Connect with us

Hi, what are you looking for?


Application Security

Core Security Upgrades Penetration Testing Solution

Core Security Technologies, a Boston based provider of IT security testing and measurement solutions, today introduced the latest version of its automated penetration testing solution, CORE IMPACT Pro version 11.

Core Security Technologies, a Boston based provider of IT security testing and measurement solutions, today introduced the latest version of its automated penetration testing solution, CORE IMPACT Pro version 11.

CORE IMPACT Pro helps assess the security of web applications, network systems, endpoint systems, email users and wireless networks, allowing users to replicate cyber attacks and reveal critical exposures.CORE Security Penetration Testing Tools

With the latest release the company added several new features, allowing customers to:

• Import web vulnerability scan results and validate them for exploitability

• Detect and exploit network router and switch vulnerabilities

• Exploit Persistent (or Stored) Cross-Site Scripting (XSS) vulnerabilities

• Exploit Cross-Site Scripting (XSS) vulnerabilities in Adobe Flash applications

• Reveal additional top web application vulnerabilities as defined by OWASP

Advertisement. Scroll to continue reading.

• Replicate wireless Man-in-the-Middle (MiTM) attacks

• Leverage expanded client-side phishing capabilities

With IMPACT Pro v11 penetration testing software, organizations can now assess their exposure to attacks carried out against network devices. To help security teams extend their testing capabilities and learn whether their network devices are vulnerable to attacks, CORE IMPACT Pro v11 adds the following testing capabilities:

• Information gathering and fingerprinting: As a part of Network Information Gathering, IMPACT Pro will scan a range of IP addresses and return a list of discovered network devices as well as any identifying attributes (e.g., manufacturer, device/model, OS).

• Detection and exploitation of configuration vulnerabilities: In order to verify that access to a network device has been achieved, IMPACT Pro offers testers several non-aggressive techniques to verify access, including configuration retrieval, device renaming, password cracking, access list piercing, and interface monitoring.

“Network security devices can be areas of vulnerability exposure if not properly configured, managed and patched,” said Diana Kelley, principal analyst at SecurityCurve. “That’s why a robust penetration testing plan includes these assets. Organizations need to understand if network device vulnerabilities exist and if these vulnerabilities can lead to data theft or other forms of compromise.”

Additionally, the latest release of CORE IMPACT Pro adds integration with web application scanning tools such as IBM Rational AppScan and HP WebInspect. By feeding the results of their web application scans directly into IMPACT Pro, customers are now able to:

• Prove the exploitability of web application vulnerabilities, eliminating false positives, to both prioritize and inform remediation efforts to minimize the time and money spent on re-coding efforts.

• Leverage CORE IMPACT’s privilege escalation and pivoting capabilities to gain administrative access on web servers and leverage them as beachheads for additional attacks against backend network systems – just as an attacker would.

• Use scan results to identify pages (URLs) to penetration test, in addition to utilizing CORE IMPACT’s own page identification capabilities.

Testing for Persistent Cross-Site Scripting Vulnerabilities in Web Applications

In addition to empowering users with its existing Reflective XSS attack capabilities, IMPACT Pro v11 enables them to exploit Persistent (or Stored) XSS vulnerabilities. Persistent XSS is an insidious form of attack because it implants the vulnerable web application with malicious code, which subsequently runs against end user browsers that load the application. For instance, an attacker could target a vulnerable blog by adding a comment containing exploit script. As end users view the blog in their browsers, the script would run against their systems. Since Persistent XSS doesn’t require phishing to target end users, it can affect a larger population in a much more subversive way.

Testing for Cross-Site Scripting Vulnerabilities in Adobe Flash Objects

Cross-Site Scripting (XSS) detection and exploitation for Adobe Flash objects is new for IMPACT Pro and extends the capabilities of the web application test vector by targeting dynamic Flash content in addition to static HTML applications.

Other improvements to the product’s web applications capabilities include enhanced web page crawling (i.e., to identify potential targets); additional web application firewall (WAF) evasion; and scheduling of web application tests – as well as new testing capabilities that provide additional coverage for the following OWASP top web applications risks:

• A3: Broken Authentication and Session Management

• A6: Security Misconfiguration

• A8: Failure to Restrict URL Access

With v11, CORE IMPACT Pro now provides penetration testing capabilities that address seven of the OWASP top 10 web applications risks (A1, A2, A3, A4, A6, A8 and A9).

New wireless MiTM testing capabilities in CORE IMPACT Pro v11 allow organizations to test their resiliency in several ways, notably by empowering testers to establish an imposter wireless access point and then launch tests against any systems that subsequently connect. Once a system connects to the access point, the tester is able to target it with IMPACT penetration tests and take the same steps an attacker would, including:

• Attempting to harvest usernames and passwords from wireless traffic or from endpoint systems connected to the IMPACT access point

• Inserting exploits into traffic sent and received by the connected machines

• Fingerprinting the machine

• Launching OS, services and application exploits

Once the connecting system is exploited, the user can leverage CORE IMPACT’s network testing capabilities to reveal and follow attack paths across other systems on the same network – allowing them to not only demonstrate how easily MiTM attacks compromise unsecured WiFi networks and clients, but also how far an attacker could proceed after the initial compromise.

With social engineering becoming an increasingly central aspect of today’s Advanced Persistent Threats (APTs), more Core Security customers than ever before are availing themselves of the product’s client-side testing capabilities. In IMPACT Pro v11, client-side assessments are even more useful and efficient, with the addition of new social engineering attack automation features, including:

• Information gathering enhancements that enable testers to find emails and other sensitive information in files posted to web sites.

• The ability for users to impersonate legitimate web forms with phishing “traps” to identify potential data leakage issues resulting from email recipients who click through to malicious forms.

More information is available at

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Identity & Access

Zero trust is not a replacement for identity and access management (IAM), but is the extension of IAM principles from people to everyone and...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.