There are roughly 1.8 billion websites, and many of them have vulnerabilities. In fact, more than 56% of Content Management System (CMS) installations such as WordPress, Joomla, and Drupal are out of date and hence susceptible to compromise.
Vulnerable versions of third-party CMS components, including plugins and themes, also play into attackers’ hands. Their loopholes are lucrative soil for unauthorized access, data theft, and the injection of malicious scripts.
So what can you, the pentester, do—and what tools can you use—to find and fix the vulnerabilities in your website? We’ll provide some tools and tips in this post.
Website vulnerability assessment 101
All websites fall into three broad categories, and penetration testers need to keep them in mind:
- Hand-coded (written in HTML or created with site generators like Jekyll, or designed using Adobe Dreamweaver).
- Created with online site builders (these are simple sites containing no databases and user interaction elements).
- CMS-based (made with top systems like WordPress, Joomla, and Drupal).
For hackers, CMS platforms hardly differ from other services in terms of exploitation. Their code is publicly available, and anyone can scrutinize it for bugs and security weaknesses. CMS-based websites rarely fall victim to targeted attacks. Instead, they tend to be hacked “in bulk.”
This form of compromise follows a well-trodden path. First, a malefactor pinpoints a recently discovered flaw in the target CMS. Next, they scan vast numbers of websites, looking for the vulnerability in question.
Fending off these automated attacks is not just a matter of keeping the CMS core up to date, because a site's functionality is extended through various plugins, and it is hard to keep track of all of them.
How to check a WordPress site for vulnerabilities
WordPress currently dominates the CMS landscape. To scan it for vulnerabilities, you can use a hugely effective scanner called WPScan. (If you are running WPScan for the first time, update its vulnerability database first.)
It can fetch the WordPress version, spot exposed open directories, enumerate all installed plugins, and much more. It also ships as a separate package in Kali Linux and other pentesting distributions.
The tool flags findings that do not conform to proper security practice with exclamation marks. It can also brute-force the admin's login credentials, and its multithreaded design makes scans fast.
While these details might be sufficient for an attacker to take over the average site, there are still quite a few more things to check, including plugins and other potential entry points.
Additionally, use a CVE lookup service to check for Common Vulnerabilities and Exposures (CVEs). For instance, you may want to go over known flaws in the PHP version the CMS is running on. You may also look for available Metasploit modules for WordPress and try them out.
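Because a scanner only tells you which plugins are installed, the defender still has to compare each installed version against the release that fixed its known issues. The following Python script is an added example (not part of the original post and not WPScan's code): it parses the standard WordPress plugin file header for Plugin Name and Version and reports every plugin below a patched floor. The plugin names, paths, versions and the MIN_SAFE_VERSION table are constructed for the example; in practice you would read the real plugin files under wp-content/plugins and fill the table from vendor changelogs or a vulnerability database.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample plugin files in WordPress's standard header format
# (names, versions and paths are made up for this example).
SAMPLE_PLUGINS = {
    "wp-content/plugins/demo-form/demo-form.php": """<?php
/**
 * Plugin Name: Demo Contact Form
 * Version: 4.1.0
 */
""",
    "wp-content/plugins/demo-gallery/demo-gallery.php": """<?php
/*
Plugin Name: Demo Gallery
Version: 2.0.7
*/
""",
}

# Hypothetical table of the lowest patched release per plugin, as you would
# build it from the vendor changelog or a vulnerability database.
MIN_SAFE_VERSION = {"Demo Contact Form": "4.2.0", "Demo Gallery": "2.0.7"}

# Matches "Plugin Name:" / "Version:" lines, tolerating the " * " comment prefix.
HEADER_RE = re.compile(r"^[ \t/*]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.MULTILINE)

def parse_header(php_source: str) -> Dict[str, str]:
    """Extract the Plugin Name and Version fields from a plugin file header."""
    return dict(HEADER_RE.findall(php_source))

def version_tuple(version: str) -> Tuple[int, ...]:
    """Turn '4.1' into (4, 1, 0) so that versions compare numerically, not as text."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)

def outdated_plugins(plugins: Dict[str, str], min_safe: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (name, installed version, lowest patched version) for every plugin below its floor."""
    findings = []
    for src in plugins.values():
        header = parse_header(src)
        name, installed = header.get("Plugin Name"), header.get("Version")
        floor = min_safe.get(name or "")
        if installed and floor and version_tuple(installed) < version_tuple(floor):
            findings.append((name, installed, floor))
    return findings

if __name__ == "__main__":
    for name, installed, floor in outdated_plugins(SAMPLE_PLUGINS, MIN_SAFE_VERSION):
        print(f"{name}: installed {installed}, patched in {floor}")
```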
Checking a Joomla site for vulnerabilities
Joomla can be probed for weaknesses using a tool called JoomScan. The Open Web Application Security Project created it. It resembles WPScan, except that it does not have as many features.
JoomScan supports an aggressive method of scanning. Its scan report includes the CMS version, the CVEs corresponding to the detected vulnerabilities, and links leading to known exploits. Plus, it lists all the site’s directories and a hyperlink to the configuration file if the admin has not obfuscated it.
Checking Drupal and other CMS sites
Checking a Drupal CMS is more complicated, because there is no equally effective scanner. Droopescan is the only worthwhile tool to use, but it retrieves little beyond basic site information.
You will have to dig manually or search the web to get in-depth data and tools. Vulnerability databases like CVE details or proof-of-concept exploits on GitHub can point a pentester in the right direction.
One example of what you can come across is the CVE-2018-7600 vulnerability, which affects Drupal 7.x and 8.x and allows arbitrary code execution. If the scanner returns nothing but the CMS version, that can still be enough, as long as the Drupal version falls within the vulnerable range.
How to check a hand-coded website for vulnerabilities
It is harder to find security flaws in a hand-coded website. No scanner will tell you: this web app is outdated, it has several vulnerabilities, and here is a link to the exploit.
In other words, you have a long list of potential weaknesses to check by hand. Audits like that hinge on the OWASP methodology (a framework for web application security testing defined by the Open Web Application Security Project).
But probing a website for unsecured entry points is a deeply creative activity. You are not limited to a predefined framework or a specific set of tools.
Nevertheless, security auditing is no joke. It comes as no surprise that some companies implement these check-ups in a customized way, so that a pentester doesn’t miss anything. Still, one of the best ways to do this is to use the OWASP Web Security Testing Guide. It is a detailed rundown of the rules for web application vulnerability detection.
If you need to check a hand-coded site, a fingerprinting tool such as WhatWeb is a good starting point. Keep in mind that you are not inspecting a CMS but looking for all embedded services and their versions. Many framework versions are susceptible to exploitation; for instance, outdated editions of Apache Tomcat or Ruby on Rails have working exploits.
Your next move is to leverage a security scanner. Even if it doesn’t dot all the i’s and cross all the t’s, it could give you some actionable insights.
How Trend Micro can help
Trend Micro can provide some help for pentesters checking their website for vulnerabilities.
Trend Micro Cloud One is a solution that checks web applications and APIs for code vulnerabilities and pinpoints data exfiltration attempts. It can easily detect attacks like SQL injection, remote code execution, URL redirects, and harmful file uploads.
Also, Trend Micro Web Security provides an extra layer of protection for your virtual or on-premises web server. It uses predictive machine learning to identify zero-day malware, prevents data loss, provides URL filtering, and comes with a handful of other useful security features.
Protection best practices
In the end, if your website uses a CMS, the most effective security tactic is to refrain from installing unnecessary plugins and keep all software up to date. Designers should stick with safe coding practices such as filtering special characters in database queries and extensively vetting scripts found online.
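The "filtering special characters in database queries" advice above is best met by binding user input as query parameters rather than pasting it into SQL text. The following Python script is an added example, not code from the original post or from any CMS: it places a query built by string interpolation next to its parameterized form and runs both against a constructed in-memory SQLite table, so you can see that an input containing a single quote changes the structure of the first query but is treated as plain data by the second.

```python
import sqlite3
from typing import List

def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory users table standing in for a CMS database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, role TEXT)")
    conn.executemany("INSERT INTO users (username, role) VALUES (?, ?)",
                     [("admin", "administrator"), ("editor", "editor")])
    return conn

def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> List[str]:
    """Builds the query by string interpolation, so a quote character in the
    input changes the query's structure instead of being treated as data."""
    sql = f"SELECT username FROM users WHERE username = '{username}'"
    return [row[0] for row in conn.execute(sql)]

def find_user_safe(conn: sqlite3.Connection, username: str) -> List[str]:
    """Binds the input as a parameter: the driver keeps it separate from the
    SQL text, which is the robust form of 'filtering special characters'."""
    sql = "SELECT username FROM users WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]

if __name__ == "__main__":
    db = make_demo_db()
    probe = "nobody' OR '1'='1"  # constructed input containing a quote character
    print("interpolated:  ", find_user_vulnerable(db, probe))  # lists every username
    print("parameterized: ", find_user_safe(db, probe))        # matches nothing
```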
If you own a custom-built website, be sure to scrutinize its web components, get rid of redundant ones, and keep the rest up to date.
A vulnerable website can be a catalyst for online scams on a large scale. By compromising it, threat actors may display sketchy pop-ups to visitors. Once clicked, these ads may lead to phishing pages or malware downloads. To help you here, Trend Micro Check is a sure-shot way to detect these frauds. In the end, a proactive strategy geared toward patching loopholes is your top priority so that exploitation like that never happens in the first place.
About the author:
David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation.
David runs the Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, malware removal, and white hat hacking.
David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.