Core Security Adds Web Application Penetration Testing Capabilities to CORE IMPACT



CORE IMPACT v7.5 Becomes First Product to Integrate the Testing of Servers, Desktop Systems, End Users and Web Applications Against Real-World Information Security Threats

BOSTON - October 16, 2007 - Core Security Technologies today announced the addition of web application penetration testing capabilities to CORE IMPACT, the most comprehensive product for performing enterprise security assurance testing. With the addition of web application testing to its comprehensive network and end-user security testing capabilities, CORE IMPACT v7.5 now will enable users to safely assess an organization’s security posture against the top three attack methods that jeopardize

data today:

  • penetration of network defenses via exploits designed to compromise vulnerabilities in server operating systems and services, as well as client applications that run on

    desktop systems
  • deception of employees, contractors and other end users via email-based social engineering attacks, such as phishing and spear phishing
  • manipulation of web applications to access backend data via SQL injection and remote file inclusion techniques

"As web application vulnerabilities become more ubiquitous, cybercriminals are increasingly taking advantage of the trust that organizations place in e-commerce, customer self-service, ERP and other web applications," said Charles Kolodgy, research director, for Secure Content and Threat Management research at IDC. "Attackers don’t segment their vectors, they combine all the weaknesses they can find into a given attack. Organizations must test accordingly and do so following a safe, repeatable and consistent methodology."

Leveraging the product’s automated Rapid Penetration Test methodology, users can go beyond scanning to identify and interact with at-risk web applications to expose backend data – just as a potential attacker could.  IMPACT’s web application security testing capabilities enables users to:

  • identify weaknesses in web applications, web servers, web browsers and associated databases
  • dynamically generate exploits that can prove the existence of security weaknesses
  • demonstrate the potential consequences of a

    successful attack
  • help address security issues and prevent data incidents

The product’s unified interface provides a consistent methodology for replicating attack attempts that spread among these attack vectors. For instance, IMPACT can replicate an attack that initially compromises a web server or end-user workstation and then propagates to backend network systems. Only IMPACT allows users to test information security in such an integrated, comprehensive, in-depth and seamless fashion with a consistent and repeatable methodology.

"With the addition of web application vulnerability testing capabilities to CORE IMPACT, Core Security continues to provide us easy and safe ways to test the security of our environment against the latest threats," said Nikk Gilbert, Security Director, Alstom Transport. “By adding web application testing to its existing capabilities IMPACT saves us from having to use disparate, stand-alone tools for each part of our IT infrastructure. It’s good to know that we can now rely on an established, trusted vendor to help us face our security challenges in this area

as well.”  

Going Beyond Scanning to Identify Real Threats to Web, Network and End-User Systems

Mitigating web application vulnerabilities typically requires developers to rework code, so it’s critical that web application security testing pinpoint actual threats and eliminate false positives. IMPACT both identifies potential vulnerabilities and validates them with dynamically generated exploits that enable users to replicate the actions of a real-world attacker against custom and customized web applications.

"Web applications, while seemingly isolated, are eventually 

attached to systems and information that organizations must protect," said Paul Paget, CEO of Core Security Technologies. "Consequently, a compromised web application opens the door to other network and information assets, thereby compounding the damage caused by the initial breach. The integration of web application testing with IMPACT’s network and spear phishing testing capabilities adds another major attack vector that our customers have been asking for." 

The Web Application Rapid Penetration Test

CORE IMPACT’s Web Application Rapid Penetration Test (RPT) reduces the time and technical skill required to effectively test the security of web applications. The RPT brings speed and efficiency to the entire security testing process, allowing customers to accurately and safely identify security weaknesses, demonstrate the potential consequences of an attack, and get the information they need to prevent actual data incidents.

The new Web Application RPT process maintains the consistency and methodology that has already made IMPACT’s network and client-side testing capabilities a success. Through a set of straightforward wizards, the RPT guides the user through every step of the testing process, starting with the Information Gathering stage. During this discovery phase of the RPT, IMPACT crawls through web pages and identifies pages to test.

IMPACT v 7.5 currently tests web applications against two types of attacks: SQL Injection and Remote File Inclusion (RFI). For each, the product first analyzes which pages identified during Information Gathering may be vulnerable to attack. Based on the results, IMPACT then dynamically creates SQL Injection and RFI attacks to prove whether the vulnerabilities pose actual threats.

  • SQL Injection: SQL Injection attacks inject SQL commands into web application databases through web forms, page parameters and cookie fields. Through its vulnerability analysis capabilities, CORE IMPACT safely identifies these potential paths of attack. The product then dynamically creates and injects SQL queries in an attempt to retrieve output from the SQL database. If successful, IMPACT creates a SQL Agent, which testers can leverage to replicate the actions of an attacker, such as retrieving database information and gaining direct access via a SQL console. A range of additional, database-specific actions are available for further vulnerability validation.

  • Remote File Inclusion: To test web applications against Remote File Inclusion (RFI) attacks on PHP applications, IMPACT dynamically manipulates PHP templates in an attempt to retrieve commands from a remote web server controlled by the tester that runs within the IMPACT framework. If successful, the manipulation is recorded as an IMPACT RFI Agent for PHP, which allows testers to open a command shell or a PHP console to interact with compromised web servers and applications, demonstrating the potential consequences of a data breach.

Core has extended the concept of Agents and Command Shell Consoles to bring a new level of simplicity and ease of use to web application security testing. Upon successful verification that vulnerabilities in a web application exist and are exploitable, CORE IMPACT’s new SQL Injection and RFI Agents and command consoles can be used to deploy the product’s traditional Network Agent on the servers hosting the web application or its databases. This allows security professionals to leverage the server as a beachhead from which to run automated network penetration tests against other systems on the network, just as an actual attacker could. Understanding how vulnerabilities – in different layers of the network and exploited through different attack vectors­ – can be combined to build attack paths into an organization is invaluable to devising effective mitigation mechanisms.

Through its reporting capabilities, IMPACT provides security professionals, web developers and database administrators with critical information about confirmed security weaknesses, revealing possible fixes and helping them to prioritize remediation efforts. IMPACT maintains audit trails of all web application penetration tests performed, servers and databases accessed, and all actions taken during testing. Like all IMPACT reports, web application test reports can be exported to HTML, PDF and Microsoft Word for further customization

and distribution.

IMPACT does not install or run any code on compromised web servers during web application penetration testing. The testing process is therefore self-contained and safe for

production systems.

CORE IMPACT v7.5 will be available within 30 days. Additional information about CORE IMPACT 7.5 can be found at

About Core Security Technologies

Core Security Technologies develops strategic solutions that help security-conscious organizations worldwide develop and maintain a proactive process for securing their IT infrastructure. The company’s flagship product, CORE IMPACT, is the most comprehensive product for performing enterprise security assurance testing. IMPACT evaluates servers, desktop systems, end users and web applications by identifying what resources are exposed. It enables organizations to determine if current security investments are detecting and preventing attacks. Core augments its leading technology solution with world-class security consulting services, including penetration testing and software security auditing. Based in Boston, MA and Buenos Aires, Argentina, Core Security Technologies can be reached at 617-399-6980 or on the Web at


Tim Whitman or Tiffany Archambault

Schwartz Communications

+1 781-684-0770

Tue, October 16