Core Security Technologies introduced the latest version of its automated penetration testing solution, CORE IMPACT Pro 11.
CORE IMPACT Pro enables users to conduct real-world assessments across a broad spectrum of risk areas, including network systems, endpoint systems, end users, web applications, wireless networks – and now, network devices.
The latest round of new features allows customers to:
- Detect and exploit network router and switch vulnerabilities
- Import web vulnerability scan results and validate them for exploitability
- Exploit Persistent (or Stored) Cross-Site Scripting (XSS) vulnerabilities
- Exploit Cross-Site Scripting (XSS) vulnerabilities in Adobe Flash® applications
- Reveal additional top web application vulnerabilities as defined by OWASP
- Replicate wireless Man-in-the-Middle (MiTM) attacks
- Leverage expanded client-side phishing capabilities
With IMPACT Pro 11, organizations can assess their exposure to attacks carried out against network devices. For instance, given control of a router's configuration, an attacker could gain access to other networks that otherwise would not be detectable. An attacker with command of a switch could quietly steal and manipulate data, as well as inject their own malicious data into switch traffic.
IMPACT Pro v11 adds the following testing capabilities:
- Information gathering and fingerprinting: As part of Network Information Gathering, IMPACT Pro will scan a range of IP addresses and return a list of discovered network devices as well as any identifying attributes (e.g., manufacturer, device/model, OS).
- Detection and exploitation of configuration vulnerabilities: To verify that access to a network device has been achieved, IMPACT Pro offers testers several non-aggressive techniques, including configuration retrieval, device renaming, password cracking, access list piercing, and interface monitoring.
In addition to empowering users with its existing Reflective XSS attack capabilities, IMPACT Pro 11 enables them to exploit Persistent (or Stored) XSS vulnerabilities.
Persistent XSS is an insidious form of attack because it plants malicious code in the vulnerable web application, where it subsequently runs against the browsers of end users who load the application. For instance, an attacker could target a vulnerable blog by adding a comment containing an exploit script. As end users view the blog in their browsers, the script would run against their systems. Since Persistent XSS doesn't require phishing to target end users, it can affect a larger population in a much more subversive way.
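The blog-comment scenario above, seen from the defender's side: an added example (not code from Core Security or IMPACT Pro) that stores comments once and renders them for every visitor, first by raw concatenation and then with output encoding. All function names and the sample comments are hypothetical and constructed for illustration.

```javascript
// Constructed sample: a tiny in-memory "blog" whose comments are stored once
// and then rendered into the page for every later visitor.
const comments = [];

function addComment(author, body) {
  comments.push({ author, body }); // stored verbatim, as a database row would be
}

// Vulnerable render: stored text is concatenated into the page as markup.
function renderUnsafe(list) {
  return list.map(c => `<li><b>${c.author}</b>: ${c.body}</li>`).join("\n");
}

// HTML-encode the five characters that can change the parsing context.
function escapeHtml(text) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(text).replace(/[&<>"']/g, ch => map[ch]);
}

// Hardened render: every stored field is encoded at output time.
function renderEscaped(list) {
  return list
    .map(c => `<li><b>${escapeHtml(c.author)}</b>: ${escapeHtml(c.body)}</li>`)
    .join("\n");
}

// Coarse regression check: does the rendered page contain a live <script> element?
function hasLiveScriptTag(html) {
  return /<script\b/i.test(html);
}

addComment("alice", "Nice post!");
addComment("mallory", "<script>alert('stored')</script>"); // constructed harmless marker

// Render the same stored data both ways and report what a visitor's browser would parse.
function demo() {
  return {
    unsafe: hasLiveScriptTag(renderUnsafe(comments)),
    escaped: hasLiveScriptTag(renderEscaped(comments)),
  };
}

console.log(demo());
```

The stored data is identical in both cases; only the render path differs, which is why encoding at output time protects every page that displays the comment.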