Platform Updates

December updates: 6 new ways to make your workflow smoother

Updated at
Reading time
read
Article tags

Hope 2022 is off to a great start for you!

Supporting your security efforts is what we do, so here’s a fresh batch of platform updates we rolled out at the end of 2021.

Why check them out

Because they’ll help you get more work done, faster with the same tools and features you know (and hopefully love!). 

TL;DR

  1. Exploit 4 new RCEs with Sniper Automatic Exploiter

  2. Detect a high-risk XSS in Microsoft with our Network Scanner

  3. Discover weak credentials in Redis service with our Password Auditor   

  4. Control the delay between login attempts with the Password Auditor

  5. Find Broken Authentication & Ruby code injection issues with the Website Scanner

  6. Add specific info about your targets to your focused scans    

Here’s how everything works

1. Automatically confirm exploitability for these critical CVEs with Sniper

No rest for our vulnerability research team! They built 4 new exploit modules while everyone else was easing into their holidays. 

This means you can now automatically validate, exploit, and do post-exploitation in under 2 minutes with Sniper Auto-Exploiter for: 

  1. the RCE vulnerability in Laravel PHP framework – CVE-2021-3129 

  2. another high-risk RCE found in Exim Mail Server that enables malicious actors to execute arbitrary commands via an especially crafted email – CVE-2021-10149

  3. the Tomcat RCE vulnerability discovered in Apache Tomcat HTTP Server that lets attackers upload a JSP file to the server via a crafted request  – CVE-2017-12617

  4. the RCE deserialization vulnerability in multiple Apache OFBiz versions – CVE-2021-26295

Try Sniper

2. Detect this critical XSS in Microsoft with the Network Scanner (+ Log4Shell)

Run our Network Vulnerability Scanner against your targets and check if they are vulnerable to the critical pre-auth POST-based reflected XSS vulnerability (CVE-2021-41349) in Microsoft Exchange Server. 

Try the Full Scan option from our Network Vulnerability Scanner and get a ready-to-use report with rich, useful findings.

PRO Tip: Don’t forget you can use Pentest-Tools.com to find targets impacted by the Log4J RCE vulnerability (CVE-2021-44228). 

With both the Website Scanner and the Network Scanner tools, you can effectively detect Log4Shell in your pentesting engagements. We even provide a faster option: the ready-to-use Log4Shell pentest robot!   

Curious about how our detection techniques for the Log4J vuln work? We shared all about it

3. Discover weak credentials in Redis

If you’re using Redis, you can now run the Password Auditor to automatically discover weak and default credentials in it. 

Go to Password Auditor, add your URL target, and enable the service. Sounds easy? It’s because we made it so.

find weak credentials with Password Auditor

Find weak credentials

4. Control the delay between login attempts with the Password Auditor

Now you have the option to control the delay between two successive authentication attempts you make with the Password Auditor. Make sure to add up to 43.200 delays between attempts.

Here’s where to find the option:

Control the delay with the Password Auditor

5. Two more detection modules make the Website Scanner even stronger

Our Website Scanner gets better each month! We recently added two new detection modules that search for Broken Authentication and Ruby code injection in your web apps.

To use them, go to Website Scanner, add your URL target, and select Full Scan. Expand the Attack options, choose the Active checks tab and enable Broken Authentication or Ruby code injection.

new detection modules for Website Scanner

 Scan your web app

6. Add specific info about your targets when running focused scans

Having all the information you need in one place saves a lot of time and energy. Here’s how we help you keep things simple and efficient.

Our team has improved the Pentest-Tools.com dashboard interface by adding the option to easily visualize the target description for all your scans, including scheduled ones. 

To enable it, go to Scans, navigate to View Settings and check Show target description

Here’s how to do it:

target description for scans

Each pentesting report you’ll generate combines your targets’ description with scan results. Useful, right? 

Hope these updates help improve your pentesting workflow every day! 

Get future pentesting guides!

We won't spam you with useless information.

Ready to apply what you read?

Use our free tools

Related articles