Presentation is loading. Please wait.

Presentation is loading. Please wait.

OWASP Joomla! (CMS) Vulnerability Scanner Project Flyer

Published by병길 원 Modified over 5 years ago

Similar presentations

Presentation on theme: "OWASP Joomla! (CMS) Vulnerability Scanner Project Flyer"— Presentation transcript:

1 OWASP Joomla! (CMS) Vulnerability Scanner Project Flyer
Aung Khant YGN Ethical Hacker Group, Myanmar 07/17/2009

2 About Joomla! CMS Former code base as Mambo CMS
One of the most widely used CMS Admin/Developer/Webmaster friendliness Easy to deploy, restore, backward compatibility Download, extract, upload, configure, Then up and running within a few minutes Hundreds of extensions for every possible type of web sites – E-Commerce, Forum, Shopping, …etc

3 About Joomla! CMS (cont)
Extensions comprise of: - Components - Modules - Plugins - Templates Increasing large user community Every modern web hosting provider has one-click Joomla! CMS installer 3 3

4 Joomla’s Best Quote: Joomla! makes it easy to launch a Web site of any kind. Experience the Freedom! It has never been easier to create your own dynamic Web site. Manage all your content from the best CMS admin interface and in virtually any language you speak.

5 When it comes to security …
Popularity has attracted attackers Continual vulnerability disclosures published since its the first release Hundreds of extensions mean hundreds of possible doors to exploit Third-party components vulnerabilities disclosed nearly every two or three month

6 How Joomla! Developers React (In)Security
Formed JSST (Joomla! Security Strike Team) Fix flaw codes found and reported within a few timeline frame Cover holes in the Core Application Framework

7 When there is a need for security …
Although Joomla! Developers are active in patching security holes, extensions developers may not be Free extensions stopped updates or abandoned by their authors Older commercial extensions stopped support or providers even removed some from their product lines Webmasters can update latest bug-free Joomla! but not vulnerable third-party components, which are main functionalities of their sites

8 When there is a need for security …
Vulnerable components get not fixed for a long time Attackers find them via Google Dork and hack eventually Webmasters have no idea of how their sites are hacked

9 Joomla! Mass Worm in the wild
Joomla! was vulnerable to Admin Token Password Change vulnerability Attackers’ wrote Mass Worm which exploits it to replace the index page with malicious iframes Victim sites got into Google’s blacklists every quickly

10 A Need for Pentesters When pentesting Joomla! Sites, we cannot know what vulnerable hidden extensions are being used There is a possible chance to miss critical vulnerabilities No single exploit hosting sites have perfect Joomla! and its extensions vulnerabilities

11 A Need for Pentesters Existing Joomla! vulnerability scanners in the wild are lack of updates and all possible types of holes Adding signature database to Nikto/W3AF will not be appropriate as there are some subtle things involved

12 OWASP Joomla! Vulnerability Scanner Born!
Started in November, 2008 as a personal project Released in December 2008 at SourceForge.net Donated to OWASP in May 2009 Became Release Quality Tool in July 2009

13 OWASP Joomla! Vulnerability Scanner
Author: Aung Khant Reviewers 1st – Brad Causey 2nd - Matt Tesauro 3rd - Tom Brennan (OWASP Board) 4th Paulo Coimbra (Project Manager)

14 OWASP Joomla! Vulnerability Scanner
Main Features: Joomla! based web firewalls probing Extensive version probing In most cases, the scanner can tell the exact version the Joomla! Search for vulnerabilities in Joomla! Core Application Frame in hundreds of popular components Immediate update via SVN / Scanner

15 OWASP Joomla! Vulnerability Scanner
Main Features (cont): Report output of textual and HTML format Current Limitations: Lack of IDS bypass mechanism Not have 100% complete vulnerability database May generate false positives under the disguise of security savvy web administrators

Download ppt "OWASP Joomla! (CMS) Vulnerability Scanner Project Flyer"

Similar presentations

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.
Kick start your career with WordPress

Kick start your career with WordPress
Server-Side vs. Client-Side Scripting Languages

Server-Side vs. Client-Side Scripting Languages
INSTALLATION OF WORDPRESS. WORDPRESS WordPress is an open source CMS, often used as a blog publishing application powered by PHP and MySQL. It has many.

INSTALLATION OF WORDPRESS. WORDPRESS WordPress is an open source CMS, often used as a blog publishing application powered by PHP and MySQL. It has many.
Get closer to the most advanced CMS Mihail Semedzhiev Joomla!

Get closer to the most advanced CMS Mihail Semedzhiev Joomla!
Presented by Mina Haratiannezhadi 1.  publishing, editing and modifying content  maintenance  central interface  manage workflows 2.

Presented by Mina Haratiannezhadi 1.  publishing, editing and modifying content  maintenance  central interface  manage workflows 2.
Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.

Part or all of this lesson was adapted from the University of Washington’s “Web Design & Development I” Course materials.
Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.

Introducing LAMP: Linux, Apache, MySQL and PHP Track 2 Workshop PacNOG 7 July 1, 2010 Pago Pago, American Samoa.
Build a CMS Website. The topics this chapter covers are: What is CMS ? What you can do with CMS The benefits and disadvantages of using a content management.

Build a CMS Website. The topics this chapter covers are: What is CMS ? What you can do with CMS The benefits and disadvantages of using a content management.
Content Management Systems A content management system is software that loads on your web host’s server and manages all content on your web site dynamically.

Content Management Systems A content management system is software that loads on your web host’s server and manages all content on your web site dynamically.
Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:

Nikto LUCA ALEXANDRA ADELA. Nikto  Web server assessment tool  Written by Chris Solo and David Lodge  Released on December 27, 2001  Stable release:
By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.

By Jeerarat Boonyanit. As you can see I have chosen Cpanel for my server management tool. cPanel is a Linux based web hosting control panel that provides.
Prepared by Websites Development Team, CITC. Agenda Websites Development Challenges Main Features of Web CMS Faculty Website & Control Panel Navigation.

Prepared by Websites Development Team, CITC. Agenda Websites Development Challenges Main Features of Web CMS Faculty Website & Control Panel Navigation.
Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.

Web Security Demystified Justin C. Klein Keane Sr. InfoSec Specialist University of Pennsylvania School of Arts and Sciences Information Security and Unix.
Danielle Baldwin, ITS Web Services CMS Administrator Application Overview and Joomla 1.5 RC 1 Highlights.

Danielle Baldwin, ITS Web Services CMS Administrator Application Overview and Joomla 1.5 RC 1 Highlights.
Cyber Patriot Training

Cyber Patriot Training
Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.

Prepared By, Mahadir Ahmad. StopBadware makes the Web safer through the prevention, mitigation, and remediation of badware websites. partners include.
1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),
1-19-2012www.ursamajorconsulting.com1 Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa.

www.ursamajorconsulting.com1 Avoid Getting Hacked Joomla! Web Security Northern Virginia Joomla Users Group January 2012 Dorothy Firsching, Ursa.
Template Version 2.0 Prepared for ElderSource (http://www.myeldersource.org/) June 2nd 2009 Version 1 (started June/2/2009) Satya Komatineni Small to Medium.

Template Version 2.0 Prepared for ElderSource ( June 2nd 2009 Version 1 (started June/2/2009) Satya Komatineni Small to Medium.

Similar presentations

Ads by Google