BETTER code too, lol, but it works in concept porting from Delphi Object-Pascal to C/C++ easily enough).

    Which ended up fixing a "bug" for them later, here -> http://sourceforge.net/p/ultradefrag/bugs/136/ via its implementation (partially, NOT fully yet as I outline it & use in my applications such as this one -> http://www.start64.com/index.php?option=com_content&id=5851:apk-hosts-file-engine-64bit-version&Itemid=74 )

    ---

    ALSO as I did with FireFox/Mozilla folks years beforehand who came right into NTCompatible.com with us, & helped fix it with the site's owner/webmaster, Philip.

    Thus: BOTH issues were patched with my suggestions & notifying them...

    From smaller vendors too!

    ---

    BOTH companies in FF & UltraDefrag64 were better about it by FAR, unlike MS, whom I notified YEARS AGO, though... & right to the head of the division concerned with PERFORMANCE too, no less!

    (& that IS performance gains I proved & he even conceded... nothing was done!).

    APK

    P.S.=> So, do I agree with "name & shame" tactics? Yes, but... ONLY if you report it validly to the concerned software maker 'oem', first! Only fair...

    ... apk

  25. Re:Couldn't find any - the results so far ARE pret by Anonymous Coward · · Score: 1

    Please publish your scanning IP so it can be blocked by people that wish to opt out of this

  26. Java vs .NET by sproketboy · · Score: 1

    Java 96, .NET 20247. LOL.

  27. Perhaps a Suggestion by utkonos · · Score: 1

    I was at your talk at ShmooCon and was quite impressed. What if for any domains that you discovered vulnerabilities on you were to automatically pull whois data (if the TLD has whois servers or web based whois without a captcha) and send a quick email about your findings to any emails listed? A shameless plug: ruby whois is the best programmatic whois client and parser out there IMHO. It would make the above suggestion quite simple.