Overview

The Drupal Scanner identifies vulnerabilities in Drupal installations, including core, modules, and themes. It uses Droopescan technology combined with custom security tests to detect issues specific to the Drupal CMS. The Drupal Scanner is a vulnerability scanner: it actively tests Drupal sites for security weaknesses. It does not add data to your Attack Surface. Identified vulnerabilities are reported as findings.

Supported targets

| Target type | Examples |
| --- | --- |
| URL | https://example.com, https://example.com/drupal/ |

Provide the complete path to the Drupal installation. If Drupal is installed in a subdirectory (e.g., /drupal/), include it in the URL.

Tests performed

The Drupal Scanner runs all tests in a single scan. There are no scan mode options.
| Test | Description |
| --- | --- |
| Server Fingerprinting | Identifies web server software, technology stack, and operating system |
| Drupal Fingerprinting | Detects Drupal version using Droopescan and fingerprinting techniques |
| Drupal Core Vulnerabilities | Checks detected version against CVE databases for known vulnerabilities |
| Module Enumeration | Discovers installed Drupal modules by analyzing page links and directory structure |
| Theme Detection | Identifies the current Drupal theme from page source and settings |
| Directory Listing | Checks if modules and files directories expose file listings |
| User Enumeration (Views) | Attempts to enumerate users via the Views module autocomplete vulnerability |
| User Discovery (Forgot Password) | Tests if usernames can be discovered via the Forgot Password form |
| Login Page Detection | Checks if the login page is publicly accessible |
| Secure Communication | Verifies HTTPS usage and SSL/TLS certificate validity |
| Install Files Detection | Searches for exposed default installation files (CHANGELOG.txt, INSTALL.txt, etc.) |
| User Registration Check | Tests if public user registration is enabled |

Test details

Server fingerprinting

Identifies the web server software (Apache, Nginx), technology stack (PHP version), and operating system. This information helps attackers identify potential vulnerabilities.

Drupal fingerprinting

Uses Droopescan to detect the exact Drupal version. Version detection is needed to identify applicable vulnerabilities.

Drupal core vulnerabilities

Cross-references the detected Drupal version against CVE databases to identify known vulnerabilities. Findings include:
  • CVE identifiers with links
  • CVSS scores
  • EPSS scores and percentiles
  • Vulnerability summaries
  • Available exploits (if any)
Vulnerability detection is version-based. The scanner identifies the Drupal version and matches it against known vulnerabilities. Since vulnerabilities are discovered using version-based testing only, the risk level for findings will not exceed ‘high’ severity.
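The two rules above (match the detected version against advisory ranges, then cap the reported severity because the evidence is version-based only) are easy to get subtly wrong, so here is a worked implementation. This is an added example, not the scanner's own code: the affected ranges are taken from the public Drupal security advisories for the three CVEs this page names (unsupported 8.0-8.2 branches omitted), and the CVSS scores are sample values; a real scanner reads both from its CVE feed rather than hard-coding them.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Illustrative advisory table (hard-coded for the example only).
# Each range is [first affected, first fixed) on one release branch.
ADVISORIES: List[Dict] = [
    {"cve": "CVE-2014-3704", "name": "Drupalgeddon", "cvss": 7.5,
     "ranges": [("7.0", "7.32")]},
    {"cve": "CVE-2018-7600", "name": "Drupalgeddon 2", "cvss": 9.8,
     "ranges": [("7.0", "7.58"), ("8.3.0", "8.3.9"),
                ("8.4.0", "8.4.6"), ("8.5.0", "8.5.1")]},
    {"cve": "CVE-2018-7602", "name": "Drupalgeddon 3", "cvss": 9.8,
     "ranges": [("7.0", "7.59"), ("8.4.0", "8.4.8"), ("8.5.0", "8.5.3")]},
]

SEVERITY_ORDER = ["none", "low", "medium", "high", "critical"]


def parse_version(text: str) -> Optional[Version]:
    """Turn '7.58' or '8.5.1' into a zero-padded (major, minor, patch) tuple."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        return None
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def is_affected(version: Version, ranges) -> bool:
    """True when the version falls inside any [affected, fixed) branch range."""
    for lo, hi in ranges:
        if parse_version(lo) <= version < parse_version(hi):
            return True
    return False


def cvss_severity(score: float) -> str:
    """Standard CVSS v3 qualitative buckets."""
    if score >= 9.0:
        return "critical"
    if score >= 7.0:
        return "high"
    if score >= 4.0:
        return "medium"
    if score > 0.0:
        return "low"
    return "none"


def cap_severity(severity: str, ceiling: str = "high") -> str:
    """Version-based evidence only: never report above the ceiling."""
    if SEVERITY_ORDER.index(severity) > SEVERITY_ORDER.index(ceiling):
        return ceiling
    return severity


def version_findings(detected: str) -> List[Dict]:
    """Findings for a detected version string, with the capped severity."""
    version = parse_version(detected)
    if version is None:
        return []
    findings = []
    for adv in ADVISORIES:
        if is_affected(version, adv["ranges"]):
            raw = cvss_severity(adv["cvss"])
            findings.append({
                "cve": adv["cve"], "name": adv["name"], "cvss": adv["cvss"],
                "cvss_severity": raw,
                "reported_severity": cap_severity(raw),
                "evidence": f"version-based: detected Drupal {detected}",
            })
    return findings


if __name__ == "__main__":
    for f in version_findings("7.57"):
        print(f["cve"], f["name"], f["cvss_severity"], "->", f["reported_severity"])
```

Note that a site on 7.57 matches both 2018 CVEs at CVSS 9.8, yet both are reported as "high": the cap reflects that nothing has confirmed the flaw is actually reachable, only that the version string says it should be.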

Module enumeration

Discovers installed Drupal modules by:
  • Analyzing page HTML for module references
  • Parsing Drupal.settings JavaScript object
  • Checking module directory listings
  • Validating module paths via CHANGELOG.txt, README.txt, LICENSE.txt

Theme detection

Identifies the active Drupal theme from:
  • ajaxPageState.theme in Drupal.settings
  • Theme references in page links
  • Theme paths in raw HTML
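Module enumeration and theme detection, as described in the two sections above, both come down to reading one anonymous page view: the drupalSettings JSON blob (ajaxPageState.theme) plus any asset paths that reveal a module or theme directory. The following is an added example of that parsing, written here for this page and not taken from the scanner or from Droopescan. The sample HTML is constructed, modelled on the markup a Drupal 8+ site emits, and the module and theme names in it are invented; the settings-script regex assumes the standard data-drupal-selector="drupal-settings-json" attribute.

```python
import json
import re
from typing import Dict, List, Optional

# Constructed sample page (invented module/theme names).
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<link rel="stylesheet" href="/core/themes/olivero/css/base.css?v=10.1" />
<link rel="stylesheet" href="/sites/default/files/css/css_abc.css" />
<script type="application/json" data-drupal-selector="drupal-settings-json">
{"path":{"baseUrl":"/"},
 "ajaxPageState":{"libraryInfo":{},"theme":"olivero","theme_token":null},
 "user":{"uid":0}}
</script>
</head><body>
<script src="/modules/contrib/webform/js/webform.form.js?v=6.2"></script>
<script src="/sites/all/modules/views/js/base.js"></script>
<img src="/themes/custom/corp_theme/logo.svg" alt="" />
</body></html>"""

SETTINGS_RE = re.compile(
    r'<script[^>]*data-drupal-selector="drupal-settings-json"[^>]*>(.*?)</script>',
    re.S)
# Module assets live under /modules/{contrib,custom}/NAME/ (Drupal 8+) or
# /sites/all/modules/NAME/ (Drupal 7); themes under /core/themes/NAME/,
# /themes/{contrib,custom}/NAME/ or /sites/all/themes/NAME/.
MODULE_PATH_RE = re.compile(
    r'/(?:sites/all/modules|modules(?:/contrib|/custom)?)/([A-Za-z0-9_]+)/')
THEME_PATH_RE = re.compile(
    r'/(?:core/themes|sites/all/themes|themes(?:/contrib|/custom)?)/([A-Za-z0-9_]+)/')


def drupal_settings(html: str) -> Dict:
    """Return the parsed drupalSettings JSON blob, or {} if absent or invalid."""
    m = SETTINGS_RE.search(html)
    if not m:
        return {}
    try:
        return json.loads(m.group(1))
    except json.JSONDecodeError:
        return {}


def active_theme(html: str) -> Optional[str]:
    """ajaxPageState.theme names the theme that rendered the page."""
    return drupal_settings(html).get("ajaxPageState", {}).get("theme")


def module_candidates(html: str) -> List[str]:
    """Module names implied by asset paths; deduplicated and sorted."""
    return sorted(set(MODULE_PATH_RE.findall(html)))


def theme_candidates(html: str) -> List[str]:
    """Theme names implied by asset paths (active theme plus any others referenced)."""
    return sorted(set(THEME_PATH_RE.findall(html)))


def component_exposure(html: str) -> Dict:
    """What one anonymous page view tells an observer about installed components."""
    return {"active_theme": active_theme(html),
            "modules": module_candidates(html),
            "themes": theme_candidates(html)}


if __name__ == "__main__":
    print(component_exposure(SAMPLE_HTML))
```

Running this over your own front page shows exactly which component names leak before any directory or CHANGELOG.txt probe is needed; asset aggregation and a custom asset path reduce that list but do not remove the drupalSettings theme name.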

Directory listing

Checks for exposed directory listings in:
  • /sites/all/modules/: modules directory
  • /sites/default/files/: files directory
Directory listing exposes file structure and potentially sensitive files.

User enumeration (Views module)

Tests the Views module autocomplete vulnerability that allows extracting usernames via:
/admin/views/ajax/autocomplete/user/{letter}
This vulnerability can reveal all Drupal usernames, including the super user account.

User discovery (Forgot Password)

Tests if the Forgot Password form reveals whether a username exists by checking error messages for explicit “username not recognized” responses.

Login page detection

Checks if the login page (?q=user/login) is publicly accessible. An exposed login page enables brute-force attacks.

Secure communication

Verifies:
  • HTTPS is used for communication
  • SSL/TLS certificate is valid and trusted
  • No certificate errors

Install files detection

Searches for default Drupal installation files that reveal version information:
  • install.php
  • CHANGELOG.txt
  • INSTALL.txt
  • INSTALL.mysql.txt
  • INSTALL.pgsql.txt
  • LICENSE.txt
  • MAINTAINERS.txt
  • UPGRADE.txt
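For verifying on a site you administer that the directory listing and install file findings above are fixed (and that the checks are not fooled by a "page not found" page served with HTTP 200), here is a self-audit script. It is an added example, not the scanner's own code; the fetch function is injectable so the demo runs offline against constructed responses, and http_fetch (using only urllib from the standard library) is the assumed real fetcher. The CHANGELOG.txt version regex assumes the Drupal 7 layout where the file opens with a line such as "Drupal 7.58, 2018-03-28".

```python
import re
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple

Fetch = Callable[[str], Tuple[int, str]]   # path -> (HTTP status, body)

INSTALL_FILES = ["install.php", "CHANGELOG.txt", "INSTALL.txt", "INSTALL.mysql.txt",
                 "INSTALL.pgsql.txt", "LICENSE.txt", "MAINTAINERS.txt", "UPGRADE.txt"]
LISTING_DIRS = ["/sites/all/modules/", "/sites/default/files/"]

CHANGELOG_VERSION_RE = re.compile(r"^Drupal (\d+\.\d+(?:\.\d+)?)", re.M)
LISTING_RE = re.compile(r"<title>\s*Index of /|Parent Directory", re.I)
LISTING_ENTRY_RE = re.compile(r'href="([^"?/][^"]*)"')


def looks_like_html(body: str) -> bool:
    head = body[:512].lower()
    return "<html" in head or "<!doctype html" in head


def check_install_files(fetch: Fetch) -> List[Dict]:
    """Default files that answer 200 with real content; soft-404 HTML is ignored."""
    findings = []
    for name in INSTALL_FILES:
        path = "/" + name
        status, body = fetch(path)
        if status != 200:
            continue
        if name.endswith(".txt") and looks_like_html(body):
            continue  # a 200 "page not found" page, not the text file
        m = CHANGELOG_VERSION_RE.search(body) if name == "CHANGELOG.txt" else None
        findings.append({"path": path, "version": m.group(1) if m else None})
    return findings


def check_directory_listings(fetch: Fetch) -> List[Dict]:
    """Directories that return an autoindex page, with the entries they expose."""
    findings = []
    for d in LISTING_DIRS:
        status, body = fetch(d)
        if status == 200 and LISTING_RE.search(body):
            entries = [e for e in LISTING_ENTRY_RE.findall(body) if not e.startswith("..")]
            findings.append({"path": d, "entries": entries})
    return findings


def audit(fetch: Fetch) -> Dict:
    files = check_install_files(fetch)
    versions = [f["version"] for f in files if f["version"]]
    return {"install_files": files,
            "listings": check_directory_listings(fetch),
            "version": versions[0] if versions else None}


def http_fetch(base_url: str, timeout: float = 10.0) -> Fetch:
    """Real fetcher for a site you administer; not used by the offline demo."""
    def fetch(path: str) -> Tuple[int, str]:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "drupal-self-audit"})
        try:
            with urllib.request.urlopen(req, timeout=timeout) as resp:
                return resp.status, resp.read(65536).decode("utf-8", "replace")
        except urllib.error.HTTPError as err:
            return err.code, ""
    return fetch


# Constructed responses standing in for a site: an exposed changelog, a soft 404,
# a readable licence, an open modules directory and a locked-down files directory.
FAKE_SITE = {
    "/CHANGELOG.txt": (200, "Drupal 7.58, 2018-03-28\n-----------------------\n"
                            "- Fixed security issues (multiple vulnerabilities).\n"),
    "/INSTALL.txt": (200, "<!DOCTYPE html><html><head><title>Page not found</title></head></html>"),
    "/LICENSE.txt": (200, "GNU GENERAL PUBLIC LICENSE\nVersion 2, June 1991\n"),
    "/sites/all/modules/": (200, '<html><head><title>Index of /sites/all/modules/</title></head>'
                                 '<body><a href="../">Parent Directory</a>'
                                 '<a href="views/">views/</a><a href="ctools/">ctools/</a></body></html>'),
    "/sites/default/files/": (403, "Forbidden"),
}


def fake_fetch(path: str) -> Tuple[int, str]:
    return FAKE_SITE.get(path, (404, "Not Found"))


if __name__ == "__main__":
    print(audit(fake_fetch))
```

After applying the follow-up actions (deleting the default files and turning off autoindex), a clean result is an empty install_files list, an empty listings list and version None; swap fake_fetch for http_fetch("https://your-site.example") to run it against a real host.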

User registration check

Tests if public user registration is enabled (?q=user/register), which could allow attackers to create accounts.

Notable Drupal vulnerabilities

| Vulnerability | CVE | Impact |
| --- | --- | --- |
| Drupalgeddon | CVE-2014-3704 | SQL injection leading to RCE |
| Drupalgeddon 2 | CVE-2018-7600 | Remote code execution |
| Drupalgeddon 3 | CVE-2018-7602 | Remote code execution |

Drupalgeddon vulnerabilities allow complete site takeover. Affected Drupal versions must be updated immediately.

How it works

The Drupal Scanner works in these steps:
  1. Server fingerprinting: Identifies web server, technology, and OS
  2. Drupal detection: Confirms Drupal installation and determines version
  3. Vulnerability lookup: Cross-references version against CVE databases
  4. Component discovery: Enumerates modules and identifies the active theme
  5. Security checks: Tests for misconfigurations and exposed functionality
  6. Reporting: Generates findings with CVE details, CVSS/EPSS scores, and remediation guidance
The scanner uses Droopescan for version detection and implements additional custom security tests.

Follow-up actions

After identifying vulnerabilities:
  • Update Drupal core: Apply security patches immediately, especially for Drupalgeddon-class vulnerabilities
  • Update modules: Keep all installed modules updated to latest versions
  • Remove unused modules: Delete modules that are not actively used
  • Remove install files: Delete CHANGELOG.txt, INSTALL.txt, and other default files
  • Disable user registration: If not needed, disable public user registration
  • Restrict login access: Consider IP-based restrictions on the login page
  • Enable HTTPS: Ensure all communication uses HTTPS with valid certificates
  • Scan the web application: Run Website Scanner for full web application testing
  • Schedule regular scans: Set up Scheduled scans for continuous monitoring