The next Defcon is still a few days away and some very eye-catching presentations are already anticipated. One of these presentations will be made by researchers Alejandro Caceres and Jason Hopper, who will reveal details about a hacking tool capable of scanning all the websites in the world to find security flaws and publicly disclose the exploitable vulnerabilities it finds.
The tool, dubbed PunkSpider, is an effort in which this team has invested a long time and will be released as an updated version after a two-year hiatus. Experts mention that PunkSpider will be able to automatically identify security flaws in websites, making the results available to any interested user in order to turn the Internet into a more secure environment.
While Caceres and Hopper are aware that publishing this information could expose some websites to severe attacks, they hope that the visibility of this information will allow administrators of online platforms to identify and address security flaws in their systems before this information reaches the cybercriminal community.
The tool will automatically scan the Internet for seven different types of vulnerabilities, including SQL injection flaws, cross-site scripting (XSS) vulnerabilities, and path traversal vulnerabilities, which are commonly exploited against websites to extract information, modify their content, or arbitrarily access them. Although these flaws have become very common and have even come to be considered low-risk, they continue to cause severe problems for IT administrators around the world.
As a complement to the tool, the researchers will launch a website where all the information obtained by PunkSpider will be available, with the option to search by type of vulnerability, severity of flaws or URL keywords. The plan also involves a Chrome plugin to check all the websites a user visits for exploited flaws.
This new version of PunkSpider has already proven its effectiveness, finding XSS flaws in websites like Kickstarter.com and LendingTree.com. According to Caceres, in the case of LendingTree the flaw could have been exploited to create malicious links that would redirect affected users to phishing or malware-infested websites.
Moreover, the vulnerability in Kickstarter would allow malicious hackers to redirect users to websites specially designed to steal their banking information or even steal this information from some legitimate projects on the platform. These flaws were duly reported and have already been corrected.