Skip to main content

Overview

scan4all supports custom POC development through two primary methods:

Go POCs

Native Go code for complex detection logic and maximum performance

YAML POCs

Declarative YAML templates for simpler web vulnerability detection

Creating Go POCs

Step 1: Add Fingerprint

First, ensure the target technology has a fingerprint in pkg/fingerprint/localFingerData.go: 
// Check if fingerprint exists
var FingerPrintData = map[string]string{
    "Apache Tomcat": "...",
    "Your-Technology": "detection-pattern",
}
If the fingerprint doesn’t exist, add it: 
"YourApp": `(?i)(YourApp|X-Powered-By: YourApp)`,

Step 2: Create POC File

Create a new directory and Go file in pocs_go/: 
mkdir -p pocs_go/yourapp
touch pocs_go/yourapp/CVE_2024_12345.go

Step 3: Write POC Function

package yourapp

import (
    "github.com/GhostTroops/scan4all/lib/util"
    "strings"
)

func CVE_2024_12345(url string) bool {
    // Build exploit URL
    exploitPath := "/api/vulnerable?param=test"
    targetURL := url + exploitPath
    
    // Send HTTP request
    req, err := util.HttpRequset(targetURL, "GET", "", false, nil)
    if err != nil {
        return false
    }
    
    // Check for vulnerability indicators
    if req.StatusCode == 200 && strings.Contains(req.Body, "vulnerable") {
        // Log the finding
        util.SendLog(targetURL, "CVE-2024-12345", "Vulnerability detected", "")
        return true
    }
    
    return false
}

Step 4: Register POC

Add detection logic to pocs_go/go_poc_check.go: 
func POCcheck(wappalyzertechnologies []string, URL string, finalURL string, checklog4j bool) []string {
    var technologies []string
    
    for tech := range wappalyzertechnologies {
        caseStr := strings.ToLower(wappalyzertechnologies[tech])
        
        switch caseStr {
        // ... existing cases ...
        
        case "yourapp":  // Match fingerprint name (case-insensitive)
            if yourapp.CVE_2024_12345(URL) {
                technologies = append(technologies, "exp-YourApp|CVE-2024-12345")
            }
            if yourapp.CVE_2024_54321(URL) {
                technologies = append(technologies, "exp-YourApp|CVE-2024-54321")
            }
        }
    }
    
    return technologies
}

Step 5: Import Package

Add import at the top of go_poc_check.go: 
import (
    // ... existing imports ...
    "github.com/GhostTroops/scan4all/pocs_go/yourapp"
)

Creating YAML POCs

Step 1: Verify Fingerprint

Ensure fingerprint exists in pkg/fingerprint/localFingerData.go.

Step 2: Create YAML File

Create a YAML file in pocs_yml/ymlFiles/ following the naming convention: Naming: {fingerprint}-{cve/vulnerability-id}-{description}.yml Example: yourapp-cve-2024-12345-rce.yml

Step 3: Write YAML POC

name: poc-yaml-yourapp-cve-2024-12345
manual: true
transport: http
set:
  rand: randomLowercase(8)
rules:
    v1:
        request:
            cache: true
            method: GET
            path: /api/check?param={{rand}}
            headers:
                User-Agent: "Mozilla/5.0"
        expression: |
            response.status == 200 && 
            response.body.bcontains(b"vulnerable")

YAML POC Components

name: poc-yaml-{target}-{vuln}
manual: true               # Requires manual verification
transport: http            # http, tcp, udp
set:                       # Variables
  var1: randomInt(1000, 9999)
  var2: randomLowercase(8)
  var3: "static value"

request:
    cache: true              # Cache HTTP response
    method: GET              # GET, POST, PUT, DELETE, etc.
    path: /api/endpoint      # URL path
    headers:                 # Custom headers
        Content-Type: application/json
        X-Custom: value
    body: |                  # Request body
        {"key": "value"}
    follow_redirects: false  # Follow redirects
Response Checks:
response.status == 200
response.status >= 200 && response.status < 300
response.body.bcontains(b"text")
response.body.contains("string")
response.body.matches("regex")
response.headers["server"].contains("Apache")
response.latency > 5000
String Functions:
string.contains(str, "sub")
string.startsWith(str, "prefix")
string.endsWith(str, "suffix")
Encoding:
base64.encode("text")
base64.decode("dGV4dA==")
url.encode("text")
md5("text")
sha256("text")
Random Generation:
randomInt(min, max)
randomLowercase(length)
randomUppercase(length)
randomString(length)
For SSRF/RCE detection with DNS callbacks:
set:
  reverse: newReverse()
  randStr: randomLowercase(8)

rules:
    v1:
        request:
            path: /fetch?url=http://{{reverse.domain}}/{{randStr}}
        expression: |
            reverse.wait(5)  # Wait for callback
Requires configuration:
export ceyeapi="your-api-key"
export ceyedomain="your.ceye.io"

Utility Functions

HTTP Request Helpers

req, err := util.HttpRequset(url, "GET", "", false, nil)

Response Handling

if req, err := util.HttpRequset(url, "GET", "", false, nil); err == nil {
    // Check status code
    if req.StatusCode == 200 {
        // Check body content
        if util.StrContains(req.Body, "pattern") {
            // Vulnerability confirmed
        }
    }
    
