scan4all provides extensive vulnerability detection with over 15,000 POCs (proofs of concept) drawn from multiple sources: nuclei templates, vscan POCs, and custom scan4all POCs. The detection engine runs automatically after service discovery and fingerprinting.

POC Coverage

scan4all integrates three major POC sources for comprehensive vulnerability coverage:

Nuclei Templates

Embedded nuclei templates provide the largest coverage with 3922 YAML-based POCs.

Top 10 Statistics

By Tag

Tag          Count
cve           1430
panel          655
edb            563
lfi            509
xss            491
wordpress      419
exposure       407
cve2021        352
rce            337
wp-plugin      316

By Severity

Severity   Count
info        1474
high        1009
medium       818
critical     478
low          225
unknown       11

Coverage by Category

Directory         Files   Description
cves               1407   CVE exploits and checks
exposed-panels      662   Admin panel detection
vulnerabilities     509   Known vulnerability checks
technologies        282   Technology-specific checks
exposures           275   Information disclosure
misconfiguration    237   Config errors
token-spray         230   Token/credential checks
workflows           189   Multi-step checks
default-logins      103   Default credentials
file                 76   File-based checks

Total: 281 directories, 3922 files

VScan POCs

Integrated vscan engine includes:
  • 300+ xray 2.0 POCs - Covering web vulnerabilities and framework exploits
  • Custom Go POCs - Native Go implementations for specific vulnerabilities
  • Enhanced matching - Advanced detection logic for complex vulnerabilities

Scan4all Custom POCs

scan4all includes custom Go-based POCs for critical vulnerabilities:
// CVE-2022-22965 - Spring4Shell RCE
// Spring Framework RCE via Data Binding on JDK 9+

// CVE-2022-22947 - Spring Cloud Gateway RCE
// Affects: 3.1.1+ and 3.0.7+
View the complete POC list in the source repository at static/pocs.md

Vulnerability Detection Process

scan4all's vulnerability detection proceeds in five stages:

1. Service Fingerprinting

After port scanning, services are fingerprinted to identify technology stacks, versions, and frameworks.
2. POC Selection

Relevant POCs are selected based on:
  • Detected technologies (Weblogic, Spring, etc.)
  • Service types (HTTP, database, etc.)
  • Fingerprint matches
  • Version information
3. POC Execution

Selected POCs are executed with:
  • Rate limiting to prevent DoS
  • Custom headers and cookies
  • Timeout controls
  • Error handling
4. Result Validation

Responses are validated against POC-specific criteria:
  • Status codes
  • Response body patterns
  • Headers
  • Response timing
5. Reporting

Confirmed vulnerabilities are reported with:
  • CVE/vulnerability ID
  • Severity level
  • Affected URL
  • Payload used
  • Remediation guidance
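As an added illustration of the result-validation stage (not scan4all's own code), the Go function below applies the four criteria listed above with AND semantics. The Response and Criteria types are assumptions; a real run would fill Response from the HTTP client.

```go
package main

import (
	"fmt"
	"net/http"
	"regexp"
	"strings"
	"time"
)

// Response is what one POC execution hands back for validation; Headers is
// the net/http map, whose Get is case-insensitive for keys parsed by net/http.
type Response struct {
	Status  int
	Headers http.Header
	Body    string
	Elapsed time.Duration
}
type Criteria struct {
	Status      []int             // accept any of these status codes
	BodyPattern string            // regexp the body must match
	Headers     map[string]string // header name -> substring that must appear
	MinElapsed  time.Duration     // for time-based blind checks; zero disables
}

// Validate applies every set criterion with AND semantics, so one loose body
// pattern cannot produce a finding by itself; an invalid regexp never matches.
func Validate(r Response, c Criteria) bool {
	okStatus := len(c.Status) == 0
	for _, s := range c.Status {
		okStatus = okStatus || s == r.Status
	}
	if !okStatus {
		return false
	}
	if c.BodyPattern != "" {
		re, err := regexp.Compile(c.BodyPattern)
		if err != nil || !re.MatchString(r.Body) {
			return false
		}
	}
	for name, want := range c.Headers {
		if !strings.Contains(r.Headers.Get(name), want) {
			return false
		}
	}
	return c.MinElapsed == 0 || r.Elapsed >= c.MinElapsed
}
func main() { fmt.Println(Validate(Response{Status: 200}, Criteria{Status: []int{200}})) }
```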

Configuration

Enabling/Disabling POC Checks

# Skip POC detection entirely
scan4all -host example.com -np

Custom Headers and Cookies

POC checks support custom headers for authentication:
# Add authentication cookie
Cookie='PHPSESSID=abc123;token=xyz' scan4all -host example.com

# Cookie works with all POC engines
Cookie='session=12345' scan4all -host example.com -v
Custom cookies are compatible with nuclei, httpx, go-poc, x-ray POC, filefuzz, and HTTP Smuggling detection.

DNSLOG Integration

Many POCs require DNS logging for out-of-band detection:

Ceye.io Configuration

# Configure DNSLOG credentials
scan4all -host example.com \
  -ceyeapi YOUR_API_KEY \
  -ceyedomain YOUR_SUBDOMAIN.ceye.io
Why DNSLOG is important:
  • Detects blind SSRF vulnerabilities
  • Identifies remote code execution through DNS queries
  • Validates deserialization vulnerabilities
  • Confirms XXE (XML External Entity) issues
scan4all includes privacy protection: unlike the original log4j-scan, target information is NOT sent to DNS log servers, so the log server never learns which hosts are vulnerable.

Log4j Scanner Integration

scan4all links with a customized log4j-scan for comprehensive Log4Shell detection:
1. Install log4j-scan

mkdir ~/MyWork/
cd ~/MyWork/
git clone https://github.com/hktalent/log4j-scan
2. Automatic Integration

scan4all automatically detects log4j-scan and uses it when it is available.
3. Enhanced Features

Custom version includes:
  • Privacy protection (no data leakage to DNS servers)
  • Elasticsearch result storage
  • Batch processing support
  • Enhanced payload generation

Nuclei Template Customization

Custom DSL Helpers

scan4all enhances nuclei with custom DSL functions:
# substr - Extract substring
{{substr(input, start, length)}}

# aes_cbc - AES CBC encryption
{{aes_cbc(plaintext, key, iv)}}

# Example template using custom helpers
id: custom-check
info:
  name: Custom Vulnerability Check
  severity: high

# Variables are referenced by name inside one {{ }}; {{substr({{BaseURL}}, ...)}} would not parse.
# AES needs a 16/24/32-byte key and a 16-byte IV; the key and IV below are placeholder values.
requests:
  - raw:
      - |
        GET /api/{{substr(BaseURL, 8, 20)}} HTTP/1.1
        Host: {{Hostname}}
        Token: {{aes_cbc("data", "0123456789abcdef", "fedcba9876543210")}}
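An added example, not scan4all's or nuclei's own helper code, showing how the two DSL functions above can be implemented in Go. Hex output for aes_cbc and clamping of out-of-range arguments in substr are assumptions, since the page does not specify either.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/hex"
	"fmt"
)

// Substr mirrors substr(input, start, length). Out-of-range start or length
// is clamped, so a template that over-asks on a short value still resolves
// instead of aborting the request.
func Substr(input string, start, length int) string {
	if start < 0 {
		start = 0
	}
	if start >= len(input) || length <= 0 {
		return ""
	}
	if end := start + length; end < len(input) {
		return input[start:end]
	}
	return input[start:]
}

// AesCBC mirrors aes_cbc(plaintext, key, iv): AES-CBC with PKCS#7 padding,
// hex-encoded (an assumption). A key that is not 16/24/32 bytes or an IV that
// is not one block is an error, so a misconfigured template fails loudly.
func AesCBC(plaintext, key, iv string) (string, error) {
	block, err := aes.NewCipher([]byte(key))
	if err != nil {
		return "", err
	}
	if len(iv) != aes.BlockSize {
		return "", fmt.Errorf("iv must be %d bytes, got %d", aes.BlockSize, len(iv))
	}
	pad := aes.BlockSize - len(plaintext)%aes.BlockSize
	padded := append([]byte(plaintext), bytes.Repeat([]byte{byte(pad)}, pad)...)
	out := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, []byte(iv)).CryptBlocks(out, padded)
	return hex.EncodeToString(out), nil
}

func main() {
	fmt.Println(Substr("https://example.com", 8, 20)) // example.com
	fmt.Println(AesCBC("data", "0123456789abcdef", "fedcba9876543210"))
}
```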

Template Locations

Nuclei templates are embedded in the binary but can be customized:
# Embedded path (automatic)
config/nuclei-templates/

# External templates (override in config.json)
{
  "nucleiTemplates": "/path/to/custom/templates"
}

Vulnerability Categories

Remote Code Execution (RCE)

Spring Framework

  • CVE-2022-22965 (Spring4Shell)
  • CVE-2022-22947 (Gateway RCE)

Apache Log4j

  • CVE-2021-44228 (Log4Shell)
  • JNDI injection variants

Weblogic

  • Multiple deserialization RCEs
  • T3/IIOP protocol exploits

JBoss

  • CVE-2017-12149
  • Deserialization vulnerabilities

Authentication Bypass

Checked vulnerabilities:
  • Weblogic Console (CVE-2020-14882/14883)
  • Jenkins (CVE-2018-1000110, Groovy script)
  • Default credentials (103+ templates)
  • Token spray attacks (230+ checks)

Information Disclosure

  • Exposed panels: 662 admin interface checks
  • File exposure: .git, .svn, backups, configs
  • Error messages: Stack traces, debug info
  • API endpoints: Swagger, GraphQL, API docs

Deserialization Vulnerabilities

Supported frameworks:
  • Java (Weblogic, JBoss, Tomcat)
  • Fastjson (≤ 1.2.62)
  • Apache Shiro (≤ 1.2.4)
  • Python Pickle

Performance Optimization

Concurrent POC Execution

scan4all uses goroutine pools for parallel POC execution:
// Configurable worker threads
-c 25  // Default: 25 concurrent POC checks
-c 50  // Faster: 50 concurrent checks
-c 10  // Conservative: 10 concurrent checks

Rate Limiting

Prevent overwhelming targets:
# Control request rate
scan4all -host example.com -rate 100  # 100 requests/second

Timeout Configuration

# Adjust POC timeout
scan4all -host example.com -timeout 5000  # 5 second timeout
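An added Go sketch, not scan4all's own code, of how the three controls above (-c, -rate and -timeout) combine in a goroutine pool. The Options type, RunPool and the check signature are assumptions; each check receives a context that expires at the timeout, which is how a hung POC is cut off without stalling the pool.

```go
package main

import (
	"context"
	"fmt"
	"sync"
	"sync/atomic"
	"time"
)

// Options mirrors -c (workers), -rate (requests/second), -timeout (ms per POC).
type Options struct {
	Concurrency, Rate, TimeoutMS int
}

// RunPool runs each check through a fixed pool of Concurrency workers, spacing
// starts to Rate per second and bounding every check by TimeoutMS; it returns
// the number of checks that reported a hit.
func RunPool(opts Options, checks []func(context.Context) bool) int {
	if opts.Concurrency < 1 || opts.Rate < 1 {
		panic("Concurrency and Rate must be >= 1") // 0 workers deadlocks, 0 rate panics NewTicker
	}
	ticker := time.NewTicker(time.Second / time.Duration(opts.Rate))
	defer ticker.Stop()
	jobs := make(chan func(context.Context) bool)
	var wg sync.WaitGroup
	var hits int32
	for i := 0; i < opts.Concurrency; i++ { // -c: fixed-size worker pool
		wg.Add(1)
		go func() {
			defer wg.Done()
			for c := range jobs {
				ctx, cancel := context.WithTimeout(context.Background(), time.Duration(opts.TimeoutMS)*time.Millisecond)
				if c(ctx) { // a check that overruns -timeout sees ctx.Done()
					atomic.AddInt32(&hits, 1)
				}
				cancel()
			}
		}()
	}
	for _, c := range checks {
		<-ticker.C // -rate: at most one POC start per tick
		jobs <- c
	}
	close(jobs)
	wg.Wait()
	return int(hits)
}
func main() { fmt.Println(RunPool(Options{Concurrency: 25, Rate: 100, TimeoutMS: 5000}, nil)) }
```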

Output and Reporting

JSON Output Format

{
  "vulnerability": "CVE-2022-22965",
  "name": "Spring4Shell RCE",
  "severity": "critical",
  "url": "https://example.com:8080",
  "payload": "class.module.classLoader.resources...",
  "evidence": "Tomcat version detected in response",
  "timestamp": "2026-03-05T10:30:00Z"
}

Elasticsearch Integration

Store results in Elasticsearch for centralized management:
1. Start Elasticsearch

docker run --restart=always \
  --ulimit nofile=65536:65536 \
  -p 9200:9200 -p 9300:9300 \
  -d --name es \
  -v $PWD/logs:/usr/share/elasticsearch/logs \
  -v $PWD/data:/usr/share/elasticsearch/data \
  hktalent/elasticsearch:7.16.2
2. Initialize Indices

./config/initEs.sh
3. Query Results

# Search by target
curl "http://127.0.0.1:9200/vuln_index/_search?q=url:example.com"

# Search by CVE
curl "http://127.0.0.1:9200/vuln_index/_search?q=vulnerability:CVE-2022-22965"

Advanced Detection Features

Technology-Specific Checks

scan4all automatically enables POCs based on fingerprinting:
# Weblogic detected → T3/IIOP protocol checks enabled
# Spring Boot detected → Spring-specific CVEs checked
# WordPress detected → 419 WP-specific POCs executed

Workflow Templates

Multi-step vulnerability detection:
workflows/wordpress-workflow.yaml:
1. Detect WordPress installation
2. Enumerate plugins
3. Check plugin versions
4. Run plugin-specific POCs
5. Test default credentials
6. Check for exposed backups

Supply Chain Scanning

Automated dependency vulnerability detection:
  • Identifies software components and versions
  • Matches against CVE databases
  • Checks for outdated libraries
  • Detects vulnerable dependencies

Example Workflows

# Complete scan with all POCs
scan4all -host example.com \
  -ceyeapi YOUR_KEY \
  -ceyedomain YOUR_DOMAIN.ceye.io \
  -v

Best Practices

Legal and Ethical Considerations:
  • Only scan systems you own or have explicit permission to test
  • Respect rate limits and avoid DoS conditions
  • Be aware of local laws regarding security testing
  • Some POCs may cause service disruption
1. Start with Fingerprinting

Let scan4all identify technologies before POC execution:
scan4all -host example.com -np  # Fingerprint only
2. Enable DNSLOG

Configure DNS logging for complete coverage:
scan4all -host example.com \
  -ceyeapi KEY -ceyedomain DOMAIN.ceye.io
3. Use Appropriate Rate Limits

Avoid overwhelming targets:
scan4all -host example.com -rate 100 -c 10
4. Review Results Carefully

Validate findings before reporting:
  • Check for false positives
  • Verify exploitability
  • Document reproduction steps

Troubleshooting

No Vulnerabilities Found

  1. Check fingerprinting: Ensure technologies were correctly identified
  2. Enable verbose mode: scan4all -host example.com -v
  3. Verify POCs enabled: Check that -np flag is not set
  4. Review logs: Check for POC execution errors

False Positives

  • Web Application Firewalls (WAF) may trigger false positives
  • Use -proxy flag to route through Burp/ZAP for analysis
  • Check response bodies manually for verification

Rate Limiting

If POCs are being blocked:
  • Reduce rate: -rate 50
  • Decrease concurrency: -c 5
  • Increase timeout: -timeout 10000
