Pentest Settings Documentation
The Pentest Settings section allows you to configure advanced options for an automated penetration test. Each setting influences the scope, depth, and methodology of the pentest.
🔧 Available Settings
1. Fuzzing level
Defines the intensity of fuzzing (number and variety of payloads injected). Applies to path discovery and TOP 10 attacks.
Possible values: LOW / MEDIUM / HIGH
Higher levels increase network load and scan duration.
2. HTTP Rate limit
Maximum number of HTTP requests per second.
Numeric value (e.g., 40)
A high value may generate excessive traffic, which could unintentionally overload the target system or impact its normal operation.
3. Authorized attacks
💡 You can enable/disable attacks depending on your legal scope.
4. Methods blacklist
HTTP methods excluded from testing (default: PUT, PATCH, HEAD, DELETE, CONNECT, OPTIONS, TRACE, PURGE).
Reduces the risk of destructive actions.
5. Specific headers
Allows you to add custom HTTP headers that will be included in all requests sent during the pentest.
Useful for:
- Testing applications that require authentication headers (e.g., Authorization: Bearer <token>)
- Adding custom headers for debugging or bypassing certain protections
- Simulating requests from specific clients or environments
6. Fuzz params part
Defines which parts of the request (QUERY / BODY / PATH / COOKIE / HEADER) will be fuzzed in dynamic attacks (e.g., OWASP TOP 10).
7. Params fuzzing blacklist
Excludes specific parameters from fuzzing (e.g., csrf_token, session_id, parameterName).
8. Fuzzing payloads OS
Determines which payloads are used for system-level injections.
Possible values: UNIX / WINDOWS / BOTH
9. XSS attack type
This setting is only used in dynamic Hacksessible tests; CVE checks may still use alert/prompt payloads regardless of this setting.
Two types of XSS are implemented in TOP 10 dynamic tests:
- WINDOWNAME attack: only changes window.name.
- PROMPT attack: puts a prompt in the web page. This technique is more aggressive and may lead to defacement of the website.
10. Redirects
- Follow same host: follow internal redirections that stay on the same host.
- Redirects max: maximum number of redirects to follow (e.g., 10).
11. Attack authorizations
- Authorize time-based attacks: enables tests that rely on delay-based responses (e.g., time-based SQLi).
- Authorize Out of Band (OOB) attacks: allows attacks that require external interaction (e.g., OOB-based SSRF).
12. Exploit CVE behavior
- NO_EXPLOIT: Hacksessible will not try to actively exploit CVEs.
- ONLY_ON_IDENTIFIED_TECHS: runs exploits only if the vulnerable technology is detected.
- TRY_ALL_CVE: also tries CVEs against technologies that were not identified (may increase test duration).
13. Severity CVE to exploit
Sets the severities of CVEs to exploit (see Exploit CVE behavior).
Applies only when trying all CVEs (TRY_ALL_CVE); it does not affect Hacksessible's intelligent CVE guessing.
Advanced exploit options
- 🚩 Send authorized attacks to CVE Exploit
Forward all enabled attack types to the CVE exploit module.
Useful for automatically blocking blacklisted HTTP methods during CVE checks.
Note: this feature is experimental.
- 🚩 Enable intrusive exploits (CVE)
Authorize exploits that may impact availability, integrity, or confidentiality of the target system.
Caution: intrusive exploits attempt real attacks. They can alter data, expose sensitive information, or temporarily disrupt services. Make sure this is authorized in the pentest scope before enabling.
- 🚩 Use experimental exploits (CVE) - alpha
Enable exploits that are still under testing or not yet publicly available.
Caution: experimental exploits may be unstable, incomplete, or produce false positives/false negatives.
- 🚩 Auto-add new attack types
Automatically integrate newly discovered attack modules as they become available.
Tip: this ensures your pentest engine always runs with the latest attack capabilities without manual updates. However, new attack types may introduce instability or increase scan duration.
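Before starting a test it is worth reviewing the chosen settings against the constraints described above. The following is an added example, not Hacksessible's own code or configuration format: the dictionary keys, the conservative profile values and the rate-limit ceiling of 40 are assumptions made for illustration.

```python
# Added example (not Hacksessible's own code): pre-flight review of a settings
# profile against the constraints documented for each setting.
# Keys, the sample profile and the rate-limit ceiling are assumptions.

DEFAULT_METHOD_BLACKLIST = {"PUT", "PATCH", "HEAD", "DELETE", "CONNECT",
                            "OPTIONS", "TRACE", "PURGE"}
RATE_LIMIT_CEILING = 40  # the documented example value, used here as a soft ceiling


def review_settings(s: dict, scope_allows_intrusive: bool = False) -> list:
    """Return a list of findings to resolve before starting; empty means nothing to flag."""
    findings = []
    if s.get("fuzzing_level") == "HIGH":
        findings.append("fuzzing_level HIGH: higher network load and longer scan duration")
    if s.get("http_rate_limit", 0) > RATE_LIMIT_CEILING:
        findings.append("http_rate_limit above %d: risk of overloading the target" % RATE_LIMIT_CEILING)
    # Any default method removed from the blacklist is a method that will be tested.
    missing = DEFAULT_METHOD_BLACKLIST - set(s.get("methods_blacklist", []))
    if missing:
        findings.append("methods_blacklist re-enables destructive methods: " + ", ".join(sorted(missing)))
    if s.get("xss_attack_type") == "PROMPT":
        findings.append("xss_attack_type PROMPT injects a prompt and may deface the page; WINDOWNAME only sets window.name")
    if s.get("exploit_cve_behavior") != "TRY_ALL_CVE" and s.get("severity_cve_to_exploit"):
        findings.append("severity_cve_to_exploit is ignored unless exploit_cve_behavior is TRY_ALL_CVE")
    if s.get("intrusive_exploits") and not scope_allows_intrusive:
        findings.append("intrusive_exploits enabled but not authorized in the pentest scope")
    if s.get("experimental_exploits"):
        findings.append("experimental_exploits: unstable and may produce false positives/negatives")
    if s.get("authorize_oob_attacks"):
        findings.append("OOB attacks require the target to reach an external interaction endpoint")
    return findings


def conservative_profile() -> dict:
    """A low-impact starting profile built from the documented defaults (constructed sample)."""
    return {
        "fuzzing_level": "LOW",
        "http_rate_limit": 10,
        "methods_blacklist": sorted(DEFAULT_METHOD_BLACKLIST),
        "fuzz_params_part": ["QUERY", "BODY"],
        "params_fuzzing_blacklist": ["csrf_token", "session_id"],
        "xss_attack_type": "WINDOWNAME",
        "exploit_cve_behavior": "NO_EXPLOIT",
        "intrusive_exploits": False,
        "experimental_exploits": False,
        "authorize_time_based_attacks": False,
        "authorize_oob_attacks": False,
    }
```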
▶️ Starting the Test
Once all parameters are configured, click Start Pentest to launch the scan.