
PunkSPIDER is a global-reaching web application vulnerability search engine. The goal is to allow the user to determine vulnerabilities in websites across the Internet quickly, easily, and intuitively. Please use PunkSPIDER responsibly. Our search patterns have recently changed, so please read this carefully!

How Can I See if a Website I Use is Vulnerable?

Searching for a specific website is easy! If you know the URL of your site, simply type the URL or part of the URL in the search box (without the http:// or https:// prefix) and find your website. Once you have found it, you will be presented with the number of vulnerabilities present on the site.

Let's try an example together. Let's say you want to check whether the New York Times website, http://www.nytimes.com, is vulnerable. You could type www.nytimes.com in the search bar, and you should receive a result back that looks like the following:

Code Block
http://www.nytimes.com/
Scanned: 2014-05-18T12:30:55.000055Z
bsqli:0 | sqli:0 | xss:0 | trav:0 | mxi:0 | osci:0 | xpathi:0 | Overall Risk:0

The first line gives you the domain of the result. The Scanned field on line 2 is the time at which our system scanned the site. Below that is the interesting part: the number of vulnerabilities found on the website, broken down by type (the SQLi, BSQLi and XSS terms are explained at the end of this page). If you're non-technical, you can ignore almost every part of that and just look at the Overall Risk field; it tells you the risk of visiting the website. As a rule of thumb, an Overall Risk of 1 should make you very wary, and anything with an Overall Risk greater than 1 you should stay away from entirely. An Overall Risk of 0 means our scan found nothing, not that the site is guaranteed clean: we test a sample of each site's links, not every page.

How Do I Get More Details On Vulnerabilities Found?

If you find that a website has a vulnerability, you can get details on it by clicking show details next to the vulnerability counts.

Code Block
www.race360.com
Scanned: 2014-05-18T12:30:55Z
bsqli:0 | sqli:3 | xss:0 | trav:0 | mxi:0 | osci:10 | xpathi:0 | Overall Risk:2 hide details

Type: sqli
Protocol: http
Parameter: method
Vulnerability URL: http://www.race360.com/memberslogon.asp?r=%2Fclubs%2Fenrollment.asp%3F&method=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%23--%27%40%21%5C&f=y

Type: sqli
Protocol: http
Parameter: eventid
Vulnerability URL: http://www.race360.com/marathonraces.asp?eventid=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%23--%27%40%21%5C

Type: sqli
Protocol: http
Parameter: r
Vulnerability URL: http://www.race360.com/memberslogon.asp?r=..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd%23--%27%40%21%5C&method=a&f=y

The first three lines of each entry give you the type of vulnerability, the protocol (http or https) and the parameter that allowed the injection to take place. The Vulnerability URL line is the exact URL in which the vulnerability was found, with the probe payload still URL-encoded in that parameter. If you click this link you are re-sending that probe to the website: you are technically testing the site for the vulnerability yourself, which may be considered impolite, and is something you should only do against a site you are authorised to test. When you're done you can click hide details to collapse the entry.
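The summary line and the per-finding entries above are regular enough to parse, which is handy if you want to triage many results or keep a record without re-clicking the Vulnerability URLs. The following Python is an added example written for this page, not PunkSPIDER's own code; its sample text is constructed from the race360 entry above (with the repeated ..%2F sequences shortened) and the field names are taken from that entry. It parses one result block, applies the Overall Risk rule of thumb from earlier on this page, decodes the payload that was sent in the flagged parameter, and produces a "defanged" copy of each URL with the payload replaced so you can cite the endpoint in a report without re-firing the probe.

```python
"""Parse PunkSPIDER-style result text and unpack what was actually sent.

Added example written for this page; not code from PunkSPIDER or Hyperion Gray.
SAMPLE is constructed from the race360 detail entry shown on the page, with
the repeated ..%2F sequences shortened. Field names in the count line are
taken from that entry.
"""
from urllib.parse import parse_qs, parse_qsl, urlencode, urlsplit, urlunsplit

SAMPLE = """\
www.race360.com
Scanned: 2014-05-18T12:30:55Z
bsqli:0 | sqli:3 | xss:0 | trav:0 | mxi:0 | osci:10 | xpathi:0 | Overall Risk:2

Type: sqli
Protocol: http
Parameter: method
Vulnerability URL: http://www.race360.com/memberslogon.asp?r=%2Fclubs%2Fenrollment.asp%3F&method=..%2F..%2Fetc%2Fpasswd%23--%27%40%21%5C&f=y

Type: sqli
Protocol: http
Parameter: eventid
Vulnerability URL: http://www.race360.com/marathonraces.asp?eventid=..%2F..%2Fetc%2Fpasswd%23--%27%40%21%5C

Type: sqli
Protocol: http
Parameter: r
Vulnerability URL: http://www.race360.com/memberslogon.asp?r=..%2F..%2Fetc%2Fpasswd%23--%27%40%21%5C&method=a&f=y
"""


def parse_counts(line):
    """'bsqli:0 | sqli:3 | ... | Overall Risk:2' -> {'bsqli': 0, ..., 'overall risk': 2}."""
    counts = {}
    for field in line.split("|"):
        name, _, value = field.strip().rpartition(":")
        counts[name.strip().lower()] = int(value)
    return counts


def risk_advice(overall_risk):
    """The page's rule of thumb for the Overall Risk field."""
    if overall_risk <= 0:
        return "nothing reported"
    if overall_risk == 1:
        return "be very wary"
    return "stay away"


def parse_result(text):
    """Split one result block into domain, scan time, counts and findings."""
    lines = [line.rstrip() for line in text.strip().splitlines()]
    record = {
        "domain": lines[0],
        "scanned": lines[1].split(":", 1)[1].strip(),
        "counts": parse_counts(lines[2]),
        "findings": [],
    }
    finding = {}
    for line in lines[3:]:
        if not line:                       # blank line ends a Type/Protocol/... group
            if finding:
                record["findings"].append(finding)
                finding = {}
            continue
        key, _, value = line.partition(":")   # split on the first colon only: the URL has more
        finding[key.strip().lower().replace(" ", "_")] = value.strip()
    if finding:
        record["findings"].append(finding)
    return record


def decode_payload(finding):
    """Return the decoded value that was sent in the flagged parameter."""
    query = urlsplit(finding["vulnerability_url"]).query
    return parse_qs(query, keep_blank_values=True).get(finding["parameter"], [""])[0]


def defang(finding, placeholder="PAYLOAD"):
    """Same URL with the probe payload replaced, safe to paste into a report."""
    parts = urlsplit(finding["vulnerability_url"])
    pairs = [(k, placeholder if k == finding["parameter"] else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))


if __name__ == "__main__":
    rec = parse_result(SAMPLE)
    print(rec["domain"], rec["scanned"], risk_advice(rec["counts"]["overall risk"]))
    for f in rec["findings"]:
        print(f["type"], f["parameter"], repr(decode_payload(f)), defang(f))
```

Decoding the parameter is worth doing before you draw conclusions from the Type field: the decoded value shows the exact string the scanner sent, and the defanged URL keeps the endpoint and the untouched parameters while dropping the part that would re-run the probe.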

...

Broad Searches and Advanced Searching

Searches with PunkSPIDER may work somewhat differently from what you are used to if you used PunkSPIDER 2.0. In particular, we are now focused on data reduction rather than data overload. This may be a bit counter-intuitive for a first-time user, so please read this section before searching PunkSPIDER and emailing us that you can't find something.

...

Wildcards & Title Searches

PunkSPIDER no longer allows wildcard searches. Why, you ask? We've greatly increased our set of results, and we feel that allowing wildcard searches opens up the potential for people to do searches like [wildcard]bank[wildcard], which is not cool. So if you try to use a wildcard in your search, it won't work and you will get a warning from PunkSPIDER. We also no longer allow title searches, because they too would let PunkSPIDER be used to find vulnerabilities on types of sites instead of specific sites.

If you're a security researcher interested in doing analysis on the dataset, we have the entire set available here. This dataset is every website we found that has a vulnerability; it does not include sites that we scanned that don't have vulnerabilities.

More on Advanced Searching/Understanding the Search Engine

For most searches, simply typing in the domain of the URL you're looking for without thinking too much should work just fine (e.g. www.nytimes.com). For more advanced searching needs, however, it is important to note a few things about searching with PunkSPIDER:

  • Searches can be changed to be additive (AND) or non-additive (OR) in terms of vulnerability filters. In other words, if you select OR along with BSQLI and XSS, you will find results with BSQLI or XSS vulnerabilities; with AND you will only find results that have both.
  • Broad searches are purposefully difficult in PunkSPIDER. Searching for bank, for example, will not give you everything with the word bank in the domain: our algorithm searches the beginning and end of a domain, so searching for bank will give you things like bank-bank-kan.hi5.com but not www.bankofamerica.com (because it starts with www).

I'm A Pen Tester or Security Researcher, How Can I Use This?

Cool. Part of what we're doing here is allowing you to find obvious bugs in sites that you might be pen testing. We hope PunkSPIDER can save you a little time on web application tests and also let you gather what is normally active reconnaissance data by passive means (searching PunkSPIDER rather than fuzzing the targets yourself). Simply type in the domain or domains of the organization you are testing and check the vulnerability boxes one by one to see if they have any SQLi, BSQLi, or XSS bugs that PunkSCAN has picked up. Treat a hit as a lead rather than a confirmed finding: the Vulnerability URL shows exactly which parameter and payload PunkSCAN used, so you can reproduce it yourself within the scope of your engagement before you report it.

...

Aren't quite getting the results you want? Let us know! We scan a massive corpus of websites, fairly representative of the entire Internet's web apps, but we're not able to conduct a full crawl of every single site: we take a sample of each site's links and test those, so it's also possible for us to miss stuff.

If you're interested in programmatic access to our PunkSPIDER results, the API is completely open. We ask that you don't crush us with traffic; limit your requests to about 1 per second or so.

I'm Not In the Security Field, I Don't Know What SQLi, BSQLi, XSS, etc. Means

No worries, you don't have to. All you need to know: they're bad. They allow others to potentially steal your sensitive information, and you don't want them on your site or on a site that you visit. If you do want the detail, here is what those terms mean.

SQLi and BSQLi stand for SQL injection and Blind SQL injection. SQL, or Structured Query Language, is an extremely common language used to retrieve information from a database. SQLi and BSQLi vulnerabilities allow attackers to steal information from a website's database. For sites that hold any of your sensitive information, including personally identifiable information such as your name, address or mother's maiden name, credit card numbers, usernames and passwords, SQL or blind SQL injection bugs are extremely dangerous. For sites that do not hold any of your sensitive information, these bugs can still allow attackers to steal the administrative credentials to the website and edit its contents to spread malware or generally cause a ruckus. Either way, this bug is one of the worst kinds out there, and websites with SQL injection bugs should be avoided at all costs. For more information check out this link.

XSS bugs are an extremely common vulnerability. XSS stands for cross-site scripting, and it is essentially a vulnerability that allows an attacker to insert client-side script (i.e. actions that will be performed by your browser) into a web page in some form or fashion. Though XSS itself is not always an indication that your information can be compromised if you use the website (though this sometimes is the case), it is usually a good indicator of how much care a website owner has taken to secure the site against various other attacks. For more information check out this link.
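The explanation above says what SQLi and BSQLi do; here is what the two bugs look like in code, with the fix alongside. This is an added example written for this page, not code from PunkSPIDER, and the SQLite tables, rows and payloads are constructed for it (the eventid-style parameter is modelled on the race360 entry earlier on the page). It shows a query that splices an event id straight into SQL, what `0 OR 1=1` and a UNION payload return from it, a login check that only answers yes or no and how a "blind" attacker still reads the admin password out of it one character at a time, and the parameterised versions of both queries, which close the hole.

```python
"""SQL injection, blind SQL injection, and the parameterised fix, side by side.

Added example written for this page; not from PunkSPIDER or Hyperion Gray.
The SQLite schema, rows and payloads are constructed for the demonstration
(plaintext passwords are used only to keep the leak visible; real systems
store password hashes).
"""
import sqlite3
import string


def make_db():
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE users(id INTEGER PRIMARY KEY, name TEXT, password TEXT);
        INSERT INTO users(name, password) VALUES
            ('admin', 's3cret!'), ('alice', 'hunter2'), ('bob', 'qwerty');
        CREATE TABLE events(id INTEGER PRIMARY KEY, title TEXT, public INTEGER);
        INSERT INTO events(title, public) VALUES ('Spring 10k', 1), ('Board meeting', 0);
    """)
    return db


# --- SQLi: the request parameter is pasted into the statement ---------------
def public_event_vulnerable(db, event_id):
    sql = f"SELECT id, title FROM events WHERE public = 1 AND id = {event_id}"
    return db.execute(sql).fetchall()


# --- Fix: bind the value; the database never parses it as SQL --------------
def public_event_safe(db, event_id):
    sql = "SELECT id, title FROM events WHERE public = 1 AND id = ?"
    return db.execute(sql, (event_id,)).fetchall()


# --- BSQLi: the page only answers yes/no, which is still an oracle ----------
def login_vulnerable(db, username, password):
    sql = (f"SELECT COUNT(*) FROM users "
           f"WHERE name = '{username}' AND password = '{password}'")
    return db.execute(sql).fetchone()[0] > 0


def login_safe(db, username, password):
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND password = ?"
    return db.execute(sql, (username, password)).fetchone()[0] > 0


# Characters to try, minus the quote that would break the injected string.
CHARSET = string.ascii_letters + string.digits + string.punctuation.replace("'", "")


def blind_extract(oracle, target_user="admin", max_len=32):
    """Recover target_user's password one character at a time.

    `oracle(username, password)` returns True/False only, like a login form.
    Each probe closes the name string and appends a condition on one character:
        admin' AND substr(password,1,1)='s'--
    The trailing -- comments out the real password check.
    """
    recovered = ""
    for pos in range(1, max_len + 1):
        for ch in CHARSET:
            probe = f"{target_user}' AND substr(password,{pos},1)='{ch}'--"
            if oracle(probe, "x"):
                recovered += ch
                break
        else:
            break                          # no character matched: end of string
    return recovered


if __name__ == "__main__":
    db = make_db()
    print(public_event_vulnerable(db, "0 OR 1=1"))        # includes the non-public row
    print(public_event_vulnerable(db, "0 UNION ALL SELECT id, name || ':' || password FROM users"))
    print(public_event_safe(db, "0 OR 1=1"))              # []
    print(login_vulnerable(db, "admin' OR '1'='1'--", "x"))  # True
    print(login_safe(db, "admin' OR '1'='1'--", "x"))        # False
    print(blind_extract(lambda u, p: login_vulnerable(db, u, p)))  # s3cret!
```

The blind case is the one worth dwelling on: `login_vulnerable` never returns a row to the caller, only a yes or no, yet `blind_extract` recovers the whole password with a few hundred requests. That is why a BSQLi count on a PunkSPIDER result is not a lesser finding than a plain SQLi count.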

I Want to Use PunkSPIDER to "Hack the Planet"

...

First, check this page out. If you still have more questions, no worries: shoot us an email at punkspider@hyperiongray.com and request to join the mailing list, where we can answer all of your questions. Please put something in the email to indicate that you're a human so we'll know you're not a spam bot; a quick sentence or a haiku is always nice. If you have a private question, just email it to punkspider@hyperiongray.com and we'll respond as soon as possible.

...

Cool, same process as above. Shoot us an email at punkspider@hyperiongray.com requesting to join our mailing list.