server_header

This plugin GETs the server header and saves the result to the knowledge base. Nothing strange, just do a GET request to the url and save the server headers to the kb. A smarter way to check the server type is with the hmap plugin. Plugin type Infrastructure Options This plugin doesnt have any us...

wordpress_fullpathdisclosure

This plugin try to find the path in the server where WordPress is installed. Plugin type Crawl Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the...

cache_control

This plugin analyzes every HTTPS response and reports instances of incorrect cache control which might lead the users browser to cache sensitive contents on their system. The expected headers for HTTPS responses are: Pragma: No-cache Cache-control: No-store Plugin type Grep Options This plugin...

finger_bing

This plugin finds mail addresses in Bing search engine. One configurable parameter exist: resultlimit This plugin searches Bing for : "@domain.com", requests all search results and parses them in order to find new mail addresses. Plugin type Infrastructure Options Name | Type | Default Value |...

wsdl_greper

This plugin greps every page for WSDL definitions. Not all wsdls are found appending "?WSDL" to the url like crawl.wsdlfinder plugin does, this grep plugin will find some wsdls that arent found by the crawl plugin. Plugin type Grep Options This plugin doesnt have any user configured options. Sour...

url_session

This plugin finds URLs which contain a parameter that stores the session ID. This configuration leaves the session id exposed in browser and server logs, and is also leaked through the HTTP referrer header. Plugin type Grep Options This plugin doesnt have any user configured options. Source For...

halberd

This plugin tries to find if an HTTP Load balancer is present. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood:...

xssed_dot_com

This plugin searches the xssed.com database and parses the result. The information stored in that database is useful to know about previous XSS vulnerabilities in the target website. Plugin type Infrastructure Options This plugin doesnt have any user configured options. Source For more informatio...

archive_dot_org

This plugin does a search in archive.org and parses the results. It then uses the results to find new URLs in the target site. This plugin is a time machine ! Plugin type Crawl Options Name | Type | Default Value | Description | Help ---|---|---|---|--- maxdepth | integer | 3 | Maximum recursion...

code_disclosure

This plugin greps every page in order to find code disclosures. Basically it greps for ?.? and %.% using the re module and reports findings. Code disclosures are usually generated due to web server misconfigurations, or wierd web application "features". Plugin type Grep Options This plugin doesnt...

frontpage_version

This plugin searches for the FrontPage Server Info file and if it finds it will try to determine the version of the Frontpage Server Extensions. The file is located inside the web server webroot. For example: http://localhost/vtiinf.html Plugin type Infrastructure Options This plugin doesnt have...

password_profiling

This plugin creates a list of possible passwords by reading responses and counting the most common words. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understa...

os_commanding

This plugin will find OS commanding vulnerabilities. The detection is performed using two different techniques: Time delays Writing a known file to the HTML output With time delays, the plugin sends specially crafted requests that, if the vulnerability is present, will delay the response for 5...

blind_sqli

This plugin finds blind SQL injections using two techniques: time delays and true/false response comparison. Only one configurable parameters exists: eqlimit Plugin type Audit Options Name | Type | Default Value | Description | Help ---|---|---|---|--- eqlimit | float | 0.9 | String equal ratio 0...

mx_injection

This plugin will find MX injections. This kind of web application errors are mostly seen in webmail software. The tests are simple, for every injectable parameter a string with special meaning in the mail server is sent, and if in the response I find a mail server error, a vulnerability was found...

feeds

This plugin greps every page and finds rss, atom, opml feeds on them. This may be usefull for determining the feed generator and with that, the framework being used. Also this will be helpful for testing feed injection. Plugin type Grep Options This plugin doesnt have any user configured options...

shift_out_in_between_dots

This evasion plugin insert between dots shift-in and shift-out control characters which are cancelled each other when they are below so some ".." filters are bypassed Example: Input: ../../etc/passwd Output: .%0E%0F./.%0E%0F./etc/passwd Plugin type Evasion Options This plugin doesnt have any user...

hash_analysis

This plugin identifies hashes in HTTP responses. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly whats under the hood: Plugin source code...

user_defined_regex

This plugin greps every response for a user defined regex. You can specify a single regex or an entire file of regexes each line one regex, if both are specified, the singleregex will be added to the list of regular expressions extracted from the file. A list of example regular expressions can be...

strange_http_codes

Analyze HTTP response codes sent by the remote web application and report uncommon findings. Plugin type Grep Options This plugin doesnt have any user configured options. Source For more information about this plugin and the associated tests, theres always the source code to understand exactly...