Add SolarWinds Web Help Desk version detection module

[Aarush289]

Proposed change

Your PR description goes here:

This PR adds a version detection module for SolarWinds Web Help Desk.

The module passively identifies instances by requesting the Helpdesk endpoint and extracting the embedded build version token from the response. It returns the discovered version for further analysis and mapping to known vulnerabilities outside the module.

Tested against 2 live targets with successful version extraction (screenshots attached).

Type of change

• New core framework functionality
• Bugfix (non-breaking change that fixes an issue)
• Code refactoring without any functionality changes
• New or existing module/payload change
• Documentation/localization improvement
• Test coverage improvement
• Dependency upgrade
• Other improvement (best practice, cleanup, optimization, etc)

Checklist

• I've followed the contributing guidelines
• I've digitally signed all my commits in this PR
• I've run make pre-commit and confirm it didn't generate any warnings/changes
• I've run make test and I confirm all tests passed locally
• I've added/updated any relevant documentation in the docs/ folder
• I've linked this PR with an open issue
• I've tested and verified that my code works as intended and resolves the issue as described
• I've attached screenshots demonstrating that my code works as intended (if applicable)
• I've checked all other open PRs to avoid submitting duplicate work
• I confirm that the code and comments in this PR are not direct unreviewed outputs of AI
• I confirm that I am the Sole Responsible Author for every line of code, comment, and design decision

[coderabbitai]

Walkthrough

A new SolarWinds Web Help Desk version scanning module is added to Nettacker, consisting of a YAML manifest file that defines an HTTP-based scanning profile and a corresponding documentation entry in the module listing.

Changes

Cohort / File(s)	Summary
Documentation docs/Modules.md	Added new module entry solarwinds_whd_version_scan to the scan modules list.
New Scanning Module nettacker/modules/scan/solarwinds_whd_version.yaml	Introduced new HTTP-based scanning module to detect SolarWinds Web Help Desk version by parsing responses from /helpdesk/WebObjects/Helpdesk.woa endpoint across http/https and ports 80/443, extracting version patterns from response bodies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Suggested labels

new module

Suggested reviewers

• arkid15r
• securestep9

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Title check	✅ Passed	The title 'Add SolarWinds Web Help Desk version detection module' accurately and directly describes the main change: adding a new module (solarwinds_whd_version.yaml) for version detection of SolarWinds Web Help Desk.
Description check	✅ Passed	The pull request description clearly relates to the changeset. It describes adding a version detection module for SolarWinds Web Help Desk with testing evidence provided.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@docs/Modules.md`:
- Line 166: The markdown list item for the new module has a missing closing
single-quote after the bold module name; update the entry containing the symbol
solarwinds_whd_cve_2025_40536_vuln so that the trailing quote is added
immediately after the closing ** (i.e., change the line to include the closing
"'" after **solarwinds_whd_cve_2025_40536_vuln**), restoring proper list
formatting.

In `@nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml`:
- Line 57: The regex in solarwinds_whd_cve_2025_40536.yaml currently only
permits 12_0 through 12_8_7 and omits 12.8.8 (and HF1); update the lookahead
that matches the version token (the pattern currently containing
"?v=12_([0-7]|8_[0-7])_[0-9]+_[0-9]+") so it also accepts 12_8_8 (and subsequent
build identifiers like HF1) — e.g., extend the alternation for the 12_8 branch
to include 8 (or broaden the 8_* range to cover 8_0–8_8) so versions up to and
including 12.8.8 HF1 are matched.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: b94eb70b-b04d-45af-879e-1f63e6a7b71d

📥 Commits

Reviewing files that changed from the base of the PR and between f3776b0 and faf7a59.

📒 Files selected for processing (2)

• docs/Modules.md
• nettacker/modules/vuln/solarwinds_whd_cve_2025_40536.yaml

[sankalp-b1401]

@Aarush289 Why is http and https mapping to port 80 and 443 at the same time? I mean from the image what I can understand, the module gave positive for all the 4 conditions, i think http:443 and https:80 are false positives. Please correct me if I am wrong.

[Aarush289]

I had same doubt initially but since I have done this on a public server so I don't know the configuration exactly so I am not sure about the reason of this behavior but this is something from server side as I have confirmed that the module is not giving false positives by testing using curl

[sankalp-b1401]

BTW, do you have any info about this public server? It's a pretty weird website, I am curious.

[Aarush289]

Not exactly , I just used shodan to get any website using the required service which I needed to scan.

[securestep9]

@Aarush289 @sankalp-b1401 We don't do product version-based CVE modules in Nettacker. Instead you should be providing a version scan module returning the version discovered - check out the "_version" scan modules. On the roadmap we have a map of versions to CVEs. Ping me on Slack if you need further explanation

[Aarush289]

Will take it into consideration and update it

[Aarush289]

@securestep9 I have updated the PR as per the suggestions