Platform updates

OWASP & CWE vuln classifcation added, wordlist limit increased, and more updates

Updated at

This month we rolled out 5 platform improvements that streamline your pentests so you can do more of the work you most enjoy:

1. Website Scanner findings – OWASP 2013/2017 & CWE vuln info added

2. Wordlists limit increased: add more lists with 5X more words each

3. NEW: the Password Auditor now supports NTLM authentication

4. Filter URL Fuzzer results based on customer matches

5. Custom request timing options with the URL Fuzzer

Let’s unpack them!

1. Website Scanner findings include OWASP 2013/2017 & CWE vuln info

The findings’ descriptions you get from our Website Scanner now include the class of OWASP Top 10 of 2013 and 2017 they’re part of and their assigned CWE number.

To see this info, go to Findings and select the ones you need to see more details. You can also visualize it from Scans, where you check the scan results of your target. Just click on the Details to see the Classification.  

Remember you can automatically pull these details in your reports when you choose which Findings to include in them.

vulnerability CWE details

Scan results classification details

2. Wordlist limit now increased up to 50.000 words

Good news! We increased wordlist limits from 10.000 words to 50.000 words. You can now add even more words (usernames, passwords, config files, etc.) to test against your targets from your account. 

For each wordlist you create, you can include up to 50.000 words, where each word has a maximum length of 200 characters.

Use default wordlists we provide or add your own for faster, smoother pentests.

Create your wordlist

3. The Password Auditor now supports NTLM authentication

We also improved the Password Auditor by adding support for the NTLM (New Technology LAN Manager) authentication protocol.

Authentication through NTLM uses a challenge-response protocol and, as a form of Single Sign-On (SSO), does not require users to send unprotected passwords over the network.

4. Filter URL Fuzzer results based on custom matches

Another improvement we made is the option to automatically filter URL Fuzzer results based on the conditions you choose.

Depending on your engagement, you can now:

  • ignore or match certain HTTP codes

  • ignore or match if the HTML contains a string

  • ignore or match certain conditions for Response Size.

URL Fuzzer filter results

5. The URL Fuzzer now includes custom request timing options

We’ve also added a custom request option to the URL Fuzzer, which allows you to define specific timing for your HTTP requests.

When you go to URL Fuzzer, add your URL target, and select Timing, you can define the number of parallel requests the tool will run for you.

You can also set a maximum of 10 retries per request.

Here’s a snapshot of the new option:

URL Fuzzer - request options

Log in to use the updates

Get fresh security research

In your inbox. (No fluff. Actionable stuff only.)

I can see your vulns image

Related articles

Discover our ethical hacking toolkit and all the free tools you can use!

Create free account


© 2013-2024 has a LinkedIn account it's very active on

Join over 45,000 security specialists to discuss career challenges, get pentesting guides and tips, and learn from your peers. Follow us on LinkedIn! has a YouTube account where you can find tutorials and useful videos

Expert pentesters share their best tips on our Youtube channel. Subscribe to get practical penetration testing tutorials and demos to build your own PoCs!

G2 award badge recognized as a Leader in G2’s Spring 2023 Grid® Report for Penetration Testing Software. Discover why security and IT pros worldwide use the platform to streamline their penetration and security testing workflow.

OWASP logo is a Corporate Member of OWASP (The Open Web Application Security Project). We share their mission to use, strengthen, and advocate for secure coding standards into every piece of software we develop.