CVE-2024-3400 PAN-OS Working POC - Proof Of Concept Palo Alto VPN | Latest Exploit CMD Injection

Views: 3,816

Chirag Artani

Comments
@Helloword-ob2gm (6 months ago)
How do we find the URL, and how did we understand this is vulnerable?
@jatinbudhwar5661 (8 months ago)
I found one on a bug bounty program. I did exactly the same as explained here and everything is working, but when I check the file it's still returning 404.
@chiragartani (8 months ago)
Hi, use curl -i "target". See the HTTP response header value: if you are seeing set-cookie: sessid, then that's vulnerable; if you see set-cookie: phpsessid, that's not vulnerable. Most of the PAN VPNs aren't vulnerable, but still it depends on luck.
@jatinbudhwar5661 (8 months ago)
@chiragartani Yes, it's set-cookie: sessid
@jatinbudhwar5661 (8 months ago)
That means it's vulnerable?
@chiragartani (8 months ago)
@jatinbudhwar5661 Yeah, most probably.
@jatinbudhwar5661 (8 months ago)
@chiragartani The server is not responding now.
@praisong7475 (8 months ago)
Hey, could you please help me with a vulnerable Docker image for this so that I can test this CVE in my local environment?
@emersonvan (8 months ago)
You can do that with OVA, EVE-NG, GNS3, but you will need to set up the firewall.
@WebWonders1 (7 months ago)
Hey, can you help me? This is giving this error: 3rag watchTowr length 0 Missing or invalid required input parameters
@chiragartani (7 months ago)
Hi, check the set-cookie: if that's sessid, not phpsessid, then that's vulnerable, else not. Also, just visit the URL. If you see 403 while opening the file instead of 404, you've got the vulnerability. Or if you are still seeing 404, that means there's no vulnerability in the target.
@WebWonders1 (7 months ago)
@chiragartani Yes, it's sessid, but in place of the login POST request that I am trying, I don't know why this error is coming: Missing or invalid required input parameters. Also, these are the versions: { "date": "2024-04-14", "versions": [ "10.2.9-h1", "11.0.4-h1", "11.1.2-h3" ], "precision": "exact", "resource": "global-protect/portal/images/bg.png" I have both the IP and domain of the portal and don't know which parameter is missing: user=3rag&portal=3rag&authcookie=2a50b3a2-aa4d-4429b3a4d6dc&domain=3rag&computer=3rag&client-ip=3rag&client-ipv6=watchTowr&md5-sum=3rag&gwHipReportCheck=3rag
@TranquiX89 (8 months ago)
Hi sir, how to know if my firewall has sent out data to the attacker?
@chiragartani (8 months ago)
If you see status code 200 in the logs, data is exposed. If you see 403 in the status code of the logs, the WAF worked.
@emersonvan (8 months ago)
The following command can be used from the PAN-OS CLI to help identify if there was an attempted exploit activity on the device:

grep pattern "failed to unmarshal session(.\+.\/" mp-log gpsvc.log*

If the value between "session(" and ")" does not look like a GUID, but instead contains a file system path or embedded shell commands, this could be related to an attempted exploitation of CVE-2024-3400, which will warrant further investigation to correlate with other indicators of compromise.

Grep output indicating an attempted exploit may look like the following entry:

failed to unmarshal session(../../some/path)

Grep output indicating normal behavior will typically appear like the following entry:

failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)
@TranquiX89 (8 months ago)
@emersonvan We have the output with a path, but the PA TAC team told us it is just failed attempts. Also, they told us no exploit. I am confused. 🥴
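
The log check described in @emersonvan's comment above, as an added Python example (not from the video, its author, or Palo Alto Networks): it sorts "failed to unmarshal session(...)" entries exported from gpsvc.log into GUID and non-GUID values. The timestamp prefix and the sample lines are constructed, and the function names are hypothetical.

```python
import re

# Message text quoted in the comment; the group captures the session value.
# Greedy match up to the last ")" so values containing parentheses stay whole;
# an over-capture can only make a value look less like a GUID (flagged, not missed).
SESSION_RE = re.compile(r"failed to unmarshal session\((.*)\)")
GUID_RE = re.compile(r"[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}")
SHELL_META = set("`$;|&<>{} \t")  # characters that have no place in a GUID

def classify(value):
    """Return 'guid' for a normal session id, otherwise why it looks wrong."""
    if GUID_RE.fullmatch(value):
        return "guid"
    reasons = []
    if "/" in value or ".." in value:
        reasons.append("path")
    if SHELL_META & set(value):
        reasons.append("shell-meta")
    return "+".join(reasons) or "non-guid"

def triage(lines):
    """Return (line_number, verdict, value) for every non-GUID session entry."""
    findings = []
    for number, line in enumerate(lines, 1):
        match = SESSION_RE.search(line)
        if not match:
            continue
        verdict = classify(match.group(1))
        if verdict != "guid":
            findings.append((number, verdict, match.group(1)))
    return findings

# Constructed sample: the two session values from the comment plus one with a
# shell metacharacter; the timestamp layout is an assumption, not PAN-OS format.
SAMPLE = [
    "2024-04-12 10:00:01 failed to unmarshal session(01234567-89ab-cdef-1234-567890abcdef)",
    "2024-04-12 10:00:05 failed to unmarshal session(../../some/path)",
    "2024-04-12 10:00:09 failed to unmarshal session(not-a-guid;PLACEHOLDER)",
    "2024-04-12 10:00:12 unrelated message",
]

if __name__ == "__main__":
    for number, verdict, value in triage(SAMPLE):
        print(f"line {number}: {verdict}: {value!r}")
```

A finding marks an attempt that still has to be correlated with other indicators of compromise, as the comment says; it does not by itself confirm that the device was exploited.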