Web application pentests almost always involve a CMS. WordPress, Drupal, Joomla — the big names have decent tooling. But spend enough time in this space and you’ll run into less common platforms that don’t have the same coverage. When you do, you’re either doing everything manually or building something yourself.
After a year of regularly encountering Concrete5 during application tests and finding almost no useful tooling for it, the decision was easy. Build something.
Why Concrete5 specifically?
Concrete5 is a legitimate CMS with a real user base — businesses use it, and that means it shows up on real engagements. The problem is that the public vulnerability landscape for it is relatively sparse compared to the major platforms, which cuts both ways. Less documented means less tooling, but it also means findings tend to be less well-known and less likely to have been patched.
When you’re mid-engagement and you’ve identified a Concrete5 installation, the last thing you want to be doing is manually cross-referencing version numbers against vulnerability databases. That’s what ConScan handles.
What ConScan does
ConScan is a black-box scanner — no source code access, no credentials required. It fingerprints the target Concrete5 installation to identify version information and then checks those details against known public vulnerabilities. The goal is to get you from “this is running Concrete5” to “here’s what’s known to be exploitable against this version” as quickly as possible.
It’s focused and purposeful. It doesn’t try to be a general-purpose web scanner. It does one thing well.
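The matching step described above, sketched as an added example; this is not ConScan's code and not part of the original post. It assumes versions have up to four numeric components, treats a shorter fingerprint as a prefix, and uses constructed advisory entries with placeholder identifiers and ranges.

```python
from typing import NamedTuple

WIDTH = 4             # assumption: at most four numeric components, e.g. 5.6.3.1
INF = float("inf")    # stands in for "any value" in an unknown trailing component

class Advisory(NamedTuple):
    ident: str        # placeholder identifier, not a real advisory
    introduced: str   # first affected version (inclusive)
    fixed: str        # first fixed version (exclusive)

# Constructed sample data; identifiers and ranges are illustrative only.
ADVISORIES = [
    Advisory("EXAMPLE-0001", "5.4.0", "5.6.3.2"),
    Advisory("EXAMPLE-0002", "5.7.0", "5.7.5.4"),
    Advisory("EXAMPLE-0003", "8.0.0", "8.5.3"),
]

def parse(version: str) -> tuple:
    """Turn '5.6.3.1' into (5, 6, 3, 1); reject anything non-numeric."""
    parts = version.strip().split(".")
    if len(parts) > WIDTH or not all(p.isdigit() for p in parts):
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in parts)

def pad(v: tuple, fill) -> tuple:
    """Extend a version tuple to WIDTH components using `fill`."""
    return v + (fill,) * (WIDTH - len(v))

def classify(fingerprint: str, adv: Advisory) -> str:
    """Compare a (possibly partial) fingerprint with one advisory range."""
    v = parse(fingerprint)
    # A black-box fingerprint such as '5.6.3' may be truncated, so it covers
    # every release from 5.6.3.0 upward within that prefix.
    lo, hi = pad(v, 0), pad(v, INF)
    start = pad(parse(adv.introduced), 0)
    end = pad(parse(adv.fixed), 0)
    if start <= lo and hi < end:
        return "affected"          # every candidate release is in range
    if hi < start or lo >= end:
        return "not affected"      # no candidate release is in range
    return "possible"              # range only partly overlaps: confirm exact version

def triage(fingerprint: str) -> dict:
    """Map advisory id -> status, leaving out advisories that cannot apply."""
    results = {a.ident: classify(fingerprint, a) for a in ADVISORIES}
    return {ident: s for ident, s in results.items() if s != "not affected"}
```

A "possible" result means the fingerprint was too coarse to decide, so the exact release should be confirmed with the site owner before the finding is reported.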
Download
ConScan is available via the nullsecurity GitHub:
https://github.com/nullsecuritynet/tools/raw/main/scanner/conscan/release/conscan-1.2.tgz
A note on black-box CMS scanning generally
Tools like this are most useful when you understand what they’re checking and why. Version-based vulnerability scanning only gets you so far — it tells you what’s known. The more interesting findings often come from understanding the CMS well enough to look for what isn’t in the public databases yet.
That’s the habit worth building. Use the scanner to cover the known ground quickly. Spend the time you saved looking for what nobody’s documented yet. That’s where the real findings tend to live.