Copyright © The OWASP Foundation
Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License.

OWASP Joomla! (CMS) Vulnerability Scanner Release Flyer
Aung Khant
YGN Ethical Hacker Group, Myanmar
07/17/2009

Current Release:
Implemented 200 defense bypass
  This bypasses web servers that respond with 200 for every 404, which effectively kills the scanner: it produces very noisy reports full of false positives and renders vulnerability detection useless. The 200 defense can kill most scanners today.
Added vulnerability information till
Added fingerprinting signature till Joomla!
Added anti-caching mechanism in update check
Added Graph facility in HTML reporting

Former Release:
Changed report location.
  ~ will save report under report/ directory.
Removed "Poke Version" -pv command option
  Version fingerprinting is run by default from now on, but you can skip it using the -nv (No version check) option.
Improved fingerprinting engine
  It finds a more exact version and provides the closest approximate version range, so you no longer have to calculate it yourself. Please see the sample output:

Former Release:
  Fingerprint in
  ~Generic version family [1.5.x]
  ~1.5.x htaccess.txt revealed [ ]
  ~1.5.x configuration.php-dist revealed [ ]
  ~1.5.x en-GB.xml revealed [ ]
  ~1.5.x en-GB.ini revealed [ ]
  Fingerprint in
  ~Generic version family [1.5.x]
  ~1.5.x htaccess.txt revealed [ ]
  ~1.5.x configuration.php-dist revealed [ ]
  ~1.5.x en-GB.xml revealed [ ]
  ~1.5.x en-GB.ini revealed [ ]
  …skip…
  * Deduced version range is : [ ]

Former Release:
Updated fingerprinting signature up to current Joomla! version
Updated vulnerability information up to July 12, 2009
Made vulnerability information neat by labelling as Generic, Core, Component, Plugin.
Fixed parsing bug in listing components

Former Release:
Added components detectability in re-routed URL (/component/option,com_xxxx)
Made finer report format: HTML
Added Joomla! related firewall/defense detection

Former Release:
New and Improved Fingerprinting Engine (which can detect almost the exact version of Joomla 1.0.x and Joomla 1.5.x)
Updated database till
In database, removed and employed simple blind detection approach 1=1, 1=2 to bypass IDS that blocks MySQL-sensitive words in requests

OWASP Joomla! Vulnerability Scanner
Project URL: omla_Vulnerability_Scanner_Project
Mailing List: vulnerability-scanner
Download URLs