Caceres freely acknowledges that malicious hackers could use PunkSpider to hack a website. But he argues that scanners that detect web vulnerabilities have always existed; PunkSpider only makes the results public. “You know your customers can see it, your investors can see it, so you’re going to fix that shit fast,” says Caceres.

Take two

The Defcon talk by Caceres and Hop presents a new incarnation of PunkSpider. The idea for the tool came about a decade ago, in the summer of 2011, as the hacker group Anonymous and its splinter group LulzSec were caught up in a spree of data theft and defacement, most of it made possible by simple web vulnerabilities. (“Why are there SQL injections everywhere?” one LulzSec tribute hip-hop song asked.)

Caceres noted at the time that even relatively unskilled hackers had no trouble finding a steady supply of web bugs. He began to wonder whether the only solution might be to expose every web vulnerability on a massive scale. So in 2012 he started building PunkSpider to do exactly that, and he introduced it at the ShmooCon hacking conference in early 2013. His small security R&D company, Hyperion Gray, also received funding from DARPA.

From the beginning, however, the project faced challenges. ShmooCon’s audience questioned whether Caceres was enabling black-hat hackers and, in the process, violating the Computer Fraud and Abuse Act. Amazon repeatedly booted him out of the Amazon Web Services accounts he used to power the search engine, almost immediately after receiving abuse reports from angry web administrators. To keep it going, he was constantly forced to create new burner accounts.

By 2015, Caceres was scanning the web for new vulnerabilities only once a year. He struggled to keep PunkSpider online and to pay for it. After a while, he let the project lapse.

Earlier this year, however, Hyperion Gray was acquired by QOMPLX, and the larger startup agreed to revive a new and improved version of its web-hacking search engine. Now Caceres and Hop say their improved tool’s scanning is powered by a cloud-based cluster of hundreds of machines, capable of scanning millions of sites every day, either to update its results for the entire web on a rolling basis or to scan a target URL at a user’s request. The old PunkSpider’s annual scan of the entire web took about a week to complete.

Caceres declined to name his current hosting provider, but says he has worked out an understanding with the company about PunkSpider’s motivation, which he hopes will keep his accounts from being banned again. He has also, reluctantly, added a feature that lets web administrators spot PunkSpider’s probing by its user agent (the string that identifies a visitor to a website), which includes a contact email address, and an opt-out that lets websites remove themselves from the tool’s findings. “I’m not happy about it, honestly,” says Caceres. “I don’t like the idea of people being able to opt out of security matters and bury their heads in the sand. But it’s a matter of sustainability and balance.”

PunkSpider’s web

The reborn version of PunkSpider has already revealed real bugs in major websites. Caceres showed WIRED screenshots of cross-site scripting vulnerabilities in both kickstarter.com and lendingtree.com. In the case of LendingTree, Caceres says the vulnerability could be used to craft links that, if users were tricked into clicking them, would host malware on the site or display a phishing prompt on LendingTree’s own domain. The Kickstarter bug, he says, would allow hackers to craft a link that, if a victim clicked it, could likewise display a phishing prompt or automatically make a payment with their credit card to a Kickstarter project.

“LendingTree employs multiple levels of control to protect the confidentiality and integrity of our site and customer data,” the company said in a statement. “This includes web application firewalls, out-of-the-box penetration testing, and static/dynamic code review to identify and eliminate vulnerabilities. In addition, we take any reported security vulnerabilities seriously and quickly monitor any issues encountered.” Kickstarter wrote in an email to WIRED that it was “actively addressing” its web bugs.