Category

Vulnerability Scanning

Inputs

  • header: Header(s) to include in HTTP requests
  • header-file (file): File with header(s) to include in HTTP requests
  • web-technologies (file, required): JSONLines records of web technology discovery details from the Fingerprint Web Technologies module

Outputs

  • findings
  • web-technologies

Scan for Technology-Specific Vulnerabilities

Description

Scan the identified technologies on your attack surface using tailored checks and methodologies for each. The currently supported technologies are:

  • WordPress
  • Microsoft IIS
  • Ivanti Pulse Secure
  • Joomla
  • GitLab
  • Jenkins
  • Spring Boot
  • Jira
  • Splunk
  • WebLogic

Features

  • Performs custom checks based on the identified technologies for a more targeted scan.
  • Detects related components and extensions, such as WordPress plugins and themes.
  • Can scan thousands of web servers simultaneously.

Inputs

Required

  • web-technologies: JSONLines records of web technology discovery details from the “Fingerprint Web Technologies” module.
{"asset": "https://foo.example.com", "technology": "WordPress"}

{"asset": "https://bar.example.com", "technology": "Microsoft IIS"}

{"asset": "https://baz.example.com", "technology": "Springboot Actuators"}

Optional

  • header: Header(s) to include in HTTP requests
  • header-file: File with header(s) to include in HTTP requests

Outputs

  • findings: JSONLines records of finding details.
{"finding": "Outdated WordPress Plugin", "location": "https://foo.example.com", "severity": "unknown", "hostname": "foo.example.com", "domain_name": "example.com", "method": "GET", "description": "Detected WordPress plugin \"elementor\" version 3.6.2"}

{"finding": "IIS Short File Name Enumeration", "location": "https://bar.example.com", "severity": "unknown", "hostname": "bar.example.com", "domain_name": "example.com", "method": "GET", "description": "The IIS server is vulnerable to an issue that reveals short names for files and directories using the 8.3 file naming scheme. By sending specially crafted requests containing the tilde \"~\" character, attackers can exploit this flaw to discover hidden files or directories, potentially exposing sensitive information"}

{"finding": "Spring Boot Actuators (Jolokia) XXE", "location": "https://baz.example.com/jolokia/exec/ch.qos.logback.classic:Name=default,Type=ch.qos.logback.classic.jmx.JMXConfigurator/reloadByURL/http:!/!/nonexistent:31337!/logback.xml", "hostname": "baz.example.com", "domain_name": "example.com", "severity": "high", "method": "GET", "description": "A vulnerability in Spring Boot Actuators's 'jolokia' endpoint allows remote attackers to perform an XML External Entities (XXE) attack and include content stored on a remote server as if it was its own. This has the potential to allow the execution of arbitrary code and/or disclosure of sensitive information from the target machine."}
  • web-technologies: JSONLines records of web component discovery details.
{"asset": "https://foo.example.com", "technology": "elementor WordPress plugin", "location": "https://foo.example.com/wp-content/plugins/elementor/", "context": "3.6.2"}
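The following is an added example, not code from the module itself, showing how a consumer or reimplementation of this interface could parse the web-technologies JSONLines input, detect WordPress plugins with their versions from page HTML (the kind of component discovery the Features list describes), and emit findings and web-technologies records in the shapes shown above. The header-file format, the technology-name aliases, the way domain_name is derived, and the minimum-version table are assumptions made for the example; the sample input records and HTML are constructed here and no network requests are made.

```python
from __future__ import annotations

import json
import re
from typing import Optional
from urllib.parse import urlsplit

# Technologies this page lists as supported by the module.
SUPPORTED = {"WordPress", "Microsoft IIS", "Ivanti Pulse Secure", "Joomla", "GitLab",
             "Jenkins", "Spring Boot", "Jira", "Splunk", "WebLogic"}

# Assumption: the fingerprint module may emit variant spellings such as
# "Springboot Actuators" (seen in the sample input), so map a few aliases.
ALIASES = {"springboot actuators": "Spring Boot", "springboot": "Spring Boot"}

# Constructed sample input, copied from the records shown on this page.
SAMPLE_INPUT = """
{"asset": "https://foo.example.com", "technology": "WordPress"}
{"asset": "https://bar.example.com", "technology": "Microsoft IIS"}
{"asset": "https://baz.example.com", "technology": "Springboot Actuators"}
"""

# Constructed HTML snippet standing in for the response body of foo.example.com.
SAMPLE_HTML = """
<script src="https://foo.example.com/wp-content/plugins/elementor/assets/js/frontend.min.js?ver=3.6.2"></script>
<link href="https://foo.example.com/wp-content/themes/twentytwenty/style.css?ver=2.0">
<script src="https://foo.example.com/wp-content/plugins/unversioned/main.js"></script>
"""


def normalise_technology(name: str) -> Optional[str]:
    """Map a fingerprint technology name onto a supported one, or None if unsupported."""
    key = name.strip().lower()
    if key in ALIASES:
        return ALIASES[key]
    return next((t for t in SUPPORTED if t.lower() == key), None)


def read_web_technologies(jsonl: str) -> list[dict]:
    """Parse JSONLines input, dropping blank lines and technologies the module cannot scan."""
    records = []
    for line in jsonl.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        tech = normalise_technology(rec["technology"])
        if tech is not None:
            records.append({"asset": rec["asset"], "technology": tech})
    return records


def parse_header_file(text: str) -> dict[str, str]:
    """Assumption: the header-file input holds one 'Name: value' header per line."""
    headers = {}
    for line in text.splitlines():
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip()] = value.strip()
    return headers


# Plugin slug and version from asset URLs like /wp-content/plugins/<slug>/...?ver=<x.y.z>
PLUGIN_RE = re.compile(r"/wp-content/plugins/([A-Za-z0-9_-]+)/[^\"'\s]*?[?&]ver=([0-9][0-9.]*)")


def discover_wp_plugins(asset: str, html: str) -> list[dict]:
    """Return web-technologies output records, one per plugin with a detectable version."""
    seen: dict[str, str] = {}
    for slug, ver in PLUGIN_RE.findall(html):
        seen.setdefault(slug, ver)  # keep the first version seen for a slug
    return [{"asset": asset, "technology": f"{slug} WordPress plugin",
             "location": f"{asset}/wp-content/plugins/{slug}/", "context": ver}
            for slug, ver in seen.items()]


def make_finding(finding: str, location: str, severity: str, description: str,
                 method: str = "GET") -> dict:
    """Build a findings record with the fields shown in this page's output examples."""
    host = urlsplit(location).hostname or ""
    # Assumption: domain_name is the last two labels of the hostname.
    domain = ".".join(host.split(".")[-2:])
    return {"finding": finding, "location": location, "severity": severity,
            "hostname": host, "domain_name": domain, "method": method,
            "description": description}


def wordpress_checks(asset: str, html: str,
                     minimum_versions: dict[str, str]) -> tuple[list[dict], list[dict]]:
    """Flag plugins older than the (constructed) minimum acceptable version for that slug."""
    components = discover_wp_plugins(asset, html)
    findings = []
    for comp in components:
        slug = comp["technology"].split(" ")[0]
        current = tuple(int(p) for p in comp["context"].split("."))
        minimum = tuple(int(p) for p in minimum_versions.get(slug, "0").split("."))
        if current < minimum:
            findings.append(make_finding("Outdated WordPress Plugin", asset, "unknown",
                                         f'Detected WordPress plugin "{slug}" version {comp["context"]}'))
    return findings, components


if __name__ == "__main__":
    for rec in read_web_technologies(SAMPLE_INPUT):
        if rec["technology"] == "WordPress":
            findings, components = wordpress_checks(rec["asset"], SAMPLE_HTML, {"elementor": "3.7.0"})
            for out in findings + components:
                print(json.dumps(out))
```

Only the WordPress branch is implemented here; the other technologies in the supported list would each get their own check function selected by the normalised technology name in the same loop.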

Changelog

  • v1.0.0
    • Initial release
  • v1.1.0
    • Added header-file input