# C-SCAD: Assessing Security Flaws in C-SCAD WebX Client


Introducing C-SCAD!

  • Overview
    C-SCAD is an information gathering and penetration testing tool written to assess security issues in the WebX (Internet Explorer-based web interface) client used to interact with the ClearSCADA server. The WebX client is hosted on the embedded web server that ships as part of the complete ClearSCADA architecture. The WebX client is primarily restricted from making configuration changes, but it can still reveal information about the ClearSCADA server and associated components. Insecure deployments of the WebX client can reveal information about functions such as alarm pages, SQL lists, and diagnostic checks, including various reports.


Presentation !

Version 0.1 - Functionality !

  • Enumerates active users configured for WebX access!
  • Enumerates configured databases and SQL lists for ClearSCADA!
  • Performs a complete configuration check for exposed components!
  • Verifies access to the diagnostic page and dumps the required information!
  • Executes dictionary attacks to check for weak credentials!
  • Triggers Shodan search queries for exposed ClearSCADA WebX clients on the Internet!

Documentation - Usage Examples:

Download !

Bugs !

  • Send all bugs and queries to: contact [no spam] secniche.org