Link Search Menu Expand Document



File modes

This check ensures that modules are not marked executable. A module is only called by the framework and not directly. The correct file mode is 0644, which will ensure that other users are only able to read the file, and that the current user is only able to read and write the file, not execute it.


A module should not have a Shebang line.


Modules should not rely on the Nokogiri GEM. Please use REXML instead.

Invalid Formats


CVE references should be in the format YYYY-NNNN


BID references should only contain numbers


OSVDB references should be in the format MSddd-ddd (d = digit)


Milw0rm references are no longer supported (site suspended)


EDB references should only contain numbers


US-CERT references should only contain numbers


ZDI references should be in the format dd-ddd or dd-dddd (d = digit)


If you supply an URL where a short identifier is available, please use the identifier.

Old Keywords

Before Metasploit moved to Github the sources were stored in a SVN repository. SVN has support to replace custom variables with current values like the last revision. Since GIT does not support them, the references should be removed from code.


You should not define a VERBOSE option in your module. A VERBOSE option is already provided by the framework. To make use of the VERBOSE setting, you can use methods like vprint_status and vprint_error


This checks looks for bad characters in the module title. If you encounter this error, please replace the characters.

File Extension

All modules should have a .rb file extension to be loaded by the framework.

Old Rubies

This check checks the file for syntax errors with old Ruby versions. By default this check will not run. To execute this check you need to set the environment variable MSF_CHECK_OLD_RUBIES.


This check ensures you added the correct Exploit Ranking to your module.

Disclosure Date

Date format needs to be Month Day, YYYY. Example: Jan 01, 2014

Title Casing

This check ensures you used the correct case in your title.

Bad Terms

This checks for the correct use of the terms Stack Buffer overflow and Stack Exhaustion. See “Stack exhaustion” vs “Stack buffer overflow” for more information.

Function Arguments

If you define a function which defines a lot of input arguments, the check ensures you use a hash instead.

Line Check


Your module must not contain Unicode characters.

Spaces at EOL

Your module must not contain spaces at the end of a line.

Mixed Tab Spaces

Your module contains Tabs and Spaces in one line. Only spaces should be used


Your module should not use tabs for intending code. Please use spaces instead.

Carriage return

The specified line only contains a carriage return (\r) at the end of line. Please change to a normal linebreak (\n or \r\n).

You used a call without specifying a binary mode???


You used the load command in your module. This is not required since the framework loads all necessary files for you.


Modules should not write directly to stdout. Please use the print_* functions instead.

Modified datastore

Datastore options (options set by the user) should not be modified in code. If you need to change some values use local variables instead.

The Set-Cookie header should not be parsed by your code. You can use the API call res.get_cookies insteady which already handles some special cases and ensures a clean header.

Auxiliary Rand

Auxiliary modules should have no Rank. Only Exploits and Payloads should have a Rank attribute.

Snake Case

This check ensures your module filename is in Snake Case

Old License

This check checks for the old Metasploit license in the module header. You can use the tool ruby tools/dev/resplat.rb <filename> to convert the file.

VULN Codes

This check ensures only known CheckCodes are returned by the check function.


When using send_request_cgi or send_request_raw the URL supplied should not contain GET Parameter. Please provide the Parameter via the vars_get hash.


res = send_request_raw({
  'uri' => uri_base + '/upload.php?type=file&folder=' + folder


res = send_request_raw({
  'uri' => uri_base + '/upload.php',
  'vars_get' => {
    'type' => 'file',
    'folder' => folder