How to find security vulnerabilities in Drupal CMS (Content Management System)?

Drupal is the third-largest open-source CMS used with a market share of more than 4.5%. There are close to a million sites powered by them, which is more than enough to attract an attacker and hacker.

If you are using Drupal for your website and not sure if it is secure from known vulnerabilities, doesn’t expose the sensitive information, having misconfiguration, etc. then the following tools will help you.

Ready to explore?

Let’s do it.

Droopescan

Droopescan is a python based scanner to help security researcher to find basic risk in the installed version of Drupal. There are the following four main checks done by this tiny program.

  1. Plugins
  2. Themes
  3. Versions
  4. Special URL (admin, readme, changelog, etc.)
[email protected]:~/droopescan# droopescan scan drupal -u http://bloggerflare.com
[+] No themes found.                                                            
[+] Possible interesting urls found:
    Default admin - http://bloggerflare.com/user/login
[+] Possible version(s):
    8.5.0
    8.5.0-alpha1
    8.5.0-beta1
    8.5.0-rc1
    8.5.1
    8.5.2
    8.5.3
    8.5.4
    8.5.5
    8.5.6
[+] No plugins found.
[+] Scan finished (0:03:32.286747 elapsed)

You might have realized; this is not an online scanner, so you got to install the Python and clone the code on your server to run the test.

You can perform a test on multiple URL’s simultaneously, and results are shown on the terminal. Droopescan can also work with WordPress, Joomla, Moodle, and SilverStripe. But for WordPress, I would recommend checking this list of the scanner.

Pentest-Tools

Drupal vulnerability scan by Pentest-Tools is an online scanner where you can audit your site security to find out vulnerabilities in plugins, configuration, and core files.

The scan results are well explained, and you have an option to get it in PDF format. You require 50 credits to run this tool.

Drupwn

A python-based utility to perform enumeration and exploitation against Drupal 6 and 8 versions. You can run Drupwn in two modes.

Enumeration to check the following.

  • Cookies
  • User-agent
  • Logging
  • User
  • Node
  • Module
  • Theme
  • Request delay

And, exploit mode to check vulnerabilities.

You can get it started by installing using Python or Docker image.

SUCURI

SUCURI SiteCheck is a general security scanner to quickly find out if your Drupal site is infected with known malware, having an out-dated software, blacklisted, and popular website error. Nothing specific to Drupal but worth scanning any Internet site.

SUCURI also provides continuous security for Drupal sites to protect and accelerate.

Its comprehensive protection against attacker/hacker, DDoS attacks for small to enterprise-level of business.

Hacker Target

A free online passive scan to perform the basic test on the following.

  • Identify theme,  plugins and iFrame
  • Show client-side JavaScript files
  • Depetect Drupal version and check if that is vulnerable
  • Check if URL is blacklisted by Google
  • Check if directory indexing is enabled

It’s not the comprehensive test but good to start with.

Acunetix

An enterprise-ready cloud-based scanner to detect vulnerabilities in CMS, including Drupal. Acunetix detects the security risk against OWASP top 10 and known online vulnerabilities with more than 500 types of attacks.

And, if you are using Drupal in a big organization where you have to submit the compliance report, then you are covered. You can generate PCI DSS, HIPAA, etc. regulatory compliance reports from their dashboard.

They offer 14-days trial, so go ahead and give a try. You can choose their online scanner, so you don’t have to install anything on your server.

Sqreen

Sqreen scanner is not exactly targetted for Drupal but applicable to any modern application or online store to find some of the following common vulnerabilities attacks.

  • SQL injection
  • Cross-site scripting
  • MIME sniffing
  • Tampering data in a communication
  • Clickjacking
  • DDoS

Detectify

Test for over 1000 vulnerabilities with Detectify. Not just Drupal, but you can test other platforms (WordPress, Joomla, JavaScript, PHP, etc.) too.

You can get it started in FREE to perform a complete website security audit. Check out my previous blog post about getting started with Detectify.

The good thing about Detectify is, you get an actionable report which is easy to follow to mitigate the risk faster.

I hope the above tools help you find security risk in your Drupal site so you can fix it before someone misuses it. Stay secured!