greg . foss [at] owasp . org
v0.5 Beta -- 1/11/2015
Scripts and a basic checklist used to augment the penetration testing and security process of Drupal web applications. These scripts and the drupal-security-checklist.pdf coincide with the 'Attacking Drupal' presentation, which covers many common configuration flaws associated with Drupal web applications.
Slides: http://www.slideshare.net/heinzarelli/attacking-drupal BSidesLV Presentation: https://www.youtube.com/watch?v=-0ZeL_SMNB8
A Drupal account brute-forceing script.
There are two versions, Drupal 6 and Drupal 7 as each has slight differences in the code. This script will work with any wordlist against a Drupal 6 application, assuming that it does not have additional protections in place such as rate limiting, MFA, SSO, CAPTCHA (implemented properly) etc. Drupal 7 is a bit trickier, and will only work if a small wordlist is used.
To run... Drupal 6 ./d6-account-forcer.sh (then follow the prompts) Drupal 7 ./d7-account-forcer.sh (then follow the prompts)
This script will harvest all user e-mails and password hashes from an application running the Drupal Devel module.
There are two versions, Drupal 6 and Drupal 7 as each has slight differences in the code. This script can be used to automate the task of extracting user account information from any site that has left the devel module enabled.
To run... Drupal 6 ./d6-devel-exploit.sh (then follow the prompts) Drupal 7 ./d7-devel-exploit.sh (then follow the prompts)
Basic checklist which helps developers and security teams alike avoid common security pitfalls when developing Drupal web applications.
Checklist is located within the /presentation/ directory.
The BSidesLV presentation can be viewed here: https://www.youtube.com/watch?v=-0ZeL_SMNB8
The slides are located in the /presentation/ directory or can be viewed on slideshare: http://www.slideshare.net/heinzarelli/attacking-drupal
1/11/2015 - Security Checklist Update -Closed Issue #1 8/16/2014 - BSidesLV Updates -Presentation video link added to Readme -Movies condensed into one demo 5/21/2014 - Minor Updates -BSides Denver presentation added -Updated movies 1/28/2014 - Updates Presentation -slides updated to include hardening -checklist updated to include hardening -drupal-account-forcer.mp4 - updated and shortened Scripts -adding User Agent strings -clear screen before run -minor tweaks... 1/15/2014 - Public Release
Copyright (c) 2014, Greg Foss All rights reserved.
Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
- Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
- Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.
- Neither the name of Greg Foss nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.