With the release of CORE Impact v2014 R1, Core Security has made major enhancements to:
- Web Services component of mobile and web based applications
- Support for the most current OWASP Top Ten vulnerabilities as defined by the OWASP working group
- An update to Impact Pro’s “SCADA Pack” that includes over 60+ specific SCADA exploits
- Support for the new CVE syntax standard as defined by the CVE Editorial Board
- Support for Microsoft Windows 8.1 as a supported platform for Impact Pro and as a exploit target
- Enhancements to the deployable Impact Pro agent on the Linux Platform
Testing of Web Services Used by Mobile applications
A Web Service is a method of communications between servers and applications across the enterprise and the World Wide Web. In the previous release, Impact Pro introduced support for the testing and exploitation of “Web Service” primarily driven by browser based applications.
As the use of mobile devices (iOS and Android) increases throughout the enterprise, Impact Pro has added support for the interactive crawling of a mobile application Web Services backend. This is done by configuring your mobile device to use CORE Impact as a proxy and then by simply using your mobile application. As you use the mobile application, CORE Impact will harvest the requests being made on the server and use these requests as a baseline to the target specific backend web services.
Support for the Most Current OWASP Top Ten
The Open Web Application Security Project (OWASP) is an open community dedicated to enabling organizations to develop, purchase, and maintain applications that can be trusted. Core Security wholly supports these efforts and has updated Impact Pro to reflect the most current of OWASP Top 10 application vulnerability categories. The following table summarizes the changes from 2010 to 2013.
Support for the New CVE Identifier Syntax
Due to the ever increasing volume of public vulnerability reports, the CVE Editorial Board and MITRE determined that the Common Vulnerabilities and Exposures (CVE®) project should change the syntax of its standard vulnerability identifiers so that CVE can track more than 10,000 vulnerabilities in a single year. The old CVE Identifier (CVE-ID) syntax used since the inception of CVE in 1999, CVE-YYYY-NNNN, only supported a maximum of 9,999 unique identifiers per year, requiring the change. The new CVE-ID syntax was determined in a vote by the CVE Editorial Board, details of which are available in the CVE Editorial Board Discussion List Archives.
This new identifier format allows Impact Pro to import data from other products (predominantly scanners) in order to perform more detailed penetration testing. In addition, all reporting and CVE references in the product have been updated.
Enhancements to SCADA Exploit Pack 1.5
Securing critical infrastructure such as power plants, water supply and reprocessing systems, manufacturing facilities, to name just a few, is of paramount importance because they control vital elements of what we depend on every day.
This recent update brings a host of new exploits for SCADA technologies including:
- Mitsubishi Electric Automation
- Moore Industries
- UCanCode ActiveX Controls
For more details on SCADA solutions go to: http://www.coresecurity.com/scada-security-testing-core-security.
Support for Microsoft Windows 8.1 (32bit & 64bit) Platform
In addition to all the other certified platforms Impact Pro currently supports, Microsoft Window 8.1 has been added to the list:
Windows 8.1 (32-bit or 64-bit)
Windows 7 Ent. SP1 (32-bit or 64-bit)
Windows Vista Enterprise SP2
Windows 8 (32-bit or 64-bit)
Windows Vista Ultimate SP2
Windows Server 2003 R2 SP2
Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Vista Business SP2
Windows Server 2003 SP2
Windows Server 2012