OWASP Joomla! Vulnerability Scanner

OWASP Joomla! (CMS)
Vulnerability Scanner
Project Flyer
OWASP
Aung Khant
YGN Ethical Hacker Group,
Myanmar
http://yehg.net/
07/17/2009
Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document
under the terms of the OWASP License.
The OWASP Foundation
http://www.owasp.org
About Joomla! CMS
- Forked from the Mambo CMS code base
- One of the most widely used CMSs
- Friendly to administrators, developers and webmasters
- Easy to deploy and restore, with backward compatibility
- Download, extract, upload, configure, and the site is up and running within a few minutes
- Hundreds of extensions for every possible type of web site: e-commerce, forums, shopping, etc.
OWASP
About Joomla! CMS (cont)
- Extensions comprise:
  - Components
  - Modules
  - Plugins
  - Templates
- A large and growing user community
- Every modern web hosting provider offers a one-click Joomla! CMS installer
Joomla!'s Best Quote:
"Joomla! makes it easy to launch a Web site of any kind. Experience the Freedom! It has never been easier to create your own dynamic Web site. Manage all your content from the best CMS admin interface and in virtually any language you speak."
When it comes to security …
- Popularity has attracted attackers
- Vulnerabilities have been disclosed continually since the first release
- Hundreds of extensions mean hundreds of possible doors for exploitation
- Third-party component vulnerabilities are disclosed nearly every two or three months
How Joomla! Developers React to (In)Security
- Formed the JSST (Joomla! Security Strike Team)
- Fix flawed code that is found and reported within a short time frame
- Cover holes in the core application framework
When there is a need for security …
- Although Joomla! developers are active in patching security holes, extension developers may not be
- Free extensions stop receiving updates or are abandoned by their authors
- Older commercial extensions lose support, or providers even remove them from their product lines
- Webmasters can update to the latest patched Joomla! release, but not the vulnerable third-party components that provide the main functionality of their sites
When there is a need for security … (cont)
- Vulnerable components go unfixed for a long time
- Attackers find them via Google dorks and break in
- Webmasters have no idea how their sites were hacked
Joomla! Mass Worm in the wild
- Joomla! 1.5.5 was vulnerable to the admin token password change flaw (a weak check of the password-reset token that let an attacker set the administrator's password)
- Attackers wrote a mass worm that exploits it to replace the index page with malicious iframes
- Victim sites landed on Google's blacklists very quickly
A Need for Pentesters
- When pentesting Joomla! sites, we cannot know which vulnerable, hidden extensions are in use
- There is a real chance of missing critical vulnerabilities
- No single exploit-hosting site has a complete list of Joomla! and extension vulnerabilities
A Need for Pentesters (cont)
- Existing Joomla! vulnerability scanners in the wild lack updates and do not cover all possible types of holes
- Adding a signature database to Nikto/W3AF would not be appropriate, as Joomla!-specific subtleties are involved
OWASP Joomla! Vulnerability Scanner Born!
- Started in November 2008 as a personal project
- Released in December 2008 on SourceForge.net
- Donated to OWASP in May 2009
- Became a Release Quality tool in July 2009
OWASP Joomla! Vulnerability Scanner
Author:
- Aung Khant (YGN Ethical Hacker Group, http://yehg.net)
Reviewers:
- 1st: Brad Causey
- 2nd: Matt Tesauro
- 3rd: Tom Brennan (OWASP Board)
- 4th: Paulo Coimbra (Project Manager)
OWASP Joomla! Vulnerability Scanner
Main Features:
- Probing for Joomla!-based web firewalls
- Extensive version probing: in most cases the scanner can tell the exact Joomla! version
- Search for vulnerabilities
  - in the Joomla! core application framework
  - in hundreds of popular components
- Immediate updates via SVN or from within the scanner
OWASP Joomla! Vulnerability Scanner
Main Features (cont):
- Report output in text and HTML format
Current Limitations:
- No IDS bypass mechanism
- The vulnerability database is not 100% complete
- May generate false positives on sites where security-savvy administrators have disguised the installation
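The three probing techniques listed under Main Features (web firewall probing, exact version probing and component checks) and the false-positive limitation above can be seen together in the following added example. It is not joomscan's own code: the manifest file paths are the Joomla! locations the example assumes, the regexes, WAF probe string, status-code heuristics and the in-memory sample site are constructed for the demo, and only the one core flaw the flyer names (Joomla! 1.5.5 admin token password change) is put in the version-to-finding table, with the assumption that earlier 1.5.x releases are affected too.

```python
"""Illustrative Joomla! probing routines (added example, not joomscan's code).

fetch(path) -> (status, body) is injected so the example runs offline against
constructed responses; a real run would wrap urllib or requests. File paths are
the Joomla! locations this example assumes; regexes, probe strings and the
sample site are constructed for the demo.
"""
import re
import secrets
from typing import Callable, Dict, List, Optional, Tuple

Fetcher = Callable[[str], Tuple[int, str]]

# Version markers (assumed locations): Joomla! 1.5 carried its version in the
# en-GB language manifest; later releases carry it in the files manifest.
VERSION_FILES: Dict[str, str] = {
    "/language/en-GB/en-GB.xml": r"<version>\s*([\d.]+)\s*</version>",
    "/administrator/manifests/files/joomla.xml": r"<version>\s*([\d.]+)\s*</version>",
}


def version_tuple(v: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in v.split("."))


def probe_version(fetch: Fetcher) -> Optional[str]:
    """Return the exact core version if a manifest is readable, else None."""
    for path, pattern in VERSION_FILES.items():
        status, body = fetch(path)
        if status == 200:
            m = re.search(pattern, body)
            if m:
                return m.group(1)
    return None


def core_findings(version: Optional[str]) -> List[str]:
    """Map the fingerprinted version to core issues. Only the flaw named on the
    flyer is listed; it reports 1.5.5 as affected, and this example assumes
    (not stated on the page) that earlier 1.5.x releases are affected too."""
    if version is None:
        return []
    if (1, 5, 0) <= version_tuple(version) <= (1, 5, 5):
        return ["core: admin token password reset (Joomla! <= 1.5.5)"]
    return []


def probe_waf(fetch: Fetcher) -> bool:
    """Heuristic (assumed, not joomscan's): a benign request succeeds while an
    obviously hostile one is refused, or the refusal body names a filter."""
    base_status, _ = fetch("/index.php?option=com_content&view=article&id=1")
    status, body = fetch("/index.php?option=com_content&view=article&id=1'%20OR%201=1--")
    refused = base_status == 200 and status in (403, 406, 501)
    named = re.search(r"mod_security|not acceptable", body, re.I) is not None
    return refused or named


def enumerate_components(fetch: Fetcher, names: List[str]) -> List[str]:
    """Report components whose directory answers differently from a random,
    certainly absent directory. The calibration request is what stops a site
    that answers 200 to everything from producing a hit for every name."""
    absent = fetch("/components/com_" + secrets.token_hex(6) + "/")
    found = []
    for name in names:
        resp = fetch(f"/components/{name}/")
        if resp[0] in (200, 403) and resp != absent:
            found.append(name)
    return found


def scan(fetch: Fetcher, names: List[str]) -> dict:
    version = probe_version(fetch)
    return {
        "waf": probe_waf(fetch),
        "version": version,
        "core_findings": core_findings(version),
        "components": enumerate_components(fetch, names),
    }


# Constructed responses standing in for a live site (not captured data).
def make_fetch(site: Dict[str, Tuple[int, str]], default: Tuple[int, str]) -> Fetcher:
    return lambda path: site.get(path, default)


SAMPLE_SITE = {
    "/language/en-GB/en-GB.xml":
        (200, "<metafile><name>English(United Kingdom)</name><version>1.5.5</version></metafile>"),
    "/components/com_content/": (403, "Forbidden"),
    "/components/com_user/": (403, "Forbidden"),
    "/index.php?option=com_content&view=article&id=1": (200, "<html>article</html>"),
}
plain_fetch = make_fetch(SAMPLE_SITE, (404, "Not Found"))
# Same site, but every unknown path answers 200: the disguised installation.
decoy_fetch = make_fetch(SAMPLE_SITE, (200, "<html>Welcome</html>"))

if __name__ == "__main__":
    print(scan(plain_fetch, ["com_content", "com_user", "com_absent"]))
    print(scan(decoy_fetch, ["com_content", "com_user", "com_absent"]))
```

Against the decoy site, `enumerate_components` still reports only `com_content` and `com_user`, because `com_absent` answers exactly like the random calibration path; without that calibration every probed name would be a false positive, which is the limitation the flyer describes. The WAF check is deliberately coarse: a site that silently drops hostile requests or answers them with 200 will not be flagged.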