Security Compass Releases “Yasuo,” an Application Vulnerability Scanner for Red Team Engagements


Following its DerbyCon 4.0 debut, Security Compass releases "Yasuo," an application vulnerability scanner for red team engagements. Yasuo helps identify vulnerable 3rd-party applications sitting undetected on an organization's network.

Security Compass, a leading web and mobile application security firm, announces the release of Yasuo, an open-source application vulnerability scanner developed to assist penetration testers in Red Team engagements as well as other network penetration testing gigs. The scanner was first released at DerbyCon 4.0 2014 by Saurabh Harit (@0xsauby) and Stephen Hall (@_stephen_hall) during their talk “Gone in 60 Minutes – Practical Approach to Hacking an Enterprise with Yasuo.” An updated version will also be presented at the upcoming ToorCon San Diego, October 22nd - 26th.

“Many large organizations have tons of vulnerable 3rd-party web applications sitting on their network, but these aren’t always easy to find and, for pentesters, sometimes there’s the additional challenge of avoiding detection by network security devices, which often detect and block the use of automated scanning tools due to the large number of requests,” said Saurabh Harit, Director of Security Research at Security Compass. “Applications such as Apache Tomcat, JBoss jmx-console, Hudson Jenkins etc. are quite often discovered on the network and could lead to the compromise of the remote server through vulnerabilities like malicious file upload, remote code execution, RFI, LFI and so on. There are thousands of such applications that would allow an attacker to remotely compromise the backend server in a similar manner and Yasuo is written to find these applications without being too noisy.”

Yasuo is written in Ruby and currently supports over 100 vulnerable 3rd-party web applications. It detects false positives, automatically extracts login forms as well as login parameters, and allows you to brute force default/weak login credentials. Future versions of Yasuo will also contain the following features: smarter version detection, support for the masscan output format, support for more vulnerable applications, a secondary signature, more modular code, and multi-threading.

Yasuo can be downloaded from


Headquartered in Toronto, Security Compass is a leading information security firm specializing in web and mobile application security for Fortune 10s-500s, large financial institutions, energy firms, technology/software providers, media companies, retailers and other businesses. Security Compass guides teams in building customized security blueprints based on the industry, software development lifecycle, and business needs to cost-effectively mitigate risks. Its secure application lifecycle management tool, SD Elements, was selected for Ovum's 2014 “On the Radar” report and recognized by Gartner’s 2014 “Cool Vendors in Application and Endpoint Security” report. Website:


Contact Author

Christine MacDonald