- Vulnerability Scanning
- Vulnerability Research
Before unleashing more advanced and powerful tools like OpenVAS, a few quick steps can help better guide your work. As a general note, surfing using a browser with at least NoScript enabled may help not only protect you, but may also help to reveal malware or adware infecting the websites.
CMS Version Detection
Identification of CMS during web footprint can be done either using scripts and tools or using online services.
You can also use certain websites to determine the type of CMS a target website is using.
For CMS platforms, out-of-date components usually mean well-known vulnerabilities that are easy for malicious actors to exploit.
Drupal
For Drupal, try visiting /CHANGELOG.txt , which, if not manually removed, will reveal the most recent version of Drupal installed on the server. Other telltale signs depend on the specific Drupal release; http://corporate.adulmec.ro/blog/2010/drupal-detection-test-site-running-drupal maintains a detection tool.
Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.

Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
- Made code documentation improvements.
Joomla
For Joomla, default templates provide strong hints towards versions based on copyright dates. Specific versions can often be discovered using this guide: https://www.gavick.com/magazine/how-to-check-the-version-of-joomla.html
WordPress
WordPress sites tend to advertise their version number in the HTML head of each webpage, via a generator meta tag such as
<meta name="generator" content="WordPress 3.3.1" />
There is a web-based tool with browser add-ons available here: http://www.whitefirdesign.com/tools/wordpress-version-check.html
Document your finding and list what type of CMS your target is using along with its version. You can use this information in the next possible activities:
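The two fingerprints described above (the WordPress/Joomla/Drupal generator meta tag and the Drupal /CHANGELOG.txt header line) can be parsed with a few lines of code. The script below is an added example, not part of the original guide; it works offline on page content you have already retrieved from a site you are authorised to audit, and the sample HTML and changelog text are constructed from the snippets shown above. The Drupal generator string "Drupal 7 (http://drupal.org)" and the Joomla string "Joomla! - Open Source Content Management" are what those platforms emit by default, and the code records them with a version of None where the platform does not print one.

```python
import re
from html.parser import HTMLParser
from typing import Dict, List, Optional


class _GeneratorMetaParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.generators: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").lower() == "generator" and a.get("content"):
            self.generators.append(a["content"].strip())


def generator_tags(html: str) -> List[str]:
    """Return all generator meta contents found in an HTML document."""
    p = _GeneratorMetaParser()
    p.feed(html)
    return p.generators


# Platform name followed by an optional dotted version number.
_CMS_PATTERNS = {
    "WordPress": re.compile(r"^WordPress(?:\s+(\d[\d.]*))?", re.I),
    "Joomla": re.compile(r"^Joomla!?(?:\s+(\d[\d.]*))?", re.I),
    "Drupal": re.compile(r"^Drupal(?:\s+(\d[\d.]*))?", re.I),
}


def cms_from_generator(html: str) -> Optional[Dict[str, Optional[str]]]:
    """Identify the CMS (and version, if advertised) from generator meta tags."""
    for content in generator_tags(html):
        for name, pattern in _CMS_PATTERNS.items():
            m = pattern.match(content)
            if m:
                return {"cms": name, "version": m.group(1)}
    return None


# First "Drupal X.Y, YYYY-MM-DD" line of CHANGELOG.txt is the installed release.
_DRUPAL_CHANGELOG = re.compile(r"^Drupal\s+(\d+(?:\.\d+)+),\s*(\d{4}-\d{2}-\d{2})", re.M)


def drupal_version_from_changelog(text: str) -> Optional[Dict[str, str]]:
    """Extract the newest release from a Drupal /CHANGELOG.txt body."""
    m = _DRUPAL_CHANGELOG.search(text)
    if not m:
        return None
    return {"cms": "Drupal", "version": m.group(1), "released": m.group(2)}


# Constructed sample inputs, built from the snippets in the guide.
WP_HTML = (
    "<html><head><title>Example</title>"
    '<meta name="generator" content="WordPress 3.3.1" />'
    "</head><body></body></html>"
)
JOOMLA_HTML = '<html><head><meta name="generator" content="Joomla! - Open Source Content Management" /></head></html>'
DRUPAL_CHANGELOG_TEXT = """Drupal 6.27, 2012-12-19
----------------------
- Fixed security issues (multiple vulnerabilities), see SA-CORE-2012-004.

Drupal 6.26, 2012-05-02
----------------------
- Fixed a small number of bugs.
"""

if __name__ == "__main__":
    print(cms_from_generator(WP_HTML))
    print(cms_from_generator(JOOMLA_HTML))
    print(drupal_version_from_changelog(DRUPAL_CHANGELOG_TEXT))
```

Record the result (platform, version, where it was found) in your findings; a version of None is itself a data point, since it means the site owner has suppressed the banner or runs a platform that no longer prints it.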
If the organization is trying to provide its websites to visitors using TLS but having trouble obtaining the 'green padlock' in the browser, utilise the scanning tool at https://www.whynopadlock.com/ to analyse common problems preventing TLS compliance.
Most popular CMS platforms provide emailed alerts and semi-automated ways to update their software. Make sure someone responsible for the website is either receiving these emails or checking regularly for available updates. Security updates should be applied immediately. It is a best practice however to have a “test” site where you can first deploy any CMS update before attempting it on a production site.
For websites using a content management system (Drupal, WordPress, Joomla or similar), it is important to use a popular and open source tool (as opposed to a custom tool that a web design firm has put together for its customer base). Open source tools are more likely to have their security holes discovered and fixed at a rapid pace, but the burden remains on the organization to keep up to date with these security updates.
The top CMS tools have dashboards and other tools to help alert the webmaster to available updates, and security updates should be heeded quickly. For sites that hold password data, it is worth exploring additional security features – the built-in password security for even modern CMS systems is weak, but the methods to improve upon them vary widely depending on the system.
For sites built on custom CMS software which does not regularly receive updates, it is strongly advisable to migrate to a more standard, open source system.
Note that “static” websites – those created with a web design tool and uploaded to a server – are both more secure (no server-side code to break) and also withstand denial of service attacks more easily. However, they are more difficult to maintain and update, and work best only for “brochure” style sites.
An increasingly good practice is for organizations to take advantage of the "free" tiers of DDoS mitigation services, of which CloudFlare is probably the best known. A challenge of these free services can be that they have definite limits to their protection. With CloudFlare, organizations can request to be a part of their Project Galileo program to support at-risk sites even beyond their normal scope of support.
A community-based, open source alternative is Deflect, which is completely free for eligible sites.
Some of these services will be revealed by BuiltWith, but checking the HTTP response headers (in Chromium/Chrome, available under the Inspect Element tool; in Firefox, by using Firebug) will reveal others. See Deflect's wiki for more information.
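Reading the response headers by hand in the browser works for one site; for an audit covering several sites it is easier to paste the raw header block into a small script. The example below is added here and is not part of the original guide. It parses a raw HTTP response header block into a dictionary, flags CloudFlare from the Server header and the CF-RAY header that CloudFlare adds to proxied responses, and also records any software banners (Server, X-Powered-By) so they can be noted alongside the CMS version. The header block is constructed for the example (the CF-RAY value is a placeholder, not a real identifier); signatures for Deflect are left for you to add from Deflect's wiki, as the guide suggests.

```python
from typing import Dict, List, Optional, Tuple


def parse_header_block(raw: str) -> Dict[str, str]:
    """Parse a raw HTTP response (status line followed by headers) into a
    dict keyed by lowercase header name. Repeated headers are joined with ', '."""
    headers: Dict[str, str] = {}
    lines = raw.strip().splitlines()
    if not lines:
        return headers
    body = lines[1:] if lines[0].upper().startswith("HTTP/") else lines
    for line in body:
        if ":" not in line:
            continue  # skip blank lines and anything that is not a header
        name, value = line.split(":", 1)
        key, value = name.strip().lower(), value.strip()
        headers[key] = f"{headers[key]}, {value}" if key in headers else value
    return headers


# (service, header name, substring expected in the value, or None for presence only)
# Extend this table with other providers, e.g. Deflect's fingerprint from its wiki.
SIGNATURES: List[Tuple[str, str, Optional[str]]] = [
    ("CloudFlare", "server", "cloudflare"),
    ("CloudFlare", "cf-ray", None),
]


def mitigation_services(headers: Dict[str, str]) -> List[str]:
    """Return the DDoS-mitigation/CDN services whose signatures appear in headers."""
    found: List[str] = []
    for service, name, needle in SIGNATURES:
        value = headers.get(name)
        if value is None:
            continue
        if needle is None or needle in value.lower():
            if service not in found:
                found.append(service)
    return found


def software_banners(headers: Dict[str, str]) -> Dict[str, str]:
    """Collect headers that disclose server-side software, for the findings list."""
    return {k: headers[k] for k in ("server", "x-powered-by") if k in headers}


# Constructed sample response; the CF-RAY value is a placeholder.
SAMPLE_RESPONSE = """HTTP/1.1 200 OK
Date: Mon, 01 Jan 2024 00:00:00 GMT
Content-Type: text/html; charset=UTF-8
Server: cloudflare
CF-RAY: 0000000000000000-XXX
Cache-Control: max-age=3600
"""

# Constructed sample of an unprotected origin that also leaks its software versions.
SAMPLE_ORIGIN_RESPONSE = """HTTP/1.1 200 OK
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.3.10
Content-Type: text/html
"""

if __name__ == "__main__":
    for raw in (SAMPLE_RESPONSE, SAMPLE_ORIGIN_RESPONSE):
        h = parse_header_block(raw)
        print("services:", mitigation_services(h), "banners:", software_banners(h))
```

A site fronted by a mitigation service should not expose its origin's Server and X-Powered-By banners; seeing them alongside a CloudFlare signature is worth a second look, since it usually means some responses are bypassing the proxy.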
Guide for NGOs to diagnose issues with a website: Digital First Aid Kit
Organizations wishing to offer full TLS (HTTPS) on their websites may consider using LetsEncrypt or selecting a hosting provider which fully supports LetsEncrypt for generating free TLS certificates.