Drupal is the third-largest open-source CMS used with a market share of more than 4.5%. There are close to a million sites powered by them, which is more than enough to attract an attacker and hacker. If you are using Drupal for your website and are not sure if it is secure from known vulnerabilities, doesn’t expose sensitive information, has misconfiguration, etc. then the following tools will help you. Ready to explore? Let’s do it.
Droopescan
Droopescan is a python-based scanner to help security researcher to find basic risks in the installed version of Drupal. There are the following four main checks done by this tiny program. You might have realized; that this is not an online scanner, so you got to install the Python and clone the code on your server to run the test. You can perform a test on multiple URLs simultaneously, and the results are shown on the terminal. Droopescan can also work with WordPress, Joomla, Moodle, and SilverStripe. But for WordPress, I would recommend checking this list of the scanner.
Pentest-Tools
Drupal vulnerability scan by Pentest-Tools is an online scanner where you can audit your site security to find out vulnerabilities in plugins, configuration, and core files. The scan results are well explained, and you have an option to get it in PDF format. You require 50 credits to run this tool.
Drupwn
A python-based utility to perform enumeration and exploitation against Drupal 6 and 8 versions. You can run Drupwn in two modes. Enumeration to check the following.
CookiesUser-agentLoggingUserNodeModuleThemeRequest delay
And, exploit mode to check vulnerabilities. You can get it started by installing using Python or Docker image.
SUCURI
SUCURI SiteCheck is a general security scanner to quickly find out if your Drupal site is infected with known malware, has outdated software, is blacklisted, and popular website error. Nothing specific to Drupal but worth scanning any Internet site. SUCURI also provides continuous security for Drupal sites to protect and accelerate. Its comprehensive protection against attacker/hacker, and DDoS attacks for small to enterprise-level of businesses.
Hacker Target
A free online passive scan to perform the basic test on the following.
Identify theme, plugins, and iFrameShow client-side JavaScript filesDetect the Drupal version and check if that is vulnerableCheck if the URL is blacklisted by GoogleCheck if directory indexing is enabled
It’s not a comprehensive test but good to start with.
Acunetix
An enterprise-ready cloud-based scanner to detect vulnerabilities in CMS, including Drupal. Acunetix detects the security risk against OWASP top 10 and known online vulnerabilities with more than 500 types of attacks. And, if you are using Drupal in a big organization where you have to submit the compliance report, then you are covered. You can generate PCI DSS, HIPAA, etc. regulatory compliance reports from their dashboard. They offer a 14-day trial, so go ahead and give it a try. You can choose their online scanner, so you don’t have to install anything on your server.
Sqreen
Sqreen scanner is not exactly targeted for Drupal but applicable to any modern application or online store to find some of the following common vulnerabilities attacks.
SQL injectionCross-site scriptingMIME sniffingTampering data in a communicationClickjackingDDoS
Update: Sqreen has been acquired by Datadog
Detectify
Test for over 1000 vulnerabilities with Detectify. Not just Drupal, but you can test other platforms (WordPress, Joomla, JavaScript, PHP, etc.) too. You can get it started for FREE to perform a complete website security audit. Check out my previous blog post about getting started with Detectify. The good thing about Detectify is, that you get an actionable report which is easy to follow to mitigate the risk faster. I hope the above tools help you find security risks in your Drupal site so you can fix them before someone misuses them. Stay secured!