Core Security Adds Network Device Assessment, Web App Scanner Integration to Automated Penetration Testing Solution

Note: ESJ’s editors carefully choose vendor-issued press releases about new or upgraded products and services. We have edited and/or condensed this release to highlight key features but make no claims as to the accuracy of the vendor's statements.

Core Security Technologies has introduced the latest version of its automated penetration testing solution, Core Impact Pro version 11.

The latest round of new features allows customers to:

  • Detect and exploit network router and switch vulnerabilities

  • Import Web vulnerability scan results and validate them for exploitability

  • Exploit persistent (or stored) cross-site scripting (XSS) vulnerabilities

  • Exploit cross-site scripting (XSS) vulnerabilities in Adobe Flash applications

  • Reveal additional top Web application vulnerabilities as defined by OWASP

  • Replicate wireless man-in-the-middle (MiTM) attacks

  • Leverage expanded client-side phishing capabilities

To help security teams extend their testing capabilities and learn whether their network devices are vulnerable to attacks, Core Impact Pro v11 adds the following testing capabilities:

  • Information gathering and fingerprinting: As a part of network information gathering, Impact Pro will scan a range of IP addresses and return a list of discovered network devices as well as any identifying attributes (e.g., manufacturer, device/model, OS).

  • Detection and exploitation of configuration vulnerabilities: To verify that access to a network device has been achieved, Impact Pro offers testers several non-aggressive techniques to verify access, including configuration retrieval, device renaming, password cracking, access list piercing, and interface monitoring.

Core Impact Pro has long featured integration with multiple network vulnerability scanners to help customers filter results and identify their most significant points of exposure, and the latest release adds integration with Web application scanning tools such as IBM Rational AppScan and HP WebInspect. By feeding the often voluminous results of their Web application scans directly into Impact Pro, customers can now:

  • Prove the exploitability of Web application vulnerabilities, with no false positives, to both prioritize and inform remediation efforts.

  • Leverage Core Impact's privilege escalation and pivoting capabilities to gain administrative access on Web servers and leverage them as beachheads for additional attacks against backend network systems.

  • Use scan results to identify pages (URLs) to penetration test, in addition to utilizing Core Impact's own page identification capabilities.

Impact Pro v11 enables users to exploit Persistent (or Stored) XSS vulnerabilities. Persistent XSS is an insidious form of attack because it implants the vulnerable Web application with malicious code, which subsequently runs against end user browsers that load the application. For instance, an attacker could target a vulnerable blog by adding a comment containing exploit script. As end users view the blog in their browsers, the script would run against their systems. Since Persistent XSS doesn't require phishing to target end users, it can affect a larger population in a much more subversive way.

Cross-Site Scripting (XSS) detection and exploitation for Adobe Flash objects is new for Impact Pro and extends the capabilities of the Web application test vector by targeting dynamic Flash content in addition to static HTML applications.

For more information, visit http://www.coresecurity.com/content/core-impact-v11.