Skip to main content

Documentation Index

Fetch the complete documentation index at: https://mintlify.com/GhostTroops/scan4all/llms.txt

Use this file to discover all available pages before exploring further.

Overview

scan4all supports custom POC development through two primary methods:

Go POCs

Native Go code for complex detection logic and maximum performance

YAML POCs

Declarative YAML templates for simpler web vulnerability detection

Creating Go POCs

Step 1: Add Fingerprint

First, ensure the target technology has a fingerprint in pkg/fingerprint/localFingerData.go: 
// Check if fingerprint exists
var FingerPrintData = map[string]string{
    "Apache Tomcat": "...",
    "Your-Technology": "detection-pattern",
}
If the fingerprint doesn’t exist, add it: 
"YourApp": `(?i)(YourApp|X-Powered-By: YourApp)`,

Step 2: Create POC File

Create a new directory and Go file in pocs_go/: 
mkdir -p pocs_go/yourapp
touch pocs_go/yourapp/CVE_2024_12345.go

Step 3: Write POC Function

package yourapp

import (
    "github.com/GhostTroops/scan4all/lib/util"
    "strings"
)

func CVE_2024_12345(url string) bool {
    // Build exploit URL
    exploitPath := "/api/vulnerable?param=test"
    targetURL := url + exploitPath
    
    // Send HTTP request
    req, err := util.HttpRequset(targetURL, "GET", "", false, nil)
    if err != nil {
        return false
    }
    
    // Check for vulnerability indicators
    if req.StatusCode == 200 && strings.Contains(req.Body, "vulnerable") {
        // Log the finding
        util.SendLog(targetURL, "CVE-2024-12345", "Vulnerability detected", "")
        return true
    }
    
    return false
}

Step 4: Register POC

Add detection logic to pocs_go/go_poc_check.go: 
func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, checklog4j bool) []string {
    var technologies []string
    
    for tech := range wappalyzertechnologies {
        caseStr := strings.ToLower(wappalyzertechnologies[tech])
        
        switch caseStr {
        // ... existing cases ...
        
        case "yourapp":  // Match fingerprint name (case-insensitive)
            if yourapp.CVE_2024_12345(URL) {
                technologies = append(technologies, "exp-YourApp|CVE-2024-12345")
            }
            if yourapp.CVE_2024_54321(URL) {
                technologies = append(technologies, "exp-YourApp|CVE-2024-54321")
            }
        }
    }
    
    return technologies
}

Step 5: Import Package

Add import at the top of go_poc_check.go: 
import (
    // ... existing imports ...
    "github.com/GhostTroops/scan4all/pocs_go/yourapp"
)

Creating YAML POCs

Step 1: Verify Fingerprint

Ensure fingerprint exists in pkg/fingerprint/localFingerData.go.

Step 2: Create YAML File

Create a YAML file in pocs_yml/ymlFiles/ following the naming convention: Naming: {fingerprint}-{cve/vulnerability-id}-{description}.yml Example: yourapp-cve-2024-12345-rce.yml

Step 3: Write YAML POC

name: poc-yaml-yourapp-cve-2024-12345
manual: true
transport: http
set:
  rand: randomLowercase(8)
rules:
    v1:
        request:
            cache: true
            method: GET
            path: /api/check?param={{rand}}
            headers:
                User-Agent: "Mozilla/5.0"
        expression: |
            response.status == 200 && 
            response.body.bcontains(b"vulnerable")

YAML POC Components

name: poc-yaml-{target}-{vuln}
manual: true               # Requires manual verification
transport: http            # http, tcp, udp
set:                       # Variables
  var1: randomInt(1000, 9999)
  var2: randomLowercase(8)
  var3: "static value"

request:
    cache: true              # Cache HTTP response
    method: GET              # GET, POST, PUT, DELETE, etc.
    path: /api/endpoint      # URL path
    headers:                 # Custom headers
        Content-Type: application/json
        X-Custom: value
    body: |                  # Request body
        {"key": "value"}
    follow_redirects: false  # Follow redirects
Response Checks:
response.status == 200
response.status >= 200 && response.status < 300
response.body.bcontains(b"text")
response.body.contains("string")
response.body.matches("regex")
response.headers["server"].contains("Apache")
response.latency > 5000
String Functions:
string.contains(str, "sub")
string.startsWith(str, "prefix")
string.endsWith(str, "suffix")
Encoding:
base64.encode("text")
base64.decode("dGV4dA==")
url.encode("text")
md5("text")
sha256("text")
Random Generation:
randomInt(min, max)
randomLowercase(length)
randomUppercase(length)
randomString(length)
For SSRF/RCE detection with DNS callbacks:
set:
  reverse: newReverse()
  randStr: randomLowercase(8)

rules:
    v1:
        request:
            path: /fetch?url=http://{{reverse.domain}}/{{randStr}}
        expression: |
            reverse.wait(5)  # Wait for callback
Requires configuration:
export ceyeapi="your-api-key"
export ceyedomain="your.ceye.io"

Utility Functions

HTTP Request Helpers

req, err := util.HttpRequset(url, "GET", "", false, nil)

