Vulnerability Module

The vulnerability module performs active security testing to identify exploitable weaknesses. This module requires explicit authorization as it performs intrusive testing.


⚠️ Important Warning

LEGAL NOTICE: This module performs active security testing that may:

  • Send malicious payloads to targets

  • Attempt to exploit vulnerabilities

  • Trigger security alerts

  • Potentially cause service disruption

Only use with explicit written authorization.


Why This Order of Tests?

Vulnerability checks run last in reconFTW's pipeline for important reasons:

  1. Dependency Chain: Tests require data from previous phases:

    • URLs from web analysis → XSS, SQLi, LFI testing

    • Parameters from param_discovery → Injection point testing

    • JavaScript analysis → Prototype pollution candidates

  2. Detection Risk: Vuln scanning generates suspicious traffic:

    • SQL injection payloads like ' OR 1=1--

    • XSS payloads with <script> tags

    • SSRF callbacks to external servers

    Running this phase last means all passive/semi-active recon is complete before potential detection.

  3. Resource Intensity: Fuzzing and exploitation testing consume significant resources. Running them on a refined target list (after filtering) is more efficient than testing everything.
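From the defender's side, the traffic signatures listed under Detection Risk are exactly what a WAF rule or log-monitoring job keys on. The following Python is an added example, not reconFTW code: it runs that detection logic over constructed access-log lines (Common Log Format) and reports a source IP once it has produced more than one distinct signature. The callback domain `.oast.example` is an assumed placeholder for the interactsh or Collaborator domains a given environment would actually expect.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not real traffic): one normal request,
# then three requests carrying the payload patterns named in the text.
SAMPLE_LOG = """\
203.0.113.5 - - [01/Jan/2024:10:00:01 +0000] "GET /products?id=12 HTTP/1.1" 200 512
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /products?id=12%27%20OR%201%3D1-- HTTP/1.1" 500 88
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=%3Cscript%3Ealert(1)%3C/script%3E HTTP/1.1" 200 1024
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "GET /fetch?url=http://abc123.oast.example HTTP/1.1" 200 17
"""

# Common Log Format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Each rule is (label, regex) applied to the URL-decoded request path.
# ".oast.example" is an assumed placeholder for the interactsh / Collaborator
# callback domains a given environment would actually expect to see.
RULES = [
    ("sqli_tautology", re.compile(r"'\s*or\s+1\s*=\s*1\s*(--|#)", re.I)),
    ("xss_script_tag", re.compile(r"<\s*script\b", re.I)),
    ("oob_callback_host", re.compile(r"https?://[\w.-]+\.oast\.example\b", re.I)),
]

def classify_line(line):
    """Return (ip, decoded_path, [labels]) for one log line, or None if unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    decoded = unquote(m.group("path"))  # decode once so %27 / %3C are matched
    return m.group("ip"), decoded, [name for name, rx in RULES if rx.search(decoded)]

def flag_scanner_activity(log_text, threshold=2):
    """Collect distinct signatures per source IP; report IPs that reach
    `threshold` different signatures, the mixed-payload pattern a scanning
    phase produces rather than a single stray request."""
    per_ip = {}
    for line in log_text.splitlines():
        parsed = classify_line(line)
        if parsed and parsed[2]:
            per_ip.setdefault(parsed[0], set()).update(parsed[2])
    return {ip: sorted(sigs) for ip, sigs in per_ip.items() if len(sigs) >= threshold}

if __name__ == "__main__":
    for ip, sigs in flag_scanner_activity(SAMPLE_LOG).items():
        print(f"{ip}: {', '.join(sigs)}")
```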


Callback Servers for Blind Vulnerabilities

Some vulnerabilities don't show direct responses. Blind SSRF, out-of-band XXE, and blind command injection require callback detection.

reconFTW supports:

  • interactsh: ProjectDiscovery's callback server (default)

  • Burp Collaborator: If configured

Configure in reconftw.cfg:


Module Overview

Function              Vulnerability Type              Tools
--------------------  ------------------------------  -------------------------------
nuclei_check          CVEs, misconfigs, exposures     nuclei
xss                   Cross-Site Scripting            dalfox
sqli                  SQL Injection                   sqlmap, ghauri
cors                  CORS Misconfiguration           Corsy
open_redirect         Open Redirect                   Oralyzer
ssrf_checks           Server-Side Request Forgery     ffuf, interactsh
crlf_checks           CRLF Injection                  crlfuzz
lfi                   Local File Inclusion            ffuf
ssti                  Server-Side Template Injection  ffuf
command_injection     Command Injection               commix
prototype_pollution   Prototype Pollution             ppmap
smuggling             HTTP Request Smuggling          smuggler
webcache              Web Cache Poisoning             Web-Cache-Vulnerability-Scanner
4xxbypass             403/401 Bypass                  nomore403
fuzzparams            Parameter Fuzzing               nuclei
test_ssl              SSL/TLS Issues                  testssl
spraying              Password Spraying               brutespray
brokenLinks           Broken Link Hijacking           katana


Configuration Options


Nuclei Scanning

nuclei_check - Full Vulnerability Scanning

Nuclei is the primary vulnerability scanner, checking for thousands of known vulnerabilities.

Template Categories:

  • CVEs (known vulnerabilities)

  • Exposures (sensitive files, directories)

  • Misconfigurations

  • Default credentials

  • Takeovers

  • Technologies

How It Works:

Output:

Sample Output:

Configuration:

Excluding Templates:


Injection Vulnerabilities

xss - Cross-Site Scripting

Tests for XSS vulnerabilities using Dalfox.

How It Works:

XSS Types Tested:

  • Reflected XSS

  • DOM-based XSS

  • Blind XSS (with callback server)

Output:

Sample Output:

Configuration:


sqli - SQL Injection

Tests for SQL injection using SQLMap and optionally Ghauri.

How It Works:

SQLi Types:

  • Error-based

  • Union-based

  • Blind (Boolean/Time-based)

  • Stacked queries

Output:

Sample Output:

Configuration:


ssti - Server-Side Template Injection

Tests for template injection vulnerabilities.

How It Works:

Payloads Tested:

Output:

Configuration:


lfi - Local File Inclusion

Tests for LFI/path traversal vulnerabilities.

How It Works:

Payloads Tested:

Output:

Configuration:


command_injection - Command Injection

Tests for OS command injection using Commix.

How It Works:

Injection Techniques:

  • Classic injection (;, |, &)

  • Blind injection (time-based)

  • File-based injection

Output:

Configuration:


Server-Side Vulnerabilities

ssrf_checks - Server-Side Request Forgery

Tests for SSRF vulnerabilities using callback servers.

How It Works:

Requires: a callback server (interactsh or Burp Collaborator), since blind SSRF is only detected when the target reaches out to it.

SSRF Payloads:

Output:

Configuration:


cors - CORS Misconfiguration

Tests for CORS misconfigurations that allow unauthorized cross-origin access.

Issues Detected:

  • Wildcard origin (*)

  • Reflected origin

  • Null origin allowed

  • Credentials with wildcard

How It Works:

Output:

Sample Output:

Configuration:
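The four conditions in the Issues Detected list can be checked directly against a response's headers. The Python below is an added example, not Corsy or reconFTW code: it classifies constructed header sets (the probe Origin `https://probe.example` and the samples are assumptions) and flags which combinations allow authenticated cross-origin reads.

```python
# Constructed response header sets (not captured from any real host), one per
# issue in the Issues Detected list plus one correctly restricted response.
PROBE_ORIGIN = "https://probe.example"  # assumed Origin value sent with the probe

SAMPLES = {
    "safe": {"Access-Control-Allow-Origin": "https://app.example"},
    "wildcard": {"Access-Control-Allow-Origin": "*"},
    "reflected": {"access-control-allow-origin": PROBE_ORIGIN,
                  "access-control-allow-credentials": "true"},
    "null_origin": {"Access-Control-Allow-Origin": "null",
                    "Access-Control-Allow-Credentials": "true"},
    "wildcard_creds": {"Access-Control-Allow-Origin": "*",
                       "Access-Control-Allow-Credentials": "true"},
}

def _header(headers, name):
    """Case-insensitive lookup; header names are case-insensitive on the wire."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return None

def classify_cors(headers, probe_origin=PROBE_ORIGIN):
    """Return (issues, credentialed) for one response.

    issues uses the page's four categories: wildcard, reflected, null_origin,
    wildcard_credentials. credentialed is True when ACAC is "true"; paired with
    reflected or null_origin it lets a third-party page read authenticated
    responses, so fix those first (allow-list origins server-side, never echo
    the request Origin unchecked).
    """
    acao = _header(headers, "Access-Control-Allow-Origin")
    acac = (_header(headers, "Access-Control-Allow-Credentials") or "").lower() == "true"
    issues = []
    if acao == "*":
        issues.append("wildcard")
        if acac:  # browsers reject this pair, but it still signals a broken policy
            issues.append("wildcard_credentials")
    elif acao == "null":
        issues.append("null_origin")
    elif acao is not None and acao == probe_origin:
        issues.append("reflected")
    return issues, acac

if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        issues, cred = classify_cors(hdrs)
        print(f"{name:15} issues={issues or 'none'} credentialed={cred}")
```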


crlf_checks - CRLF Injection

Tests for HTTP header injection via CRLF.

How It Works:

Output:

Configuration:


Advanced Vulnerabilities

prototype_pollution - Prototype Pollution

Tests for JavaScript prototype pollution in client-side code.

How It Works:

Output:

Configuration:


smuggling - HTTP Request Smuggling

Tests for HTTP request smuggling vulnerabilities.

Techniques Tested:

  • CL.TE (Content-Length vs Transfer-Encoding)

  • TE.CL

  • TE.TE

Output:

Configuration:


webcache - Web Cache Poisoning

Tests for web cache poisoning vulnerabilities.

Issues Detected:

  • Cache key manipulation

  • Unkeyed header poisoning

  • Parameter cloaking

Output:

Configuration:


Bypass Techniques

open_redirect - Open Redirect

Tests for open redirect vulnerabilities.

How It Works:

Output:

Sample Output:

Configuration:


4xxbypass - 403/401 Bypass

Attempts to bypass access controls returning 403/401 responses.

Techniques:

  • Header manipulation (X-Forwarded-For, etc.)

  • Path manipulation

  • HTTP method changes

  • Protocol downgrades

How It Works:

Output:

Sample Output:

Configuration:


SSL/TLS Analysis

test_ssl - SSL/TLS Security

Full SSL/TLS security analysis.

Issues Detected:

  • Expired certificates

  • Weak ciphers

  • Protocol vulnerabilities (POODLE, BEAST, etc.)

  • Certificate chain issues

  • HSTS misconfigurations

Output:

Configuration:


Credential Testing

spraying - Password Spraying

Attempts common passwords against discovered services.

Services Tested:

  • SSH

  • FTP

  • HTTP Basic Auth

  • Database ports

  • And more...

How It Works:

Output:

Configuration:

⚠️ Warning: Password spraying can lock out accounts. Use with caution.


Parameter Fuzzing

fuzzparams - Parameter Value Fuzzing

Fuzzes parameter values with nuclei templates.

How It Works:

Output:

Configuration:


brokenLinks - Broken Link Hijacking

Identifies broken links that could be hijacked.

How It Works:

Output:

Configuration:


Enabling Vulnerability Scanning

Vulnerability scanning is disabled by default. To enable:

Method 1: Use -a Flag

Method 2: Enable in Config

Method 3: Selective Enabling


Output Summary

File                      Content
------------------------  ----------------------------
nuclei_output/*.txt       Nuclei findings by severity
vulns/xss.txt             XSS vulnerabilities
vulns/sqli.txt            SQL injection
vulns/cors.txt            CORS misconfigs
vulns/ssrf.txt            SSRF vulnerabilities
vulns/lfi.txt             LFI/path traversal
vulns/ssti.txt            Template injection
vulns/open_redirect.txt   Open redirects
vulns/4xxbypass.txt       Access control bypasses
vulns/testssl.txt         SSL/TLS issues


Best Practices

  1. Authorization First: Always have written permission before scanning

  2. Rate Limiting: Use -q flag to avoid overwhelming targets

  3. Scope Awareness: Use -x to exclude out-of-scope targets

  4. Verification: Manually verify findings before reporting

  5. Responsible Disclosure: Follow responsible disclosure practices

  6. Callback Servers: Set up proper callback infrastructure for blind vulns
