One of the web’s most controversial cybersecurity projects is being brought back to life next week. PunkSpider—essentially a tool that crawls the internet to create a searchable database of hackable sites across the web—is being resurfaced at next week’s Defcon cybersecurity conference, WIRED reports. This is the first time people will be able to use the tool since it went dark in 2015.
In a nutshell, PunkSpider works by automatically scanning sites on the open web and “fuzzing” each one—essentially hacker-speak for feeding data into the code underlying a website to see what vulnerabilities jump out. In this case, PunkSpider will be looking for sites susceptible to some of the more common exploits in a hacker’s arsenal, like SQL injections and cross-site scripting attacks. Despite the fact that these are considered pretty easy hacks to pull off (and protect against), there are tons of sites across the web that leave themselves wide open.
Back in 2019, for example, HackerOne revealed that the top vulnerability that white-hat hackers were reporting through its bug bounty program was the aforementioned cross-site scripts—essentially exploits that let hackers inject malicious links into otherwise benign (and often neglected) sites. And more recently, we’ve seen some high-profile sites like the far-right refuge Gab get hit by SQL injections; in Gab’s case, the site ended up leaking 70 gigabytes of its user’s data as a result.
PunkSpider’s original iteration launched ten years ago, the pet project of software dev Alejandro Caceres and his software firm, Hyperion Gray. But pretty soon, Caceres was facing technical—and fiscal—roadblocks that resulted in his tool only scanning the web once a year, before collapsing entirely. Earlier this year though, the Virginia-based tech firm QOMPLX acquired Hyperion Gray and announced it would be rebooting PunkSpider not long after.
The new project will feature a database that users can search using a site’s URL or the type of vulnerability they’re curious about, along with a Chrome-based browser extension that checks the websites you’re visiting for any apparent security flaws. Depending on how riddled with bugs a site might be, PunkSpider will assign a rating to a given site using a “dumpster fire” rating system that rates (as the name suggests) how much of a dumpster fire that site’s security actually is.
But with any of these sorts of hacker-friendly search engines—like PunchSpider, Shodan, or Censys—there’s always an ethical question that comes with releasing them to the public. On one hand, being tipped off about a site vulnerability might convince that site’s operator to get their shit together and close that gap. On the other, having a list of publicly accessible, easily exploitable sites means that anyone, good or bad, is free to poke around.
That means for all the good Caceres’s tool might be doing for the cybersecurity community writ large, there’s the very real possibility that it will open some of these sites to harmful attacks that they wouldn’t otherwise be struck with. At the very least, this is ample motivation for these operators to start taking their security seriously.