Never Trust Your Victim: Weaponizing Vulnerabilities in Security Scanners
This exposes a critical security flaw for penetration testers and attackers, challenging common assumptions in cybersecurity.
The paper demonstrates that security scanners are vulnerable to counter-attacks, falsifying the belief that scanning is risk-free, by testing 78 systems and finding 36 vulnerable to XSS, including a severe vulnerability in Metasploit Pro.
The first step of every attack is reconnaissance, i.e., to acquire information about the target. A common belief is that there is almost no risk in scanning a target from a remote location. In this paper we falsify this belief by showing that scanners are exposed to the same risks as their targets. Our methodology is based on a novel attacker model where the scan author becomes the victim of a counter-strike. We developed a working prototype, called RevOK, and we applied it to 78 scanning systems. Out of them, 36 were found vulnerable to XSS. Remarkably, RevOK also found a severe vulnerability in Metasploit Pro, a mainstream penetration testing tool.