
4 Tools to Scan vBulletin for Security Vulnerabilities


Find vulnerabilities in vBulletin community software.

vBulletin is one of the popular community and forum software packages, powering more than 100,000 sites on the Internet. Like any software, vBulletin may be vulnerable if it is not hardened and secured correctly.

As a best practice, you should frequently scan your Internet-facing community to find weaknesses so you can mitigate them before an attacker finds them. There are two ways:

  • Manual – run a security scan periodically.
  • Automatic – use a cloud-based scanner that scans regularly and notifies you whenever a vulnerability is found.

As you can guess, the automatic way sounds better.

Why secure a forum?

One may argue: my business is not the forum. It's just a place for people to talk to each other, raise issues, and so on.

But think about this: your online business has a forum with more than 1 million users. You don't care about its security, and one day someone hacks the forum and leaks all the user details.

The result is embarrassment, reputational damage, and loss of consumer trust.

Let’s explore the tools.

VBScan

A project by OWASP.

VBScan is based on Perl and capable of analyzing vBulletin for vulnerabilities. It includes more than 70 modules to detect the flaws.

Installation is straightforward, and you can use it on any OS.

  • Download the latest version from GitHub
  • Unzip it (if you downloaded the source as a zip file)
  • Go to the folder created by the extraction
  • Make vbscan.pl executable
chmod 755 vbscan.pl

And you are good to go!

root@geekflare:~/vbscan-0.1.8# ./vbscan.pl
  _  _  ____  ___   ___    __    _  _
 ( \/ )(  _ \/ __) / __)  /__\  ( \( )
  \  /  ) _ <\__ \( (__  /(__)\  )  (
   \/  (____/(___/ \___)(__)(__)(_)\_)
		(1337.today)
   
    --=[OWASP VBScan
    +---++---==[Version : 0.1.8
    +---++---==[Update Date : [2018/09/13]
    +---++---==[Author : Mohammad Reza Espargham
    +---++---==[Website : www.reza.es
    --=[Code name : Self Challenge
     @OWASP_VBScan , @rezesp , @OWASP


   Usage: 
 	./vbscan.pl <target>
	./vbscan.pl http://target.com/vbulletin


   Options: 
	./vbscan.pl --help

root@geekflare:~/vbscan-0.1.8#

Updating vbscan is easy.

./vbscan.pl --upgrade

CMSScan

CMSScan is powered by the VBScan tool described above. One advantage it offers is a scheduler, which is great if you are looking for an open-source solution that runs periodically and sends the reports by email.

CMSScan is not limited to vBulletin; it also lets you test WordPress, Joomla, and Drupal.

By default, the web interface listens on port 7070; open it in a browser and you get a page where you enter the URL to be scanned. As the startup log below shows, it binds to 0.0.0.0, that is, all network interfaces, so the scanner UI is reachable from any network that can reach the host on that port.

root@geekflare:~/CMSScan# ./run.sh 
[2019-09-27 19:09:14 +0000] [25590] [INFO] Starting gunicorn 19.9.0
[2019-09-27 19:09:14 +0000] [25590] [INFO] Listening at: http://0.0.0.0:7070 (25590)
[2019-09-27 19:09:14 +0000] [25590] [INFO] Using worker: sync
[2019-09-27 19:09:14 +0000] [25593] [INFO] Booting worker with pid: 25593
[2019-09-27 19:09:14 +0000] [25594] [INFO] Booting worker with pid: 25594
[2019-09-27 19:09:14 +0000] [25595] [INFO] Booting worker with pid: 25595

TLS Scanner

Geekflare TLS Scanner is not specific to vBulletin, but it is essential to make sure TLS and the certificate are set up correctly. You can run the test against your vBulletin site to find out the supported TLS protocols, ciphers, common web vulnerabilities, and certificate details.

There are more SSL/TLS scanners listed here.
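
A minimal version of the certificate and protocol check described above, as an added example that is not part of the original article or of any of the tools it lists. It reports only the protocol negotiated in one handshake rather than every protocol the server supports; the 30-day warning window, the weak-protocol set, the hostname forum.example.com and the sample data are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone

# Assumed policy for this example (not from the article).
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}
EXPIRY_WARN_DAYS = 30

# Constructed sample shaped like fetch_tls_info() output (not a real certificate).
SAMPLE = {"protocol": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
          "cert": {"notAfter": "Jun  1 12:00:00 2030 GMT"}}


def fetch_tls_info(host, port=443, timeout=5.0):
    """Handshake with host:port; return negotiated protocol, cipher and certificate."""
    ctx = ssl.create_default_context()  # validates chain and hostname
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return {"protocol": tls.version(),
                        "cipher": tls.cipher()[0],
                        "cert": tls.getpeercert()}
    except ssl.SSLCertVerificationError as exc:
        # Untrusted chain, hostname mismatch or expired certificate.
        return {"error": f"certificate verification failed: {exc.verify_message}"}


def assess(info, now=None):
    """Return findings for a dict shaped like fetch_tls_info() output."""
    if "error" in info:
        return [info["error"]]
    now = now or datetime.now(timezone.utc)
    findings = []
    # Only the negotiated protocol is visible here; this is not a full enumeration.
    if info["protocol"] in WEAK_PROTOCOLS:
        findings.append(f"weak protocol negotiated: {info['protocol']}")
    # cert_time_to_seconds() parses the notAfter format used by getpeercert().
    expires = datetime.fromtimestamp(
        ssl.cert_time_to_seconds(info["cert"]["notAfter"]), tz=timezone.utc)
    days_left = (expires - now).days
    if days_left < 0:
        findings.append(f"certificate expired {-days_left} days ago")
    elif days_left <= EXPIRY_WARN_DAYS:
        findings.append(f"certificate expires in {days_left} days")
    return findings


if __name__ == "__main__":
    # Offline demo on the constructed sample; for a live check of your own forum
    # use assess(fetch_tls_info("forum.example.com")) with your hostname.
    print(assess(SAMPLE, now=datetime(2030, 5, 20, 12, tzinfo=timezone.utc)))
```

Run from cron, the live form gives a basic expiry alert between full scans.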

Invicti

An enterprise-ready scanner, available as self-hosted or cloud-based.

Invicti can be integrated with development to provide continuous security to small or large websites.

With their proprietary proof-based scanning technology, you can scan vBulletin or entire web applications quickly to get actionable results. It covers a large number of web vulnerabilities, including the OWASP Top 10.

Conclusion

Keeping online assets secure is challenging, and a periodic scan of vBulletin or any other web application is a must so you can mitigate vulnerabilities as soon as they are found. The above tools help you find security flaws, and if you are looking for continuous security protection, you may choose SUCURI Cloud WAF.
