see url: https://www.wired.com/story/punkspider-web-site-vulnerabilities/
see full story...is there a punk spider net near your web site...😉
Quote<<<
PunkSpider is back, and crawling hundreds of millions of sites for
vulnerabilities.
The web has long been a playground for hackers, offering up hundreds of
millions of public-facing servers to comb through for basic
vulnerabilities to exploit. Now one hacker tool is about to take that
practice to its logical, extreme conclusion: Scanning every website in
the world to find and then publicly release their exploitable flaws, all
at the same time—and all in the name of making the web more secure.
At the Defcon hacker conference next week, Alejandro Caceres and Jason
Hopper plan to release—or, rather, to upgrade and re-release after a
years-long hiatus—a tool called PunkSpider. Essentially a search engine
that constantly crawls the entire web, PunkSpider automatically
identifies hackable vulnerabilities in websites, and then allows anyone
to search those results to find sites susceptible to everything from
defacement to data leaks.
PunkSpider's creators say it will catalog hundreds of thousands of those
unpatched vulnerabilities at launch, making all of them publicly
accessible. Caceres and Hopper acknowledge that in doing so, their tool
could potentially expose those sites to real-world attacks. But they
hope that visibility will force the web's administrators to acknowledge
that their websites contain simple, glaring, and in some cases dangerous
flaws—and hopefully fix them.
The sort of web vulnerabilities that PunkSpider finds remain incredibly
common, despite years of warnings. In January of last year, for
instance, security researchers found that one such web vulnerability let
anyone take over Fortnite accounts, and earlier this year another web
bug allowed hacktivists to breach the right-wing social media site Gab
and leak 70 gigabytes of its backend data. Both have since been patched.
But Caceres argues that PunkSpider could spur web admins to finally fix
those sorts of ubiquitous bugs before hackers abuse them.
"I thought, 'Wouldn't it be cool if I could scan the entire web for
vulnerabilities? And to make it even more fun, wouldn't it be cool if I
released all those vulnerabilities for free?'" says Caceres, who along
with Hopper works as a researcher for cybersecurity startup QOMPLX. "I
knew it was going to have some kind of implications. And after I started
thinking about it, I really thought they might be good."
PunkSpider will automatically scan and "fuzz" sites for seven kinds of
exploitable bug, repeatedly trying variations of common hacking methods
to check if a site is vulnerable. That list includes SQL injection
vulnerabilities that allow hackers to enter commands into user input
fields on a website, sometimes causing it to spill the contents of its
backend databases; cross-site scripting vulnerabilities that let hackers
craft malicious links that, when a user clicks on them, load an altered
version of the website that can be used for phishing or serving up
malware; and path traversal vulnerabilities, in which a hacker can mess
with a site's URL to read or write sensitive files on the server that
hosts it. All those vulnerabilities are generally considered low-hanging
fruit in the hacker world, but still persist in vast swaths of the web.
>>>End of Quote
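The article describes the three bug classes PunkSpider fuzzes for (SQL injection, reflected cross-site scripting, path traversal) only in prose. The block below is an added illustration, not PunkSpider's code and not from the Wired story: it models each class with a deliberately vulnerable handler beside a hardened one, runs a one-probe-per-class scanner over both, and reports which handlers are hackable. The in-memory SQLite table, the virtual filesystem, the handler names and the probe payloads are all constructed for this example; a real scanner would send the same probes over HTTP and compare responses instead of calling functions directly.

```python
# Added example (not PunkSpider's code): a miniature in-process model of how a
# scanner "fuzzes" handlers for SQL injection, reflected XSS and path traversal.
import html
import posixpath
import sqlite3
from typing import Callable, Dict

# --- constructed target: a tiny in-memory app, no network involved ----------
_db = sqlite3.connect(":memory:")
_db.execute("CREATE TABLE users (name TEXT, secret TEXT)")
_db.executemany("INSERT INTO users VALUES (?, ?)",
                [("alice", "s3cr3t"), ("bob", "hunter2")])

# Constructed virtual filesystem; WEB_ROOT is the directory the app should serve.
WEB_ROOT = "/var/www/static"
_files = {"/var/www/static/index.html": "<h1>hi</h1>",
          "/etc/passwd": "root:x:0:0:root:/root:/bin/sh"}

def search_vuln(q: str) -> str:
    # SQL injection: user input is concatenated straight into the query text.
    rows = _db.execute(f"SELECT name FROM users WHERE name = '{q}'").fetchall()
    return ",".join(r[0] for r in rows)

def search_fixed(q: str) -> str:
    # Parameterized query: the input is bound as data, never parsed as SQL.
    rows = _db.execute("SELECT name FROM users WHERE name = ?", (q,)).fetchall()
    return ",".join(r[0] for r in rows)

def greet_vuln(name: str) -> str:
    # Reflected XSS: input echoed into HTML without escaping.
    return f"<p>Hello {name}</p>"

def greet_fixed(name: str) -> str:
    # HTML-escape on output so '<', '>', '"' cannot start markup.
    return f"<p>Hello {html.escape(name, quote=True)}</p>"

def static_vuln(path: str) -> str:
    # Path traversal: '..' segments (or an absolute path) escape WEB_ROOT.
    full = posixpath.normpath(posixpath.join(WEB_ROOT, path))
    return _files.get(full, "404")

def static_fixed(path: str) -> str:
    full = posixpath.normpath(posixpath.join(WEB_ROOT, path))
    # Reject anything whose normalized form is not inside the web root.
    if full != WEB_ROOT and not full.startswith(WEB_ROOT + "/"):
        return "403"
    return _files.get(full, "404")

# --- constructed scanner: one probe per bug class ---------------------------
def probe_sqli(handler: Callable[[str], str]) -> bool:
    # Boolean-based check: a tautology payload changes the response relative
    # to a benign input; a database error leaking out is also a giveaway.
    try:
        baseline = handler("zzz")
        tautology = handler("zzz' OR '1'='1")
    except sqlite3.Error:
        return True
    return tautology != baseline

def probe_xss(handler: Callable[[str], str]) -> bool:
    # If the canary comes back byte-for-byte, the page reflects raw markup.
    canary = "<svg/onload=x>"
    return canary in handler(canary)

def probe_traversal(handler: Callable[[str], str]) -> bool:
    # Ask for a file that only exists outside the web root.
    return "root:" in handler("../../../etc/passwd")

def scan(app: Dict[str, Callable[[str], str]]) -> Dict[str, bool]:
    probes = {"search": probe_sqli, "greet": probe_xss, "static": probe_traversal}
    return {name: probes[name](fn) for name, fn in app.items()}

VULN_APP = {"search": search_vuln, "greet": greet_vuln, "static": static_vuln}
FIXED_APP = {"search": search_fixed, "greet": greet_fixed, "static": static_fixed}

if __name__ == "__main__":
    print("vulnerable:", scan(VULN_APP))   # every probe fires
    print("fixed:     ", scan(FIXED_APP))  # none fires
```

The SQL injection probe is the one worth studying: it does not need an error message, only a detectable difference between a benign input and a tautology, which is the same boolean-based technique scanners fall back to when a site suppresses database errors. The traversal fix checks the normalized path against the root rather than filtering the string "..", because encoded or absolute variants bypass string filters but not the normalized-prefix check.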