⚠️ Overview

JustView is a multi-threaded web vulnerability scanner first released in 2015 by the Chinese researcher known as "LuckyCat". It is an open-source tool hosted on GitHub at github.com/luckycat/JustView, and while intended for legitimate security testing, it is frequently abused by malicious actors for unauthorized scanning and exploitation.

🔧 Technical Capabilities

JustView performs automated scans for SQL injection, cross-site scripting (XSS), remote and local file inclusion (RFI/LFI), directory traversal, and server-side request forgery (SSRF). It includes a built-in dictionary for brute-forcing directories and files, and can detect outdated software versions by analyzing HTTP response headers. The scanner supports HTTP/HTTPS proxies, multi-threading for speed, and WAF detection with evasion techniques such as parameter pollution and payload encoding. It also features a plugin system for extending capabilities and can generate detailed reports in HTML format.

📜 History & Notable Incidents

In 2018, JustView was implicated in a series of attacks against Chinese e-commerce platforms, where it was used to extract customer data via SQL injection. Analysis of the source code revealed hardcoded C2 server credentials, indicating a potential backdoor. The tool has been referenced in multiple security advisories by Chinese CERTs. No CVEs are directly associated with the scanner itself, but it has been used to exploit known vulnerabilities.

🔍 Detection Indicators

The primary indicator is the user-agent string "JustView/1.0" or "JustView/2.0". Behavioral fingerprints include rapid sequential requests to paths like /admin, /login, /cgi-bin, /wp-admin with SQL keywords in query parameters, high request rate from a single IP, and absence of Referer headers. The scanner often sends requests with unusual Accept headers such as "text/html,application/xhtml+xml".

☠️ Risk & Impact

JustView can lead to complete compromise of vulnerable web applications, including unauthorized database access, data exfiltration, website defacement, and lateral movement within internal networks through LFI/RFI. It is often used as a reconnaissance tool to identify further attack vectors.

🛡️ Mitigation

Immediate blocking of requests containing the JustView user-agent or matching its behavioral patterns is critical. Web application firewalls (WAFs) and intrusion prevention systems (IPS) should be configured to detect and drop such traffic at the perimeter.

ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the bots listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.