Alex Horan, director of product management for Core, says Impact's wireless support lets pen testers wage man-in-the-middle attacks and crack the encryption in WEP-, WPA-, and WPA2-encrypted networks. "In version 9, you could just sniff a wireless network," he says. Version 10 lets you see a wireless network and break in, he says.
Impact also now includes testing for additional Web application security flaws, including insecure direct object references, failure to restrict URL access, security misconfiguration, and insufficient transport layer protection to test for weaknesses in SSL-secured sites. "The discovery we do is based on crawling. We got a lot more capability for looking for pages directly," he says.
And Impact's exploits now inject payloads into PDFs and executables for phishing and spear-phishing attacks. "That's the most exciting part of this release for me," Horan says.
Version 10 also tests for leakage of certain types of data, including Social Security numbers, credit card numbers, and other sensitive data. Users who opt into Core's community data-sharing program, which lets them anonymously share data on their testing findings, can now also access data on how other organizations are using the tool and on trends in other customers' pen tests. "If you've opted in, we will display the community stats on your dashboard," he says. "You can see how your [results] compare with the community of Core Impact customers."
Impact's new features further reflect a shift in pen testing from a "black art" to more of a mainstream practice, Horan says.