Today, we released Metasploit Pro 4.6, which brings you some awesome new features for your enterprise security program.
Updated Web Application Security Testing with Support for OWASP Top 10 2013
Web applications are gaining more and more traction, both through internally developed applications and by adding SaaS-based solutions. These applications often contain some of the most confidential information in the organization, such as financial and customer data, credit card numbers, medical data, and intellectual property. To enable you to audit the security of these applications, Metasploit Pro's web application auditing functionality has been significantly enhanced in the new release:
- Support for OWASP Top 10 2013: Release 4.6 broadens the scope of Metasploit's security auditing with the inclusion of testing capabilities for the upcoming Open Web Application Security Project (OWASP) Top 10 2013, which is currently in the Release Candidate stage. The list identifies ten of the most critical risks relating to web applications. Due to the popularity of, and increasing reliance on, web applications, they are involved in the majority of breaches. Metasploit addresses this, enabling organizations to audit the security of their web-based applications, whether they be out of the box or custom, on-premise or in the cloud. This helps security professionals identify issues before a malicious attacker does. Learn more about what's new in our OWASP Top 10 2013 webcast.
- Revamped user interface: Metasploit's web application security testing is now easier to use and includes a wizard that walks you through the process. This speeds up the process for seasoned web application penetration testers, and makes it really easy for new users to conduct baseline assessments.
- More effective website spider: Like Google crawling the web to index pages, Metasploit Pro's spider follows linked pages to map out the entire application. The updated spider is now more efficient and follows harder to find links to ensure comprehensive testing.
- Get shells using SQL injection: SQL injections are among the top reasons of compromise for web applications, posing a huge risk to confidential data. Most SQL injection attacks give you access to the data in the database; Metasploit Pro's new SQL injection attacks go beyond this, giving penetration testers a session on the machine, which is equivalent to having administrative rights on the machine. This gives the penetration tester not only access to the database but also to other information on the machine, and opens the door to pivot to other machines.
- Support for web app authentication: Many web applications require log in credentials for access. Metasploit Pro now supports the five most common authentication types.
- Web app report with remediation advice: Finding vulnerabilities is great, but the goal is to eliminate them. The remediation advice provided in Metasploit's reports should serve as a valuable basis for discussions with internal developers and external SaaS application providers.
Security Auditing Wizards Accelerate Engagements, Simplify Baseline Assessments
Metasploit Pro 4.6 also introduces the concept of Security Auditing Wizards, which walk the user through the steps of a typical engagement. Seasoned penetration testers will find that the wizards shortcut the first steps of an engagements, making them more productive. For new Metasploit Pro users, the new wizards provide a great way to easily conduct baseline assessments to find low-hanging fruit. Release 4.6 introduces three new wizards:
- Quick Penetration Testing Wizard: This wizard guides security professionals through a baseline penetration test. Only requiring users to enter an IP range, the wizard discovers assets, fingerprints hosts, determines potential attacks, runs exploits of a certain safety level, and provides a report. The wizard can either serve as a first step for a more in-depth security assessment or for a baseline penetration test to find low-hanging fruit, either as a regular security practice or before a third-party audit to make it more effective.
- Web Application Testing Wizard: Requiring only a base URL to start, this wizard crawls the web application, finds exploitable vulnerabilities, and creates a report with remediation information. It is a great, quick way to assess the security of an application during regular assessments or as a gate before releasing it to production.
- Phishing Simulation Wizard: Phishing emails with links or attachments that try to exploit a user's machine are a big threat vector for many organizations, both for spear phishing and for untargeted attacks. Metasploit Pro's social engineering campaigns enable organizations to measure their exposure by sending simulated phishing emails, both to get a general sense of the size of risk and to verify a reduction of risk after conducting security awareness trainings.
Metasploit Pro 4.6 is available for download now
All of these improvements in Metasploit Pro 4.6 are in addition to the weekly updates to all Metasploit editions, both free and commercial ones (read todb's awesome post on Metasploit Framework updates). Existing users of Metasploit can update their installation using the in-product update feature (Kali Linux users may see the update in four hours at the latest as the Kali repos synch).
If you want to learn more about what's new in OWASP Top 10 2013, reserve a free seat in our OWASP webcast today.
For free trial of Metasploit Pro, download the Metasploit installer now.