    // Access headers
    serverHeader := req.Header.Get("Server")
    
    // Access final URL (after redirects)
    finalURL := req.RequestUrl
}

Logging Functions

// Send vulnerability finding
util.SendLog(url, "CVE-XXXX-XXXXX", "Description", "Additional info")

// Log POC execution
util.POClog(fmt.Sprintf("Testing %s with payload %s", url, payload))

// Standard logging
log.Println("Debug information")

Testing POCs

Local Testing

1

Build Project

go build
2

Test Against Target

./scan4all -host http://vulnerable-target.com
3

Enable Verbose Output

./scan4all -v -host http://vulnerable-target.com
4

Check Results

Look for your POC output in the results

Unit Testing

Create test file yourapp/CVE_2024_12345_test.go: 
package yourapp

import (
    "testing"
)

func TestCVE_2024_12345(t *testing.T) {
    // Test against known vulnerable instance
    vulnerableURL := "http://vulnerable-test-instance.local"
    
    if !CVE_2024_12345(vulnerableURL) {
        t.Errorf("Failed to detect vulnerability on known vulnerable instance")
    }
    
    // Test against patched instance
    patchedURL := "http://patched-test-instance.local"
    
    if CVE_2024_12345(patchedURL) {
        t.Errorf("False positive on patched instance")
    }
}
Run tests: 
go test ./pocs_go/yourapp/

Best Practices

Precise Detection

Use specific vulnerability indicators to minimize false positives

Error Handling

Always handle network errors and edge cases gracefully

Performance

Keep POCs fast - they execute on every matching target

Documentation

Document POC purpose, affected versions, and references

Security Considerations

  • Never include actual exploits that could cause damage
  • Detection only - POCs should detect, not exploit
  • Minimize impact - Use non-destructive payloads
  • Respect rate limits - Don’t overwhelm targets

Code Quality

// Good
func CVE_2024_12345_RCE(url string) bool

// Bad
func check(u string) bool

// Validate input
if url == "" {
    return false
}

// Parse URL
if u, err := url.Parse(url); err != nil || u.Host == "" {
    return false
}

// Check response
if req == nil || req.Body == "" {
    return false
}

// CVE_2024_12345 detects authentication bypass in YourApp <= 1.2.3
// Vulnerability allows unauthenticated access to admin panel
// Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-12345
func CVE_2024_12345(url string) bool {
    // Build exploit URL with bypass parameter
    exploitPath := "/admin?bypass=true"
    
    // Send request
    req, err := util.HttpRequset(url+exploitPath, "GET", "", false, nil)
    if err != nil {
        return false
    }
    
    // Check for admin panel indicators
    return req.StatusCode == 200 && 
           util.StrContains(req.Body, "Admin Dashboard")
}

Examples from Codebase

Simple Detection

// From pocs_go/tomcat/CVE_2017_12615.go
func CVE_2017_12615(szUrl string) bool {
    if req, err := util.HttpRequset(szUrl+"/vtset.txt", "PUT", "test", false, nil); err == nil {
        if req.StatusCode == 204 || req.StatusCode == 201 {
            util.SendLog(szUrl, "CVE-2017-12615", "Found vuln Tomcat", "")
            return true
        }
    }
    return false
}

Complex Detection

// From pocs_go/Springboot/CVE-2022-22965.go
func CVE_2022_22965(u string) bool {
    if oU, err := url.Parse(u); nil == err && oU.Host != "" {
        szUrl := oU.Scheme + "://" + oU.Host
        
        // Test for vulnerability pattern
        if req, err := util.HttpRequset(
            szUrl+"?class.module.classLoader%5b1%5d=1", 
            "GET", "", false, nil); err == nil {
            
            if req.StatusCode == 500 {
                // Confirm with second request
                if req2, err := util.HttpRequset(
                    szUrl+"?class.module.classLoader=1", 
                    "GET", "", false, nil); err == nil {
                    
                    if req2.StatusCode == 200 {
                        util.SendLog(szUrl, "CVE-2022-22965", 
                            "Spring4Shell detected", "")
                        return true
                    }
                }
            }
        }
    }
    return false
}

Troubleshooting

Possible causes:
  • Fingerprint not detected
  • Case mismatch in switch statement
  • POC not registered in go_poc_check.go
  • Package not imported
Solutions:
# Check fingerprint detection
./scan4all -v -host target.com | grep -i "fingerprint"

# Verify POC registration
grep -i "yourapp" pocs_go/go_poc_check.go
Solutions:
  • Add more specific detection criteria
  • Verify multiple indicators
  • Test against patched versions
  • Check for edge cases
Common issues:
# Import cycle
# Solution: Reorganize package structure

# Undefined function
# Solution: Import required packages

# Syntax error
# Solution: Run go fmt and fix syntax

Go POCs

Explore existing Go POC implementations

Xray POCs

Learn about YAML POC structure

Fingerprinting

Understand fingerprint detection system

Development

Learn about scan4all architecture

Build docs developers (and LLMs) love

Get started for freeTalk to us