DISCo

Bot User-Agent: disco

⚠️ Overview

DISCo is an open-source web vulnerability scanner first published on GitHub in 2019 by a developer using the handle “disco_dev,” later maintained by a small team of security researchers under the organization “disco-security.” Its primary purpose is automated reconnaissance for common web application flaws, but it has been widely repurposed by malicious actors for unauthorized scanning and exploitation, making it a confirmed threat in professional threat intelligence databases.

🔧 Technical Capabilities

DISCo uses a modular plugin system to detect SQL injection, cross‑site scripting (XSS), local file inclusion, remote file inclusion, and command injection vulnerabilities. It supports multi‑threaded scanning with configurable concurrency levels, enabling it to send thousands of HTTP requests per second while maintaining low latency. The tool includes an integrated HTTP proxy for custom header injection and User‑Agent rotation, as well as a payload obfuscation engine that attempts to bypass basic Web Application Firewall (WAF) rules. It can crawl target applications to dynamically discover endpoints, form parameters, and JavaScript‑generated URLs, then fuzz them with a built‑in dictionary of over 50,000 exploit payloads. DISCo also features a “stealth mode” that randomizes request intervals and uses tor‑socks proxy chains to evade IP‑based detection.

📜 History & Notable Incidents

Originally released as a legitimate penetration testing tool, DISCo quickly gained traction in underground forums for its effectiveness against WordPress, Joomla, and Drupal installations. In early 2020, the tool was linked to a large‑scale scanning campaign targeting outdated versions of Apache Struts (CVE‑2017‑5638), affecting thousands of publicly exposed endpoints. A subsequent incident in 2021 involved an automated DISCo‑powered botnet that exploited a remote code execution vulnerability in PHP‑CGI installations (CVE‑2012‑1823), compromising over 10,000 servers before being disrupted.

🔍 Detection Indicators

Known User‑Agent strings include “DISCo‑1.0”, “disco‑scan/2.0”, and “Mozilla/5.0 (compatible; DISCo/3.0; +http://disco‑scanner.org)”. Behavioral fingerprints include a rapid succession of GET and POST requests to the same directory with incrementing parameter values (e.g., “id=1”, “id=2”) and a high ratio of HTTP 500 or 403 responses within a short time window. The tool often sends requests with unusual Accept‑Encoding or Connection headers, and payloads containing SQL‑like or XSS‑like characters are frequently URL‑encoded in a non‑standard manner.
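Added example, not code from the page, from DISCo or from Boteraser: a small detector that applies the two indicators above (the listed User‑Agent strings, and a same‑directory sweep with incrementing parameter values answered mostly by 403/500) to web‑server access logs. It assumes combined log format, treats a case‑insensitive “disco” substring as equivalent to the three listed strings, and uses illustrative thresholds (4 hits, 60 s window, 50% error ratio); the sample log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import parse_qsl, urlsplit
# Combined log format: ip - - [ts] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[A-Z]+ (?P<path>\S+) [^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Every User-Agent string on the page contains "disco"; the case-insensitive substring match is an assumption
UA_RE = re.compile(r'disco', re.IGNORECASE)
# Constructed sample lines (not real traffic): an id= sweep from 203.0.113.7 and a listed UA from 198.51.100.9
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:12:00:01 +0000] "GET /shop/item.php?id=1 HTTP/1.1" 500 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "GET /shop/item.php?id=2 HTTP/1.1" 500 512 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:12:00:02 +0000] "POST /shop/item.php?id=3 HTTP/1.1" 403 0 "-" "Mozilla/5.0 (X11; Linux x86_64)"
203.0.113.7 - - [10/Mar/2024:12:00:03 +0000] "GET /shop/item.php?id=4 HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (X11; Linux x86_64)"
198.51.100.9 - - [10/Mar/2024:12:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "disco-scan/2.0"
"""

def parse_line(line):
    m = LOG_RE.match(line)  # None for lines that are not in combined format
    return m and dict(m.groupdict(), ts=datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
                      status=int(m['status']))

def _increments(hits):
    # True if some numeric query parameter steps upward across the hits (id=1, id=2, ...)
    series = defaultdict(list)
    for r in hits:
        for k, v in parse_qsl(urlsplit(r['path']).query):
            if v.isdigit():
                series[k].append(int(v))
    return any(len(v) >= 2 and all(b > a for a, b in zip(v, v[1:])) for v in series.values())

def classify(lines, window_s=60, min_hits=4, err_ratio=0.5):
    """Map client IP -> reasons, for clients matching the page's UA or behavioural indicators."""
    by_ip = defaultdict(list)
    for rec in filter(None, map(parse_line, lines)):
        by_ip[rec['ip']].append(rec)
    flagged = {}
    for ip, recs in by_ip.items():
        reasons = ['known DISCo User-Agent'] if any(UA_RE.search(r['ua']) for r in recs) else []
        per_dir = defaultdict(list)  # behavioural fingerprint: hits grouped by target directory
        for r in sorted(recs, key=lambda r: r['ts']):
            per_dir[urlsplit(r['path']).path.rsplit('/', 1)[0] or '/'].append(r)
        for d, hits in per_dir.items():
            span = (hits[-1]['ts'] - hits[0]['ts']).total_seconds()
            errs = sum(r['status'] in (403, 500) for r in hits) / len(hits)
            if len(hits) >= min_hits and span <= window_s and errs >= err_ratio and _increments(hits):
                reasons.append(f'parameter sweep on {d} ({len(hits)} hits, {errs:.0%} 403/500)')
        if reasons:
            flagged[ip] = reasons
    return flagged
```

Feed `classify()` the lines of a real access log to get a per‑client list of reasons; tune the thresholds to the site's normal traffic before alerting on them.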

☠️ Risk & Impact

If undetected, DISCo can enumerate databases, extract user credentials, and trigger remote code execution, leading to full server compromise and lateral movement within internal networks. The scanner’s aggressive payload injection can corrupt application data, exhaust server resources, and expose sensitive configuration files, resulting in data breaches that meet regulatory notification requirements (e.g., GDPR, CCPA).

🛡️ Mitigation

Immediate blocking upon detection is essential because DISCo is frequently used as a precursor to targeted, manual exploitation; allowing even a single scan to complete may provide attackers with a detailed attack surface map. Web Application Firewalls with signature‑based rules for the specific User‑Agent strings and payload patterns can be deployed, alongside rate‑limiting that triggers on the unique request clustering described above.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information are the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.