This site is the archived OWASP Foundation Wiki and is no longer accepting Account Requests.
To view the new OWASP Foundation website, please visit https://owasp.org

Difference between revisions of "OWASP Wordpress Vulnerability Scanner Project"

From OWASP
Jump to: navigation, search
(Road Map and Getting Involved)
(Current Features)
Line 17: Line 17:
 
The following features are currently available.  
 
The following features are currently available.  
 
* Detect version of wordpress installation
 
* Detect version of wordpress installation
* Detect sensitive file. (eg: readme, database replacing file)
+
* Detect sensitive file. (eg: readme, database replacing file, etc..)
* Detect enabled feature on installation. (eg: multisite enabled, allow registration)
+
* Detect enabled feature on installation. (eg: multisite enabled, allow registration, etc..)
 
* Detect theme name (through passive fingerprinting)
 
* Detect theme name (through passive fingerprinting)
 
* List of installed plugins (through passive fingerprinting)
 
* List of installed plugins (through passive fingerprinting)

Revision as of 06:54, 4 June 2015

OWASP Project Header.jpg

OWASP Wordpress Scanner Project

A wordpress scanner written in PHP, focus on vulnerability assessment and security audit of wordpress installation. Wordpress Scanner allows you to audit the security of your wordpress installation. It performs "black-box" scans.

Description

A Wordpress Scanner written in PHP, focus on vulnerability assessment and security audit of misconfiguration in the Wordpress installation. Wordpress Scanner is capable of finding the flaw in the Wordpress installation and will provide the all the information about the vulnerability. Wordpress Scanner is not a tool for code auditing, it performs "black box" scanning for the Wordpress powered web application.

Current Features

The following features are currently available.

  • Detect version of wordpress installation
  • Detect sensitive file. (eg: readme, database replacing file, etc..)
  • Detect enabled feature on installation. (eg: multisite enabled, allow registration, etc..)
  • Detect theme name (through passive fingerprinting)
  • List of installed plugins (through passive fingerprinting)
  • Enumerate Plugins
  • Enumerate Themes
  • Enumerate Users

Resources

Project Leader

Contact Us

Licensing

OWASP Wordpress Scanner is free software: you can redistribute it and/or modify it under the terms of the MIT License.

Classifications

Project Type Files TOOL.jpg
Incubator Project

Requirement

  • PHP >= 5.3
  • PHP cURL Extension
  • PHP JSON Extension
  • PHP OpenSSL Extension (HTTPS Support)

Installation

Q1
A1
Q2
A2

Contributors

  • Mokhdzani Faeq - Multi-thread support for plugin enumeration.
  • Nawawi Jamili - Code Enhancement.
  • Big thanks to WPScan.org team for providing plugin/theme/version vulnerability database - WPScan.org

Road Map

As of now, the priorities are:

  • Rewrite code to be more modular
  • Unit Tests
  • Add Proxy Support
  • Add Web UI
  • Add Password audit support
  • Add custom wordpress directory(wp-content and wp-plugin)
  • Add support for static user agent(currently random)
  • Vulnerability Database (currently using https://wpvulndb.com)
Retrieved from "https://wiki.owasp.org/index.php?title=OWASP_Wordpress_Vulnerability_Scanner_Project&oldid=195759"