Drupal Vulnerability Scanner

Discover Security Vulnerabilities in Drupal Core Files, Plugins and Configurations

Contents of the Report

Here is what you can expect in Scantrics’ Drupal Vulnerability Scanner report:
Website Scanner

Use Cases for Drupal Vulnerability Scanner

Regularly scan for the latest Drupal security threats with the Drupal Vulnerability Scanner. Prevent major vulnerabilities like Drupalgeddon2 (CVE-2018-7600) and Drupalgeddon3 (CVE-2018-7602) from exposing your software to external attackers.
The Drupal Vulnerability Scanner can check for the latest core and module releases published by Drupal, so that updates can be applied immediately and vulnerabilities present in previous core and module versions are avoided.
The Open Web Application Security Project (OWASP) maintains a list of the top 10 security vulnerabilities on the web. Drupal is engineered to mitigate the risk of each vulnerability on this list and many more. The Drupal Vulnerability Scanner will ensure that sites running on Drupal adhere to the OWASP Top 10 standard.

Technical Details

Drupal is content management software that can be used to create a website or web application. Many people and organizations around the world use Drupal to manage their websites. Drupal is open-source software released under GNU Public License, which means that everyone can download, modify, and customize it based on their needs.

Based on the LAMP stack, Drupal CMS is built with modular capability that allows users to add or remove functionality by installing or uninstalling modules. It also allows the user to decide the design of the website by installing specific themes.

A module consists of PHP, JavaScript, and CSS files that provide its features and functionality. Users can install the modules that suit their purposes.

A theme is a set of files that compose the design/interface of the Drupal website. The theme itself allows users to insert content, such as images and any other asset file for the website.

Because Drupal provides such a large amount of functionality, there can be some drawbacks in terms of security. Most of the time, hackers will try to gather as much information as they can in order to successfully attack a Drupal-based website.

Hence, the Drupal Vulnerability Scanner is a useful tool for any web developer or organization that needs to assess the security of their website. By doing so, the owner of the website can analyze the results and come up with the right countermeasure plan before being attacked.

Here are the tests performed by the Drupal Vulnerability Scanner:

  • Fingerprint the server software and technology
  • Fingerprint the Drupal installation on the web server
  • Detect installed Drupal modules
  • Detect the current Drupal theme
  • Search for vulnerabilities affecting the current Drupal version
  • Check for directory listing
  • Search for default install files such as install.php, install.txt, install.mysql.txt, etc.
  • Verify the encryption of communication security (HTTPS settings)
  • Attempt user enumeration using Views module
  • Attempt user discovery using Forgot Password
  • Check if the login page is accessible
  • Check if user registration is enabled

IMPORTANT: When performing a scan, this tool runs multiple security tests remotely without any kind of authentication in order to simulate a black box testing scenario, which is a popular penetration testing methodology used by hackers. However, no harmful actions are actually performed and all identified problems are presented in the generated report.

How it works

The Drupal Vulnerability Scanner takes a target URL as its input parameter. The URL of the target Drupal website must start with http:// or https:// as the protocol. If one exists, the user should also specify the complete path to the base directory of the Drupal installation.

Upon execution, this tool will perform a large number of passive and active tests against the target to identify the Drupal version, Drupal modules, Drupal themes and the current Drupal system configuration. Drupal vulnerabilities are checked against a database which is periodically updated with the latest vulnerabilities that affect Drupal CMS globally. All identified vulnerabilities are reported according to the detected Drupal version from the scan results.
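
The version-matching step described above, for a site you administer, as an added example that is not Scantrics' code. The function names are hypothetical, the detected version is supplied as a string rather than fingerprinted, and the fixed releases come from Drupal advisories SA-CORE-2018-002 and SA-CORE-2018-004 for the two CVEs named on this page.

```python
from urllib.parse import urlsplit

# Fixed release per branch for the two CVEs named on this page
# (from Drupal advisories SA-CORE-2018-002 and SA-CORE-2018-004).
ADVISORIES = {
    "CVE-2018-7600": {"7": (7, 58), "8.3": (8, 3, 9), "8.4": (8, 4, 6), "8.5": (8, 5, 1)},
    "CVE-2018-7602": {"7": (7, 59), "8.4": (8, 4, 8), "8.5": (8, 5, 3)},
}

def normalize_target(url):
    """Require http:// or https:// and keep the base path of the install."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("target must start with http:// or https://")
    return f"{parts.scheme}://{parts.netloc}{parts.path.rstrip('/')}/"

def parse_version(text):
    """'8.4.5' -> (8, 4, 5); '7.57' -> (7, 57)."""
    return tuple(int(p) for p in text.strip().split("."))

def is_affected(version, fixes):
    """True if `version` predates the fix on its branch."""
    if version[0] == 7:
        return version < fixes["7"]
    if version[0] == 8 and len(version) >= 2:
        branch = f"8.{version[1]}"
        if branch in fixes:
            return version < fixes[branch]
        # 8.x branches older than the oldest patched branch got no fix;
        # newer branches shipped after the fix.
        oldest = min(v[1] for k, v in fixes.items() if k.startswith("8."))
        return version[1] < oldest
    return False  # simplification: other major versions are not covered here

def report(target, detected_version):
    """Build the findings for one target from its detected core version."""
    version = parse_version(detected_version)
    return {
        "target": normalize_target(target),
        "version": detected_version,
        "findings": sorted(c for c, f in ADVISORIES.items() if is_affected(version, f)),
    }

if __name__ == "__main__":
    # Constructed sample input: hypothetical host and versions.
    for v in ("7.57", "8.3.9", "8.5.1", "8.6.0"):
        print(report("https://cms.example.test/drupal", v))
```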
