PunkSPIDER: An Open Source, Scalable Distributed Fuzzing Project Targeting The Entire Internet

ShmooCon IX - 2013

Presented by: Alejandro Caceres
Date: Saturday February 16, 2013
Time: 17:00 - 17:50
Location: Regency B/C/D
Track: Belay It!

By combining the principles of offensive security and distributed computing we were able to build an extremely fast and scalable web application scanner, PunkSCAN. It is an extremely stable and fast web application scanner that runs on a Hadoop cluster and as part of this presentation we’re releasing it free and open source. PunkSPIDER, the main focus of this presentation, is the result of setting PunkSCAN loose on the Internet, and making the results searchable (also for free) through a web front end and REST API.

We expect PunkSPIDER will have many functions, but we are particularly hoping that by doing this, the general public becomes more aware of the security of the websites to which they are entrusting their critical data (hint: mostly they’re a mess). By holding those accountable that release these obviously insecure web applications, we hope that we will see a shift towards the average user steering clear of those websites, providing incentive for secure coding practices, or at the very least incentive for running basic vulnerability checks on a web application prior to deployment. We will be the stick that hits web app developers and web app administrators when they do something dangerously sloppy.

Alejandro Caceres

Alejandro Caceres is a Computer Network Operations Engineer and web application penetration testing subject matter expert with Lunarline Inc at his “real job” and is the owner/developer/engineer/everything of Hyperion Gray, LLC at his “not-so-real job.” Hyperion Gray is a small organization of coders interested in creating cool and hip offensive security tools for the open source community. He has an interest in creating applications that have a global impact through distributed computing and offensive security principles.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats