p0dalirius
commented
2 years ago The root cause of this lies in a few hardcoded URLs in the functions:
I'm fixing it and publishing next release 2.3.2
Closed s3curityb3ast closed 2 years ago
p0dalirius
commented
2 years ago The root cause of this lies in a few hardcoded URLs in the functions:
I'm fixing it and publishing next release 2.3.2
p0dalirius
commented
2 years ago Hey @s3curityb3ast
ApacheTomcatScanner release 2.3.2 now supports both HTTP and HTTPs by default. But you can still choose to use only one of them with these options:
--only-http Scan only with HTTP scheme. (default: False, scanning with both HTTP and HTTPs)
--only-https Scan only with HTTPs scheme. (default: False, scanning with both HTTP and HTTPs)I've also added an option to support self signed certificates
--no-check-certificate Do not check certificate. (default: False)Best regards,
s3curityb3ast
commented
2 years ago HI Brother,
Thanks a lot for quick response
apachetomcatscanner -v -C -tt xxx.xxx.xxx.xxx -tp 443 --no-check-certificate --only-https
Apache Tomcat Scanner v2.3.2 - by @podalirius_
[debug] Loading targets from --target options
[+] Targeting 1 ports on 1 targets
[+] Searching for Apache Tomcats servers on specified targets ...
[>] [Apache Tomcat/8.5.13] on xxx.xxx.xxx.xxx:443 (manager:not accessible)
[+] All donebut still confuse, I am not getting any vuln/CVE's status. is this suppose to be like this or tomcat 8.5.13 dont have any vulns sorry getting lazy to check in CVE Details..
HI p0dalirius,
Once again I am here to bother you, I am trying to assess the tomcat which is https://xxx.xxx.xx.xx/ when I scan it says the below.
while if you see in the backend
To dig more into it i started the burp proxy and it gives me the reason why tool failed to detect.
Burp shows me that the request is starting with http & not https hence its failing.
Is there anything which i am missing here or its going to be a new improvement? ;)
$3curityb3ast