Burp Suite Upgrades Scanner With Detection for Critical React2Shell Flaws

ActiveScan++, a widely used extension for the popular penetration testing tool Burp Suite, has released a significant upgrade.

The scanner now includes specific detection capabilities for the critical “React2Shell” vulnerabilities.

This update addresses two high-severity security flaws, CVE-2025-55182 and CVE-2025-66478.

Why This Update Matters

React2Shell vulnerabilities are critical because they allow attackers to execute remote commands on a server.

By adding these specific checks, ActiveScan++ lets security testers identify these flaws automatically during routine scans.

The goal of the extension is to find these complex issues without slowing down the testing process. It is designed to add minimal “noise” or traffic to the network while hunting for deep system flaws.

While the React2Shell detection is the headline feature, the tool’s broader capabilities remain vital for advanced testers.

ActiveScan++ looks for behaviors that standard scanners might miss. It detects “Host header” attacks, where a hacker might trick a server into sending a password reset link to the wrong person.

It also identifies “blind code injection,” a stealthy technique in which attackers try to run code in languages like Ruby or Perl by injecting commands into data fields, as reported by PortSwigger.

The tool also scans for:

  • Suspicious Math: It checks whether a server evaluates arithmetic expressions supplied in text fields (for example, turning “7 times 7” into “49”), which is a sign of a code injection risk.
  • Legacy Threats: It continues to check for well-known historical attacks such as Shellshock, Log4Shell, and Apache Struts vulnerabilities.
  • Hidden XML Issues: It identifies weaknesses in how a website handles XML data, which can lead to data leaks.
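The “suspicious math” check above is a simple heuristic, and the interesting part is avoiding false positives. The following is an added illustration of that logic written for this page; it is not ActiveScan++’s own code, and the response texts are constructed samples. It compares a baseline response with the response to a probe containing an expression, treats a merely echoed expression as not evaluated, discounts results that already appear in the baseline, and requires two independent probes to agree.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Probe:
    expression: str  # what was submitted, e.g. "7*7"
    result: str      # what evaluation would produce, e.g. "49"


def make_probe(a: int, b: int) -> Probe:
    """Build a multiplication probe; use operands whose product is unlikely
    to occur in ordinary page content (avoid 1, 0, 10, 100 ...)."""
    return Probe(f"{a}*{b}", str(a * b))


def _contains_number(text: str, value: str) -> bool:
    # Whole-number match: "49" must not match inside "1490" or "349".
    return re.search(rf"(?<!\d){re.escape(value)}(?!\d)", text) is not None


def looks_evaluated(baseline: str, response: str, probe: Probe) -> bool:
    """True only if the evaluated result is present in the probe response and
    was absent from the baseline. An echoed expression alone is not evidence:
    reflection means the input was displayed, not executed."""
    if _contains_number(baseline, probe.result):
        return False  # value occurs anyway; cannot attribute it to evaluation
    return _contains_number(response, probe.result)


def confirm_evaluation(baseline: str, responses: dict[Probe, str]) -> bool:
    """Report a finding only when every probe was evaluated. Two probes with
    different operands make a coincidental number in the page very unlikely."""
    return len(responses) >= 2 and all(
        looks_evaluated(baseline, text, probe) for probe, text in responses.items()
    )


# Constructed sample responses (a greeting field that reflects user input).
BASELINE = "<p>Hello, guest. Items in cart: 12</p>"
REFLECTED = "<p>Hello, 7*7. Items in cart: 12</p>"      # input shown verbatim
EVALUATED = "<p>Hello, 49. Items in cart: 12</p>"       # server computed it

if __name__ == "__main__":
    p1, p2 = make_probe(7, 7), make_probe(13, 17)
    print(looks_evaluated(BASELINE, REFLECTED, p1))   # False: only echoed
    print(looks_evaluated(BASELINE, EVALUATED, p1))   # True
    both = {p1: EVALUATED, p2: "<p>Hello, 221. Items in cart: 12</p>"}
    print(confirm_evaluation(BASELINE, both))         # True
```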

The best part for users is the ease of integration. There is no complex setup required to use these new features. Testers run a standard active scan on their target within Burp Suite.

ActiveScan++ works in the background, automatically triggering its passive and active checks.

If a vulnerability like React2Shell is found, it appears directly in the scan results, ready for review.
