[WEB SECURITY] Introducing WPScan - WordPress Security Scanner

dd at sucuri.net dd at sucuri.net
Mon Jun 20 12:58:06 EDT 2011


Comparing the hashes of some js/css file is probably the most reliable
method, since lots of sites
hide their version from the generator and remove the readme file.

We wrote an article about it a while ago:
http://tools.sucuri.net/?page=docs&title=fingerprinting-web-apps

And we still use that on our scanner ( http://sitecheck.sucuri.net ) :)

Thanks,

On Mon, Jun 20, 2011 at 1:49 PM, Chris Weber <chris at casabasecurity.com> wrote:
> Ryan - I'm I correct that the two methods you use for identifying the WP
> version are:
>
> a) Parse the readme.html file for the version number
> b) Parse the meta tag generator content for the WP version number
>
> In the case where both of these failed, what do you do?  Does Seth's plan of
> comparing hashes of the js/css/other files sound like it would work?
>
> -Chris
>
>
> -----Original Message-----
> From: websecurity-bounces at lists.webappsec.org
> [mailto:websecurity-bounces at lists.webappsec.org] On Behalf Of seth
> Sent: Sunday, June 19, 2011 12:14 AM
> To: ryandewhurst at gmail.com
> Cc: webappsec at securityfocus.com; websecurity at webappsec.org
> Subject: Re: [WEB SECURITY] Introducing WPScan - WordPress Security Scanner
>
> I have started a wp scanner but lost the files before finishing and never
> started again. It had three ways of identifying the version:
> Generator meta tag
> Readme file (you already download it, and the only valuable information i
> see is the version number. Why not showing it?) Downloading some javascript,
> css, images, etc. Then comparing the hashes of these files against an array
> that was like [file][hash]=>version Hope it's usefull
>
>
>
> _______________________________________________
> The Web Security Mailing List
>
> WebSecurity RSS Feed
> http://www.webappsec.org/rss/websecurity.rss
>
> Join WASC on LinkedIn http://www.linkedin.com/e/gis/83336/4B20E4374DBA
>
> WASC on Twitter
> http://twitter.com/wascupdates
>
> websecurity at lists.webappsec.org
> http://lists.webappsec.org/mailman/listinfo/websecurity_lists.webappsec.org
>




More information about the websecurity mailing list