The Website Scanner now takes the screenshot of the target website. You can find it in the output of “Server software and technologies” test.
A Scan Group is automatically generated when starting/scheduling multiple scans at once and allows for easier management of those related scans.
The screenshots of target websites generated by Website Recon are automatically embedded into the Attack Surface view.
We have added a new authentication method to the Website Scanner which allows you to record and replay the login steps so you can perform authenticated scans easier.
The Password Auditor now supports custom wordlists for usernames and passwords.
When adding/importing new targets, now you can automatically exclude the ones which are not alive. Very useful when adding IP ranges.
Now you can create your own custom wordlists and use them with URL Fuzzer (and soon with other tools also).
The individual scanners for GhostCat and SMBGhost have been deprecated as they have been included into the full OpenVAS scanner.
Authentication options can now be configured from the Targets page for the Website Scanner.
The scheduled scans are now being displayed by workspace. This can be configured from View Settings.
Now you can configure scan notifications directly from the Targets page, when you choose ‘Scan with Tool’. These allow you to receive emails when certain events occur.
The custom description of your targets is now automatically included in your scan reports.
When you mark a vulnerability as False Positive for a target, it will be automatically marked as False Positive for every future scan result for this target.
The Pentest Report (docx format) now has an appendix section containing the list of tools used during the test. Furthermore, we have added Low risk findings to the executive summary when no High/Medium issues are found.
When generating reports from tool results (individual scans), now you have more options to specify what to exclude from the reports: Ignored or Fixed findings, tool configuration details.
Now the VPN Agent can be downloaded also in VirtualBox format (besides VmWare and Hyper-V).
We have added new API methods for target management: add_target, update_target_description, start_scan_by_targetid. Furthermore, we have updated the get_scans method to return more granular results based on workspace_id and target_id.
We have added a new tool to detect the critical Remote Code Execution vulnerability in BIG-IP devices (CVE-2020-5902).
Multiple scan results can now be aggregated and exported into a single report. You can select which scan results to include in the report, both Vulnerability and Discovery scans.
Now you can configure email notifications when your scan matches certain conditions (is Finished, found High Risk, discovered some open port, etc). These notification filters also apply to Scheduled scans.
We have added the option to automatically group similar findings (obtained by multiple scans against the same target) in order to have a cleaner Findings view and to be easier to manage.
Now you can increase the security of your account with Two-Factor Authentication (2FA). Use your mobile device with any authenticator app to login with the second factor.
Besides VmWare, now you can also download the VPN Agent in Hyper-V format, for using it with the Microsoft virtualization solution.
Each finding/vulnerability produced by a scanner now has a unique identifier (ID). This can be used to easily compare scan results programmatically (exported as JSON or via API). These identifiers (vuln_id) look like WEBSCAN-00-0000012 or NETSCAN-01-0002349.
We have fixed a bug in the finding “Vulnerabilities found for server-side software” in order to set the CVSS score as the maximum of all vulnerabilities mentioned in the table (instead of ‘-1’). Furthermore, the CVE field is now populated with a comma-separated list of all CVEs from this finding (instead of ‘None’).
Now you can import targets from a file together with their descriptions. The target name and description must be comma separated, like: “www.example.com, Production web server”
We have added a new method to connect to the internal network in order to make internal scanning much easier. You just need to download the VPN Agent virtual machine and run it inside the internal network. It initiates a VPN tunnel automatically from our scanning servers to your network.
Paying users can upgrade or downgrade their current plan directly from Pentest-Tools.com (without interacting with FastSpring). Just pick the new plan and it will be modified instantly.
We have launched a dedicated support section on our website with multiple articles, product guides and answers to common questions.
We have added the Getting started page, which is an introduction to the platform to help customers get familiar with the platform.
Users have a new filtering method to display only the relevant findings in the Findings page. They now have the option to exclude False Positives, Informational or Ignored findings, such that the Findings view is cleaner and easier to manage.
This is a bug fix that now allows custom logos to appear in the header of a Docx report generated from the Findings page.
We have added advanced filters for the Attack Surface functionality in order to easily search for interesting ports, services or technologies.
Now you can download your invoices directly from the MyAccount page, without accessing the FastSpring payment provider.
The attack surface view aggregates hosts, ports, services and technologies from all the targets in the current workspace in order to show a summary view of the possible attack entry points.
We have rewritten the authentication module that performs automatic login with username and password. We have added support for Single Page Applications and improved the authentication logic.
We have added a WYSIWYG editor to add rich-text elements when creating a Manual Finding, such as images, tables, hyperlinks, code, bold, italic, underline, etc. All these elements are being properly translated to the .docx format, when you want to generate an editable pentest report.
Users can edit all the details of a finding produced by a tool/scanner by cloning it into a new manual finding. This new finding can be manually adjusted as needed (change name, description, risk level, etc).
Users can export scan results of any tool in JSON format. This allows easier data parsing and integration with external tools.
We are offering limited free penetration testing services for organizations fighting the COVID-19 outbreak to better secure their websites.
Users can generate Jira issues directly from our Findings page and automatically send them as tickets to prioritize important tasks.
We have added a new tool for detecting vulnerabilities in SSL/TLS servers, which deprecates the existing tools (Heartbleed, ROBOT, POODLE, DROWN scanners). Those deprecated tools have been disabled.
We added a new, dedicated scanner to detect the SMBGhost RCE vulnerability (CVE-2020-0796) in Windows 10, SMBv3.
We have added a new scanner to detect the Ghostcat vulnerability (CVE-2020-1938) that affects Apache Tomcat servers.
Now the TCP Port Scan and UDP Port Scan tools can be accessed programmatically through the API.
We have added a new API call – get_workspaces – which returns the list of workspaces of the current user. Furthermore, the start_scan function can be configured to start a scan in a specified workspace.
We have added a new, dedicated scanner on Pentest-Tools.com to detect the Citrix RCE vulnerability CVE-2019-19781.
Users can now delete multiple scheduled scans at the same time. The new improvement simplifies the workflow for those who use the Scheduler feature.