Drupal Scanner
About this tool
Finds Drupal version, modules, theme, and their vulnerabilities. Checks for common Drupal misconfigurations and weak server settings.
This is a custom scanner that implements all the security checks performed by known Drupal scanners such as CMSMap or Droopescan but also adds new security tests on top.
The list of tests performed by the Drupal vulnerability scanner includes:
Fingerprint the Drupal installation
Find installed Drupal modules
Find the current Drupal theme
Search for vulnerabilities affecting the current Drupal version
Check for directory listing
Search for default install files
Verify the communication security (HTTPS settings)
Attempt user enumeration using Views module
Attempt user discovery using Forgot Password
Check if the login page is accessible
Check if user registration is enabled
The scan is performed remotely, without authentication, in a black-box manner. This simulates an external attacker who tries to penetrate the target website.
However, no harmful actions are performed and all identified problems are presented in the final report.
Parameters
Target URL: This is the URL of the Drupal website that will be scanned. All URLs must start with http or https.
Don't forget to specify the complete path to the base directory of the Drupal installation (if exists). Ex. http://targetdrupal.com/path/.
How it works
The scanner performs a series of passive and active checks to identify the Drupal version, modules, themes, and the current system configuration.
Furthermore, the Drupal core vulnerabilities are extracted from a local database which is periodically updated with the latest vulnerabilities which affect Drupal. The vulnerabilities are reported according to the identified Drupal version.