Burp Vulners Scanner

Scanner

Wanted to share with you what IMHO is the most promising Burp Suite plugin that just might transform it to the best penetration tool ever. It’s the Vulners plugin, available for free at github. Burp Suite Enterprise Edition The enterprise-enabled web vulnerability scanner. Burp Suite Professional The world's #1 web penetration testing toolkit. Burp Suite Community Edition The best manual tools to start web security testing. View all product editions. Vulners NSE plugin is a brilliant solution for full speed vulnerability scanning using NMAP. Using built-in sofware detection system of the scanner it correlates information with Vulners Database to detect vulnerable software and services nmap -sV -script vulners%target%. Burp Suite scanner plugin based on Vulners.com vulnerability database API. Posted by 3 years ago. You can browse the identified vulnerabilities marked with 'Vulners' which give you a easy viewable list of findings. 4 points 3 years ago edited 3 years ago.

What is the main idea of version-based vulnerability detection, especially for Web Applications? With an access to the HTTP response (html, headers, scripts, etc.), you can get the name and version of some standards web application (e.g. CMS, CRM, wiki, task tracker) or names and versions of software components that this web application uses: web server, libraries, frameworks, and so on.

Next step is to get all known vulnerabilities and exploits for this software. This is the typical task for Vulners.com – largest database and security content searching system (see “Vulners – Google for hacker“).

So, guys from Vulners Team made a set of useful regular expressions for detecting software names and versions – https://vulners.com/api/v3/burp/rules. You can use this rules in your own scripts and if you want something that will work out of the box, you can try existing plugins for Burp Suite and Google Chrome.

Burp Vulners Scanner

In this post I would like to show how the detection rules work, present new Vulners Burp API and vulnerability detection plugins for Burp Suite and Google Chrome.

Detection rules

Each rule has it’s own name, alias, that will be used in Vulners search request, regex for detecting the version of software and the rule type (“software” or “cpe”). Here are some different rules from the rule-file on github:

As you can see, “AngularJS” rule will check the scripts, “Apache Tomcat” will check the response headers and the last one, “Atlassian Confluence” is for html content. The regexp will return version of the software. If the rule type is “software”, we will search something like “Angular 1.11.4”, and if the type is “cpe” it will be “cpe:2.3:a:apache:tomcat:7.0.27” or “cpe:/a:atlassian:confluence:6.0”.

Vulners Burp API

Vulners Team presented special Burp API calls, different from the common search API calls that I reviewed earlier. With this new API you can specify the software name and version or the CPE id, and get the list of vulnerabilities in json. For example, try this urls:

Output of the last one:

Accuracy

Burp vulners scanners

It’s important to understand that vulnerability will be correctly detected only if there were no errors at all stages:

  1. Formalization of vulnerability description. What versions of the software are actually vulnerable? Can you say for sure that software is vulnerable by knowing only it’s version? In many cases installed patches, including various “cumulative” patches, should be take in into consideration. And you will not get this information from the unauthenticated scan only.
  2. Software detection (name and version). Were the software software name and version detected correctly? It’s pretty common situation when software was patched, real version of the software increased, but the version in software banner remained the same “vulnerable”.
  3. Version comparison. Sometimes it is tricky to say what version is bigger, because of the epoch numbers and so on.

Why am I writing this? Don’t be surprised if there will be false positives. Version-based detection always requires some post-processing.

Burp Suite plugin

Burp Vulners Scanner

Vulners plugin for Burp Suite is called “Software Vulnerability Scanner“. It is available only in Burp Suite Professional, that costs now $ 349.00 per user, per year.

You can install it in Extender tab -> BApp Store:

In Software Vulnerability Scanner tab you will see a link to json file with all detection rules. You can easily add your own set of rules as well:

Burp Vulners Scanner Software

There is a good video describing the work with Vulners Burp plugin. In this video Burp-user randomly opens sites from google search results in his web browser with configured Burp Proxy and Vulners Scanner detects vulnerabilities on these sites.

The output of plugin looks like this:

You can see here WordPress CMS version 4.7.5 and the list of vulnerabilities for this version. If you click on each vulnerability, you will get the detailed description and the links to other Vulners.com objects, including exploits.

You can also run Burp Suite with Software Vulnerability Scanner plugin in fully automatic mode. Here is an official manual “Using Burp As a Point-and-Click Scanner“. However, this manual is quite long and is a bit outdated. Here is my short version:

  1. Go to the Burp menu and choose “Restore defaults” for all options.
    Project options -> Restore defaults -> ALL.
  2. Copy url you want to scan (for example, https://corporation.com) in clipboard.
  3. Go to Repeater tab, right-click on the request panel to open the context menu, and select “Paste URL as request”.
  4. Press “Go” button.
  5. Open the same context menu again, and select “Add to site map”.
  6. Go to Target tab, and the Site map sub-tab. Select the domain name for your target application, right-click to open the context menu, and select “Add to scope”.
  7. Select the relevant location, right-click to open the context menu, and choose “Spider from here”.

Burp Vulners Scanner Reviews

Google Chrome plugin

Let’s see how to get similar functionality without Burp. Install Google Chrome web bowser. And then install Vulners Web Scanner Plugin.

That’s all. Just browse the Internet. If you see an active icon, click on it:

And see the list of vulnerabilities:

Logic Pro is the most advanced version of Logic ever. Sophisticated creative tools for professional songwriting, beat making, editing, and mixing are built around a modern interface that’s designed to get results quickly and also deliver more power whenever it’s needed. Logic Pro includes a massive collection of instruments, effects, loops and samples, providing a complete toolkit to create amazing-sounding. SPOTIFY Pianistaitaliano music journey:latest stable version of 'Logic 9' worked on osx Mountain. Does anyone know what the last version of Logic Pro X that can run on macOS 10.12.6 (Sierra) is? Stack Exchange Network Stack Exchange network consists of 176 Q&A communities including Stack Overflow, the largest, most trusted online community for developers to learn, share their knowledge, and build their careers. I have a Mac that I can't upgrade past High Sierra unless I update the graphics card. Is there a way to have the new Logic 10.5 release work on High. Logic pro x high sierra.

All links lead to the Vulners.com website. It’s pretty much like Burp Plugin, but it is completely free.

Burp Suite Vulners Scanner Plugin

In conclusion

Burp Vulners Scanner Video

  1. It works. 🙂 Vulners plugins for Chrome and Burp Suite can detect vulnerabilities.
  2. There are, however, plenty of false positives. You have to look through the list of vulnerabilities carefully, make a lot of additional clicks and checks.
  3. It’s not easy to automate it yet. Buying Burp Suite Professional only for this plugin seems to be an overkill. And the Chrome plugin is suitable only for casual use: “Look, this site is vulnerable, cool”.
  4. It would be great to make a separate scanner script in Python or NSE nmap plugin (upd. the did it, see “Vulners Nmap plugin“). As input, you can use Vulners collections (mainly NVD CVE and Exploits). This would allow to automate the work with such utility, for example, to analyze the entire perimeter of the organization. It would be possible to implement additional heuristics on top to reduce the number of false positives.

Burp Vulners Scanner Driver

Hi! My name is Alexander and I am an Information Security Automation specialist. You can read more about me here. Currently, the best way to follow me is my Telegram channel @avleonovcom. I update it more often than this site. If you haven’t used Telegram yet, give it a try. It’s great. You can discuss my posts or ask questions at @avleonovchat.