Response Handling

if req, err := util.HttpRequset(url, "GET", "", false, nil); err == nil {
    // Check status code
    if req.StatusCode == 200 {
        // Check body content
        if util.StrContains(req.Body, "pattern") {
            // Vulnerability confirmed
        }
    }
    
    // Access headers
    serverHeader := req.Header.Get("Server")
    
    // Access final URL (after redirects)
    finalURL := req.RequestUrl
}

Logging Functions

// Send vulnerability finding
util.SendLog(url, "CVE-XXXX-XXXXX", "Description", "Additional info")

// Log POC execution
util.POClog(fmt.Sprintf("Testing %s with payload %s", url, payload))

// Standard logging
log.Println("Debug information")

Testing POCs

Local Testing

1

Build Project

go build
2

Test Against Target

./scan4all -host http://vulnerable-target.com
3

Enable Verbose Output

./scan4all -v -host http://vulnerable-target.com
4

Check Results

Look for your POC output in the results

Unit Testing

Create test file yourapp/CVE_2024_12345_test.go: 
package yourapp

import (
    "testing"
)

func TestCVE_2024_12345(t *testing.T) {
    // Test against known vulnerable instance
    vulnerableURL := "http://vulnerable-test-instance.local"
    
    if !CVE_2024_12345(vulnerableURL) {
        t.Errorf("Failed to detect vulnerability on known vulnerable instance")
    }
    
    // Test against patched instance
    patchedURL := "http://patched-test-instance.local"
    
    if CVE_2024_12345(patchedURL) {
        t.Errorf("False positive on patched instance")
    }
}
Run tests: 
go test ./pocs_go/yourapp/

Best Practices

Precise Detection

Use specific vulnerability indicators to minimize false positives

Error Handling

Always handle network errors and edge cases gracefully

Performance

Keep POCs fast - they execute on every matching target

Documentation

Document POC purpose, affected versions, and references

Security Considerations

  • Never include actual exploits that could cause damage
  • Detection only - POCs should detect, not exploit
  • Minimize impact - Use non-destructive payloads
  • Respect rate limits - Don’t overwhelm targets

Code Quality

// Good
func CVE_2024_12345_RCE(url string) bool

// Bad
func check(u string) bool

// Validate input
if url == "" {
    return false
}

// Parse URL
if u, err := url.Parse(url); err != nil || u.Host == "" {
    return false
}

// Check response
if req == nil || req.Body == "" {
    return false
}

// CVE_2024_12345 detects authentication bypass in YourApp <= 1.2.3
// Vulnerability allows unauthenticated access to admin panel
// Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12345
func CVE_2024_12345(url string) bool {
    // Build exploit URL with bypass parameter
    exploitPath := "/admin?bypass=true"
    
    // Send request
    req, err := util.HttpRequset(url+exploitPath, "GET", "", false, nil)
    if err != nil {
        return false
    }
    
    // Check for admin panel indicators
    return req.StatusCode == 200 && 
           util.StrContains(req.Body, "Admin Dashboard")
}

Examples from Codebase

Simple Detection

// From pocs_go/tomcat/CVE_2017_12615.go
func CVE_2017_12615(szUrl string) bool {
    if req, err := util.HttpRequset(szUrl+"/vtset.txt", "PUT", "test", false, nil); err == nil {
        if req.StatusCode == 204 || req.StatusCode == 201 {
            util.SendLog(szUrl, "CVE-2017-12615", "Found vuln Tomcat", "")
            return true
        }
    }
    return false
}

Complex Detection

// From pocs_go/Springboot/CVE-2022-22965.go
func CVE_2022_22965(u string) bool {
    if oU, err := url.Parse(u); nil == err && oU.Host != "" {
        szUrl := oU.Scheme + "://" + oU.Host
        
        // Test for vulnerability pattern
        if req, err := util.HttpRequset(
            szUrl+"?class.module.classLoader%5b1%5d=1", 
            "GET", "", false, nil); err == nil {
            
            if req.StatusCode == 500 {
                // Confirm with second request
                if req2, err := util.HttpRequset(
                    szUrl+"?class.module.classLoader=1", 
                    "GET", "", false, nil); err == nil {
                    
                    if req2.StatusCode == 200 {
                        util.SendLog(szUrl, "CVE-2022-22965", 
                            "Spring4Shell detected", "")
                        return true
                    }
                }
            }
        }
    }
    return false
}

Troubleshooting

Possible causes:
  • Fingerprint not detected
  • Case mismatch in switch statement
  • POC not registered in go_poc_check.go
  • Package not imported
Solutions:
# Check fingerprint detection
./scan4all -v -host target.com | grep -i "fingerprint"

# Verify POC registration
grep -i "yourapp" pocs_go/go_poc_check.go
Solutions:
  • Add more specific detection criteria
  • Verify multiple indicators
  • Test against patched versions
  • Check for edge cases
Common issues:
# Import cycle
# Solution: Reorganize package structure

# Undefined function
# Solution: Import required packages

# Syntax error
# Solution: Run go fmt and fix syntax

Go POCs

Explore existing Go POC implementations

Xray POCs

Learn about YAML POC structure

Fingerprinting

Understand fingerprint detection system

Development

Learn about scan4all architecture