loading
loading
Vulnerabilities
A fully automated, accurate, and extensive scanner for finding the Log4Shell RCE, CVE-2021-44228.
overview
log4j-scan tests a target for CVE-2021-44228, the Log4Shell remote code execution flaw in Apache Log4j. It injects JNDI payloads into headers and parameters, then watches a DNS callback to confirm whether the target reached out, which is the signal that a vulnerable Log4j instance parsed and resolved the payload. Confirmation through an out-of-band callback keeps false positives low.
The scanner is built for breadth and evasion. It fuzzes many headers from a list, can run every available test per URL, and ships WAF-bypass payloads for targets behind a filter. You point it at one URL or a file of URLs, choose a DNS callback provider such as interact.sh or dnslog.cn, and it reports which hosts triggered a callback.
On Trickest, log4j-scan is a Vulnerabilities node that takes a URL or a target list and writes a file and a folder of results. Run it after a prober has narrowed a wide scope to live hosts, then route confirmed Log4Shell hits straight into triage.
use cases
Feed a file of live URLs and let log4j-scan inject JNDI payloads into each, confirming exposure only when a host calls back to the DNS provider.
Enable WAF-bypass payloads so the scan reaches Log4j instances sitting behind a filter that drops the standard JNDI strings.
Turn on run-all-tests to fuzz the full set of headers and request paths, catching vulnerable hosts that only parse the payload in one specific field.
Point the scan at a custom DNS callback host you control so confirmation signals land in your own infrastructure rather than a public service.
reference
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Check a single URL. |
| url-list | FILE | -l | Check a list of URLs, the usual pipeline input. |
| waf-bypass | BOOLEAN | --waf-bypass | Extend scans with WAF bypass payloads. |
| run-all-tests | BOOLEAN | --run-all-tests | Run every available test on each URL. |
| headers-file | FILE | --headers-file | Custom header list to fuzz with payloads. |
| dns-callback-provider | STRING | --dns-callback-provider | DNS callback provider: dnslog.cn or interact.sh (default interact.sh). |
| custom-dns-callback-host | STRING | --custom-dns-callback-host | Custom DNS callback host you control. |
| request-method | STRING | --request-type | Request type, get or post (default get). |
Showing key inputs. log4j-scan exposes 10 inputs in total.
| Name | Type | Flag | Description |
|---|---|---|---|
| url | STRING | -u | Check a single URL. |
| url-list | FILE | -l | Check a list of URLs. |
| wait-time | STRING | --wait-time | Seconds to wait after all URLs are processed (default 5). |
| waf-bypass | BOOLEAN | --waf-bypass | Extend scans with WAF bypass payloads. |
| headers-file | FILE | --headers-file | Header fuzzing list. |
| run-all-tests | BOOLEAN | --run-all-tests | Run all available tests on each URL. |
| request-method | STRING | --request-type | Request type: get or post (default get). |
| dns-callback-provider | STRING | --dns-callback-provider | DNS callback provider: dnslog.cn or interact.sh (default interact.sh). |
| custom-dns-callback-host | STRING | --custom-dns-callback-host | Custom DNS callback host. |
| exclude-user-agent-fuzzing | BOOLEAN | --exclude-user-agent-fuzzing | Exclude the User-Agent header from fuzzing, useful to bypass weak User-Agent checks. |
example
# scan a list of live URLs, fuzz every header, and add WAF-bypass payloadspython3 log4j-scan.py -l live-urls.txt --run-all-tests --waf-bypass[•] CVE-2021-44228 - Log4j RCE Scanner[•] DNS callback: interact.sh[•] Loaded 3 URLs from live-urls.txt[•] URL: https://example.com | injecting JNDI payload into 15 headers[•] URL: https://app.example.com | injecting JNDI payload into 15 headers[•] Payloads sent to all URLs. Waiting for DNS OOB callbacks.[!!!] Target Affected: https://app.example.com (X-Api-Version header)[•] Scan complete: 1/3 targets vulnerable to Log4Shell.guidance
Use log4j-scan when you need to confirm Log4Shell exposure on a known set of URLs. It tests one specific CVE, so feed it live hosts from a prober like httpx rather than pointing it at raw discovery output, and enable WAF bypass when a filter sits in front of the target.
Same out-of-band style for the RSC/Next.js RCE. log4j-scan is the Log4j-specific equivalent.
Fingerprints one CVE on Citrix ADC. log4j-scan is the single-CVE scanner for Log4Shell.
Runs a broad template library including Log4Shell. log4j-scan goes deeper on header fuzzing and WAF bypass for this one flaw.
faq
related
A Go script for bypassing 403 forbidden responses.
An open-source tool that automates detecting and exploiting command injection.
Detect and abuse vulnerable implementations of stateless sessions.
A Python tool to find Cross-Origin Resource Sharing misconfigurations.
A tool to find HTTP splitting vulnerabilities.
Multi-threaded, IPv6-aware username enumeration via CVE-2018-15473.
A target list is probed by httpx, then log4j-scan injects JNDI payloads into the live hosts and writes the confirmed Log4Shell hits as a queryable output.
Facts on this page come from the live Trickest tool library.