How to find security vulnerabilities in Drupal CMS (Content Management System)?
Drupal is the third largest open-source CMS, with a market share of more than 4.5%. Close to a million sites are powered by it, which is more than enough to attract attackers.
If you are using Drupal for your website and are not sure whether it is secure from known vulnerabilities, exposes sensitive information, is misconfigured, etc., then the following tools will help you.
Ready to explore?
Let’s do it.
Droopescan is a Python-based scanner that helps security researchers find basic risks in an installed Drupal site. This small program runs four main checks:
- Plugins (modules) in use
- Themes in use
- Possible core version(s)
- Special URLs (admin, readme, changelog, etc.)
```text
~/droopescan# droopescan scan drupal -u http://bloggerflare.com
[+] No themes found.

[+] Possible interesting urls found:
    Default admin - http://bloggerflare.com/user/login

[+] Possible version(s):
    8.5.0
    8.5.0-alpha1
    8.5.0-beta1
    8.5.0-rc1
    8.5.1
    8.5.2
    8.5.3
    8.5.4
    8.5.5
    8.5.6

[+] No plugins found.

[+] Scan finished (0:03:32.286747 elapsed)
```
As you may have noticed, this is not an online scanner: you have to install Python and clone the code onto your own machine to run the test.
You can scan multiple URLs in one run, and the results are printed to the terminal. Droopescan also works with WordPress, Joomla, Moodle, and SilverStripe, although for WordPress I would recommend the dedicated scanners in this list instead.
The Drupal vulnerability scan by Pentest-Tools is an online scanner that audits your site to find vulnerabilities in plugins, configuration, and core files.
The scan results are well explained, and you have the option to export them as PDF. Running this tool costs 50 credits.
Drupwn is a Python-based utility for enumeration and exploitation against Drupal 7 and 8. You can run it in two modes.
Enumeration mode, which gathers information about the target; its options include:
- Request delay between probes
And exploit mode, which checks for known vulnerabilities.
You can get started by installing it with Python or by using the Docker image.
SUCURI SiteCheck is a general security scanner that quickly tells you whether your Drupal site is infected with known malware, runs outdated software, is blacklisted, or shows common website errors. It is not specific to Drupal, but it is worth running against any Internet-facing site.
SUCURI also provides continuous security for Drupal sites, to both protect and accelerate them.
It offers comprehensive protection against attackers and DDoS attacks for businesses from small to enterprise level.
A free online passive scan that performs the following basic tests.
- Identify the theme, plugins, and iFrames
- Detect the Drupal version and check whether it is vulnerable
- Check whether the URL is blacklisted by Google
- Check whether directory indexing is enabled
It is not a comprehensive test, but it is a good starting point.
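Most of the passive checks in this list (the droopescan probes for version, themes, plugins and interesting URLs above, and the theme/plugin/iFrame, version and directory-indexing checks just listed) come down to fetching a handful of stock paths and pattern-matching the responses. The script below is an added example of doing that yourself; it is not droopescan's code nor any vendor's, and it runs offline against constructed responses. The `min_patched` baseline is an assumed value the caller supplies from the Drupal security advisories, not a claim that any particular release is vulnerable, and the `X-Generator` header, `Generator` meta tag, `CHANGELOG.txt` layout and `form_id` value are the stock Drupal markers it keys on.

```python
"""Passive Drupal fingerprint checks (added example; not droopescan or any vendor's code)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.error import HTTPError, URLError
from urllib.request import Request, urlopen

# A response is (status, headers, body); header names are lower-cased.
Response = Tuple[int, Dict[str, str], str]

# Paths the checks probe: the default admin login droopescan reports above, the
# stock changelog files (Drupal 7 root / Drupal 8 core), and the public files
# directory, which is used here to test for directory indexing.
PROBE_PATHS = ["/", "/user/login", "/CHANGELOG.txt", "/core/CHANGELOG.txt",
               "/sites/default/files/"]

GENERATOR_RE = re.compile(r"Drupal (\d+)")
CHANGELOG_RE = re.compile(r"^Drupal (\d+(?:\.\d+){1,2})", re.M)
META_RE = re.compile(r'<meta\s+name="Generator"\s+content="([^"]*)"', re.I)
LOGIN_RE = re.compile(r'name="form_id"\s+value="user_login(?:_form)?"')
ASSET_RE = re.compile(r"/(?:sites/all/|core/)?(themes|modules)/(?:contrib/|custom/)?([\w-]+)/")
IFRAME_RE = re.compile(r'<iframe[^>]+src="([^"]+)"', re.I)
INDEX_RE = re.compile(r"<title>Index of /", re.I)


def fetch(base_url: str, timeout: float = 10.0) -> Dict[str, Response]:
    """Fetch every probe path over HTTP. Only needed for a live target; analyze()
    works on any dict of the same shape, including the constructed SAMPLE below."""
    out: Dict[str, Response] = {}
    for path in PROBE_PATHS:
        req = Request(base_url.rstrip("/") + path,
                      headers={"User-Agent": "drupal-passive-check/0.1"})
        try:
            with urlopen(req, timeout=timeout) as r:
                hdrs = {k.lower(): v for k, v in r.headers.items()}
                out[path] = (r.status, hdrs, r.read(200_000).decode("utf-8", "replace"))
        except HTTPError as e:
            out[path] = (e.code, {k.lower(): v for k, v in e.headers.items()}, "")
        except URLError:
            out[path] = (0, {}, "")
    return out


def parse_version(v: str) -> Tuple[int, ...]:
    return tuple(int(p) for p in v.split("."))


def analyze(responses: Dict[str, Response], min_patched: Optional[str] = None) -> dict:
    """Run the passive checks. min_patched is a baseline the caller takes from the
    Drupal security advisories; any disclosed version older than it is flagged.
    Nothing here hard-codes a version as vulnerable."""
    findings: List[str] = []
    major: Optional[int] = None
    version: Optional[str] = None

    st, hdrs, body = responses.get("/", (0, {}, ""))
    meta = META_RE.search(body)
    for banner in (hdrs.get("x-generator", ""), meta.group(1) if meta else ""):
        m = GENERATOR_RE.search(banner)
        if m:
            major = int(m.group(1))
            findings.append(f"Generator banner discloses Drupal {major}")
            break

    # Theme/module names leak through asset paths; iFrames are listed as-is.
    themes = sorted({n for kind, n in ASSET_RE.findall(body) if kind == "themes"})
    modules = sorted({n for kind, n in ASSET_RE.findall(body) if kind == "modules"})
    iframes = IFRAME_RE.findall(body)

    for path in ("/CHANGELOG.txt", "/core/CHANGELOG.txt"):
        st, _, txt = responses.get(path, (0, {}, ""))
        m = CHANGELOG_RE.search(txt) if st == 200 else None
        if m:
            version = m.group(1)
            findings.append(f"{path} is world-readable and discloses Drupal {version}")
            break

    st, _, txt = responses.get("/user/login", (0, {}, ""))
    if st == 200 and LOGIN_RE.search(txt):
        findings.append("Default admin login form at /user/login is reachable")

    for path, (st, _, txt) in responses.items():
        if st == 200 and INDEX_RE.search(txt):
            findings.append(f"Directory indexing is enabled at {path}")

    outdated: Optional[bool] = None
    if version and min_patched:
        outdated = parse_version(version) < parse_version(min_patched)
        if outdated:
            findings.append(f"Drupal {version} is older than the {min_patched} baseline; "
                            "check the security advisories for that release line")

    return {"major": major, "version": version, "themes": themes, "modules": modules,
            "iframes": iframes, "outdated": outdated, "findings": findings}


# Constructed responses standing in for a live site; not real scan output.
SAMPLE: Dict[str, Response] = {
    "/": (200, {"x-generator": "Drupal 7 (http://drupal.org)"},
          '<html><head><meta name="Generator" content="Drupal 7 (http://drupal.org)" />'
          '<link rel="stylesheet" href="/sites/all/themes/bartik/css/style.css" />'
          '<script src="/sites/all/modules/views/js/ajax_view.js"></script></head>'
          '<body><iframe src="https://example.com/widget"></iframe></body></html>'),
    "/user/login": (200, {}, '<form action="/user/login"><input type="hidden" '
                             'name="form_id" value="user_login" /></form>'),
    "/CHANGELOG.txt": (200, {"content-type": "text/plain"},
                       "Drupal 7.59, 2018-04-25\n-----------------------\n- Fixed security issues.\n"),
    "/core/CHANGELOG.txt": (404, {}, ""),
    "/sites/default/files/": (200, {}, "<html><head><title>Index of /sites/default/files"
                                       "</title></head></html>"),
}

if __name__ == "__main__":
    # "7.60" is an arbitrary example baseline, not a statement about 7.59.
    for line in analyze(SAMPLE, min_patched="7.60")["findings"]:
        print("[+]", line)
```

Against a live site you would call `analyze(fetch("https://example.org"), min_patched="...")` with a baseline read from the current Drupal security advisories; the checks are read-only GET requests, so run them only against sites you are authorized to test.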
Acunetix is an enterprise-ready, cloud-based scanner that detects vulnerabilities in CMSs including Drupal. It tests for the OWASP Top 10 and known web vulnerabilities, covering more than 500 types of attacks.
And if you use Drupal in a large organization where you have to submit compliance reports, you are covered: you can generate PCI DSS, HIPAA, and other regulatory compliance reports from the dashboard.
They offer a 14-day trial, so go ahead and give it a try. You can choose the online scanner, so you don't have to install anything on your server.
Detectify tests for issues including:
- SQL injection
- Cross-site scripting
- MIME sniffing
- Tampering with data in transit
You can get started for FREE and perform a complete website security audit. Check out my previous blog post about getting started with Detectify.
The good thing about Detectify is that you get an actionable report which is easy to follow, so you can mitigate the risks faster.
I hope the tools above help you find security risks in your Drupal site so you can fix them before someone exploits them. Stay secure!