[WEB SECURITY] Introducing WPScan - WordPress Security Scanner

dd at sucuri.net dd at sucuri.net
Mon Jun 20 12:58:06 EDT 2011

Comparing the hashes of some js/css files is probably the most reliable
method, since lots of sites hide their version from the generator and
remove the readme file.

We wrote an article about it a while ago:

And we still use that on our scanner ( http://sitecheck.sucuri.net ) :)


On Mon, Jun 20, 2011 at 1:49 PM, Chris Weber <chris at casabasecurity.com> wrote:
> Ryan - Am I correct that the two methods you use for identifying the WP
> version are:
> a) Parse the readme.html file for the version number
> b) Parse the meta tag generator content for the WP version number
> In the case where both of these failed, what do you do?  Does Seth's plan of
> comparing hashes of the js/css/other files sound like it would work?
> -Chris
> -----Original Message-----
> From: websecurity-bounces at lists.webappsec.org
> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of seth
> Sent: Sunday, June 19, 2011 12:14 AM
> To: ryandewhurst at gmail.com
> Cc: webappsec at securityfocus.com; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Introducing WPScan - WordPress Security Scanner
> I have started a wp scanner but lost the files before finishing and never
> started again. It had three ways of identifying the version:
> - Generator meta tag
> - Readme file (you already download it, and the only valuable information I
>   see is the version number. Why not show it?)
> - Downloading some javascript, css, images, etc. Then comparing the hashes
>   of these files against an array that was like [file][hash]=>version
> Hope it's useful
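The `[file][hash]=>version` lookup discussed in this thread, as an added example that is not part of the original messages and is not WPScan's or Sucuri's code. It goes one step beyond the single-version map by letting one hash belong to several releases (a file can ship unchanged across versions) and intersecting the candidates across files; the release labels, paths and file bodies are constructed, and the observed bytes are assumed to come from an install you are inventorying.

```python
import hashlib

# Constructed stand-ins for the static files of three releases. The release
# labels, paths and file bodies are invented for this example.
RELEASES = {
    "rel-1": {"js/common.js": b"function a(){}", "css/style.css": b"body{margin:0}"},
    "rel-2": {"js/common.js": b"function a(){}", "css/style.css": b"body{margin:1px}"},
    "rel-3": {"js/common.js": b"function a(){return 1}", "css/style.css": b"body{margin:1px}"},
}


def sha256_hex(body: bytes) -> str:
    return hashlib.sha256(body).hexdigest()


def build_index(releases):
    """Build index[path][hash] -> set of releases shipping exactly that file."""
    index = {}
    for version, files in releases.items():
        for path, body in files.items():
            index.setdefault(path, {}).setdefault(sha256_hex(body), set()).add(version)
    return index


def identify(index, observed):
    """Return (candidate releases, paths whose hash matched no known release).

    observed maps path -> bytes of the file as served by the install.
    An empty candidate set with no unmatched paths means the files
    disagree with each other, e.g. after a partial upgrade.
    """
    candidates, unmatched = None, []
    for path, body in sorted(observed.items()):
        versions = index.get(path, {}).get(sha256_hex(body))
        if versions is None:
            unmatched.append(path)  # locally modified, or a release not indexed
        elif candidates is None:
            candidates = set(versions)
        else:
            candidates &= versions
    return (candidates or set()), unmatched


INDEX = build_index(RELEASES)

if __name__ == "__main__":
    sample = {"js/common.js": b"function a(){}", "css/style.css": b"body{margin:1px}"}
    print(identify(INDEX, sample))
```

A single unchanged file only narrows the answer to a range of releases; each additional file shrinks the candidate set, and an unmatched path is itself worth a look because it means the file differs from every indexed release.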