Drupal Scanner

July 28, 2013, by | Start Discussion

CMS – What’s the Fuss all About?

A Content Management System makes your life easy. It makes the online presence of your business more accessible and hence the probability of the success of your business soars higher. Incredibly, if you are unfamiliar with CMSes, the best part is, you need not be a nerdy, high-tech web developer to give this touch of virtuality to your ideas and convert them to online reality. You need not have your armour flooding with all sorts of programming and impressive and crisp UI design skills. Neither do you need to have those ‘super-natural’ scripting and back-end management skills. So that’s the power you get when you use a CMS for you websites. All that you need is some anciently basic idea about creating websites and you are absolutely ready to go and get it done.And what more, you have different flavours to choose from. So depending on your requirements and taste you can go for any of the three major CMSes out there, viz. WordPress, Joomla or Drupal.

OK…What’s the Catch!

But, like all interesting stories, this one too has a catch. “With great power comes great responsibility”. These CMSes have their own guidelines for secure implementation to safeguard the integrity, confidentiality and availability of your websites. WordPress and Joomla have their flaws and to deal with them, they have their standard counter attack tools in place. We have Wpscan and Joomscan for WordPress and Joomla respectively, that can be used to scan websites built on these CMSes for security issues and do the needful to reduce the risk and diminish the impact of the threat.

As of people who find their taste satisfied by Drupal, they might not be much in luck on these lines, as there is no such tool out there, (at least not one that you can find free of cost, and accept it, everyone likes free stuff) that can take care of your Drupal powered websites as their WordPress and Joomla counterparts do.

The Inception

Enter the idea of creating one such tiny little tool that can be handy enough to just find out that exact detail about your Drupal powered websites tool that could be your compass to guide you to a more secure version of your websites. And what better than making use of an already freely available web application security tool to start off with this project. Thus it was decided that IronWasp shall be the mother for this Drupal security scanner, which for now we will term as DrupScan to bein phonetic sync with its counterparts. So effectively, once the tool gets made and is available, it can be easily accessed as yet another module of IronWasp. So put yet more simply, you download IronWasp and you know how to access its different modules, that’s it. You know how to ensure better security for your Drupal powered websites.

For once, please be crapless!

DrupScan is based on a very obvious and simple idea. The idea to identify the version of a specific module installed on the Drupal powered website and find thus if the website is secure or not. The CVE ids database has a comprehensive list of all the different vulnerabilities present in the different versions of the different modules that are there for a Drupal site. So, if for example, the website makes use of the ‘views’ module, and the scanner identifies that the version of the “view” module being used by the website is say ‘X.x’ and not ‘Y.y’ Now the CVE ids database holds the following details about version “X.x” of the “views” module: – “Vulnerable to XSS and SQLi” and the following about the next version, “Y.y”:- “No vulnerabilities found”. So now the scanner just looks up for the details available for the module and it’s specific version in question in the CVE ids database and thus decides if the website in question is vulnerable or not. Using this simple and obvious technique saves a lot of time as the web application does not really need to be tested for security vulnerabilities from the scratch. We simply make use of the information that is already readily available as the result of intensive research. Thusefficiently delivering the required solution.

The Technology and Progress so far

The scanner itself since is powered by IronWasp, makes use of all the APIs made available by IronWasp. It is majorly being written in IronPython, again something that has full-fledged interactive learning support through the scripting engine of IronWasp. So far a proof of concept is available for the DrupScan which works on the same principle as explained above. The exact function names that do the respective jobs are listed down. (For details the function definitions please refer the script itself).

The processing starts from the main function named runAsMain().

  1. Simply takes up 2 versions of a specific module, say ver1 and ver2.
  2. It lists out all the files in these 2 versions, finds the difference between the 2 file listings.

Taken care by passDirPath(), fileLookUp(), dictComp(), createDic():-

passDirPath():- For the proof of concept 2 instances of the same Drupal site are installed on to the localhost. On one of the instances an older and vulnerable version of a specific module, say the “views” module, is installed and on the other instance a newer and patched version of the same module is installed. So correspondingly in the respective paths directories and files are created accordingly. These two paths are passed to the function passDirPath().

fileLookUp():- is a recursive function. It recursively checks all the folders for any files present in it. Each of the files are taken and their hash is calculated. Now each of these hashes along with their corresponding fileis stored in a temp file.

dictComp():- this function takes 2 text files as input. These 2 text files contain the list of all the files present in the 2 versions of the folder. IT DOES NOT MATTER WHAT ORDER IS THE CONTENT OF THESE TWO FILES IN. As long as the contents of these    2 text files is in the format “file_path/file_name t hash_key”, it does not matter in which order is the contents being listed in the 2 text files. And finally it finds out the difference between the files and prints out the differences in a text file called dicDiff.txt

createDic():- is a helping function for dictComp(). This function simply creates a dictionary or list and returns the same.

  1. Then sees which of these files (that were found to be different) are publicly accessible.
  2. Stores these publicly accessible files in a db.

Taken care by publicAccessFiles() and requestor():-

publicAccessFiles():– Send re-quests for these files present in dicDiff.txt to the 2 instances, con-taining the 2 versions of the module, on the localhost. Depending on the response code we decide if a partic¬ular file is publicly accessible or not. And we populate the PUBLIC_ACCESS database table with the respective details. Later we make use of this table to determine what version of the module the live site is running. The database used is SQLite.

requestor():- is a helping function. It simply frames and sends the re¬quired requests and returns the re¬sponse code in case the requestor method is called with a third param¬eter as “True”, it would indicate that the body of the reponse also needs to be saved.

  1. Say after all this the db contains 5 files, viz, a,b,c, d and e with its respective hash.
  2. Now when doing a scan on a live site, a request is sent for each of these files to the live site.
  3. If there is a success response, the hash of the received file is calculatedand it is compared against the hash in the db.
  4. Depending on this the status of the site is reported.

Taken care by liveVersionScan().

liveVersionScan():
– This function now makes use of the database of the publicly accessible files created by the publicAccessFiles(), and sends a request for same to the live site that needs to be scanned for its version. liveVersionScan() is aided by the helping function requestor().

Thus the above are the major tasks that are currently being taken care of by the proof of concept scanner so far.

Ok. That’s Enough.Shut up! I’ll see if I am interested.

A lot more work still needs to be done. Majorly incorporating support for as many modules as possible is one of the major parts that still needs to be completed. The scanner as of now focuses only on Drupal 7.x. Later as the project matures other Drupal versions may also be included. There are a lot of interesting challenges that we have at our hand to solve and that is where community support is needed for people with interest and expertise to contribute.

Final words

The scanner on completion can help pin pointedly highlight the security issues with a Drupal powered website and of course will be a completing part in the group of similar scanners :- WpScan, JoomScan and then why not DrupScan.

 

Author bio not avialable

Leave a Reply