Slashdot Mirror


DEF CON Hackers Unveil a New Way of Visualizing Web Vulnerabilities

punk2176 writes "Hacker and security researcher Alejandro Caceres (developer of the PunkSPIDER project) and 3D UI developer Teal Rogers unveiled a new free and open source tool at DEF CON 21 that could change the way that users view the web and its vulnerabilities. The project is a visualization system that combines the principles of offensive security, 3D data visualization, and 'big data' to allow users to understand the complex interconnections between websites. Using a highly distributed HBase back-end and a Hadoop-based vulnerability scanner and web crawler the project is meant to improve the average user's understanding of the unseen and potentially vulnerable underbelly of web applications that they own or use. The makers are calling this new method of visualization web 3.0. A free demo can be found here, where users can play with and navigate an early version of the tool via a web interface. More details can be found here and interested users can opt-in to the mailing list and eventually the closed beta here."

9 of 57 comments

  1. "Unity web player"? by mysidia · Score: 4, Informative

    When I visit the demo site it prompts me to install some software I never heard of, before showing the demo.

    Seriously.... they make a malware visualization demo requiring me to install some browser malware in order to view it?

    1. Re:"Unity web player"? by punk2176 · Score: 2

      Erm. Unity is a well-known 3D gaming engine, dude.... http://unity3d.com/

    2. Re:"Unity web player"? by ThatAblaze · Score: 3, Informative

      A little research indicates that Unity is a 3D engine. It's used a lot for 3D games. http://unity3d.com/unity/

    3. Re:"Unity web player"? by bobstreo · Score: 2

      Erm. Unity is a well-known 3D gaming engine, dude....

      Could have fooled me. As far as I know, Unity is a very expensive product from Cisco for providing voicemail integrated with Microsoft Outlook and Exchange.

      So apparently there is some niche product that is a 3D engine of some sort, and I get that.
      But the publisher should still not be doing something that requires me to install software, to view it.

      If they're posting it online, they should use a standard format such as HTML5.

      Nah Unity is the value subtracted interface to Gnome in the latest versions of Ubuntu

  2. Re: Web 3.0 by robmv · Score: 2

    Web 3.0 and uses a plugin? At least do something real web before starting new buzzwords.

  3. Re:Sounds like Acunetix by punk2176 · Score: 2

    Ask and you shall receive :-). I have more information on that than you'd probably like to know. The back-end is actually quite similar to the PunkSPIDER project's back-end and uses all of the same principles, most of the same open software as its base, and even reuses some of the code (in fact, once it's done I'll probably make the back-end of web 3.0 a part of PunkSPIDER 2.0 - free and open source of course). So with that said here's info on how PunkSPIDER was built, which should give you a solid start to how we're building the web 3.0 back-end:

    (1) A link to the talk at ShmooCon on PunkSPIDER which gives more info than you'd ever want to know about the back-end: http://www.hyperiongray.com/shmoocon
    (2) If you're in a rush you can read some basic stuff about it here: http://www.hyperiongray.com/node/18
    (3) If you really want to get into it you can download PunkSCAN (the PunkSPIDER back-end) on bitbucket and take a look: https://bitbucket.org/punkspider/punkscan

    And last but not least, if you want to know even more feel free to contact Hyperion Gray at punkspider@hyperiongray.com or follow me (Alejandro) at @DotSlashPunk on Twitter. Oh and thanks for the feedback on the buzzy name, it's meant to be a little over the top, but we'll keep your comment in mind!

    Alex

  4. Re:Wow by punk2176 · Score: 2

    Free and open source, dude. Just not released yet because it's funded by DARPA CFT and still ongoing research: http://www.wired.com/dangerroom/2011/11/darpa-fast-track/

  5. Re:Clever it might be, but the UI sucks big time by davesag · Score: 2

    Be that as it may, it's profoundly useless if you can't edit the root URL however.

    Also, given the UI swiftly becomes a morass of swirling links, pinning one down to doubly click on it is next to impossible. The back end of this might be great but the UI is total shit.

    --
    I used to have a better sig than this, but I got tired of it

  6. #checks it out, to see a whole new understanding. by MickLinux · Score: 2

    Aah. It requires the Unity plugin. Okay.

    ##imagination runs wild#
    After finding and installing the plugin, AND after a heated discussion with the wife about having lost one's job over some inappropriate tweets, AND having a talk with the Department of Homeland Security about pressure cookers, AND after receiving an Amazon gift subscription paid on my own credit card, along with a note that if it doesn't suit, I can return it and the next purchase will be for bitcoins that will be used for a purchase from the Rayon Way,

    Why yes, yes, I can see how this would work to help me visualize security in a whole new way.

    --
    Correct Horse Battery Staple: 72 bits of entropy. Enter "Correct H" into google. When it generates the phrase, that's