Home Platform updates OWASP & CWE vuln classifcation added, wordlist limit increased, and more updates

OWASP & CWE vuln classifcation added, wordlist limit increased, and more updates

by Ioana Rijnetu

Reading time

3 minutes

Reading Time: 3 minutes

This month we rolled out 5 platform improvements that streamline your pentests so you can do more of the work you most enjoy:

1. Website Scanner findings – OWASP 2013/2017 & CWE vuln info added

2. Wordlists limit increased: add more lists with 5X more words each

3. NEW: the Password Auditor now supports NTLM authentication

4. Filter URL Fuzzer results based on customer matches

5. Custom request timing options with the URL Fuzzer

Let’s unpack them!

1. Website Scanner findings include OWASP 2013/2017 & CWE vuln info

The findings’ descriptions you get from our Website Scanner now include the class of OWASP Top 10 of 2013 and 2017 they’re part of and their assigned CWE number.

To see this info, go to Findings and select the ones you need to see more details. You can also visualize it from Scans, where you check the scan results of your target. Just click on the Details to see Classification.  

Remember you can automatically pull these details in your reports when you choose which Findings to include in them.

Scan results classification details

2. Wordlist limit now increased up to 50.000 words

Good news! We increased wordlist limits from 10.000 words to 50.000 words. You can now add even more words (usernames, passwords, config files, etc.) to test against your targets from your Pentest-Tools.com account. 

For each wordlist you create, you can include up to 50.000 words, where each word has a maximum length of 200 characters.

Use default wordlists we provide or add your own for faster, smoother pentests.

Create your wordlist

3. The Password Auditor now supports NTLM authentication

We also improved the Password Auditor by adding support for the NTLM (New Technology LAN Manager) authentication protocol.

Authentication through NTLM uses a challenge-response protocol and, as a form of Single Sign-On (SSO), does not require users to send unprotected passwords over the network.

4. Filter URL Fuzzer results based on custom matches

Another improvement we made is the option to automatically filter URL Fuzzer results based on the conditions you choose.

Depending on your engagement, you can now:

  • ignore or match certain HTTP codes
  • ignore or match if the HTML contains a string
  • ignore or match certain conditions for Response Size.

5. The URL Fuzzer now includes custom request timing options

We’ve also added a custom request option to the URL Fuzzer, which allows you to define specific timing for your HTTP requests.

When you go to URL Fuzzer, add your URL target, and select Timing, you can define the number of parallel requests the tool will run for you.

You can also set a maximum of 10 retries per request.

Here’s a snapshot of the new option:

Log in to use the updates

Related Posts

new detection module

Detect Microsoft Exchange RCE #proxynotfound with our Network Vulnerability Scanner

pentest-tools.com april updates

New modules, methods & payload – April updates

0 comments

Comments

Subscribe to our Platform Updates

Please select how you would like to hear from Pentest-Tools.com:

Unsubscribe any time by clicking the link in the footer of our emails.
For information about our privacy practices, please visit https://pentest-tools.com/.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing.
Learn more about Mailchimp's privacy practices here.

View previous campaigns.