Vulnerabilities served up

A new search engine for vulnerabilities is rubbing salt into the wound that is web application security. Security problems that endanger visitors' data, like cross-site scripting (XSS) attacks and SQL injections, are widespread. Punkspider systematically searches the entire internet for these vulnerabilities and documents its results publicly. Hyperion Gray's concept is simple: take a scalable Hadoop cluster, use many parallel spider scripts to scan millions of web sites for security vulnerabilities and make the results publicly accessible through a custom search engine.

The results available for .de domains are not particularly impressive at the moment. Out of an apparent 50,000 web sites that have been tested, the search engine says it found cross-site scripting vulnerabilities on about 50, SQL injection problems on 16 and blind SQL injection vulnerabilities, which are actually harder to detect, on about 120. Results for .co.uk domains showed even less success: 32,290 sites scanned, with 30 XSS vulnerabilities, 2 SQL injection problems, and 60 Blind SQL injection vulnerabilities. The quality of these results is all over the place. In random tests run by The H's associates at heise Security, some of the vulnerabilities could be immediately verified using a test URL; others, however, had no detailed information whatsoever (where the scanner might have crashed), while a couple were most likely false alarms.

The search engine delivers websites with typical vulnerabilities, like cross-site scripting (XSS), to users in the comfort of their own home

Hyperion Gray's method is unconventional at best and is the subject of heated debate at the moment, with "centralised vulnerability database for script kiddies" being one of the tamer accusations. The legal aspects also deserve attention – not only are sites being scanned for security vulnerabilities without prior consent, the results are also being widely published. The debate rages on.

Web admins have a difficult decision to make now. If they search for their site, they may be relieved to find no results, but worried that they have made themselves targets for future Punkspider scans. If they refrain, they have to wonder whether other people are looking at the results for their site – and finding something useful. There's no information on how an admin can exclude their own site from a punkscan, and heise Security's questions for the service's provider on this and other subjects have not yet received a response. According to CTO Alejandro Caceres, however, instructions in the robots.txt control file are checked and respected. Indeed, he considers his new service to be good rather than evil: "The goal of my project [is] to alert firms to such vulnerabilities – for free – so that they could have their web developers fix it."

(fab)