CMS audit, ask more than the release number

Intervenant(s) : Antoine Cervoise

  • Langue : Anglais
  • Niveau : Confirmé
  • Type d'événement : Conférence
  • Date : Maandag 8 juli 2013
  • Horaire : 17h00
  • Durée : 40 minutes
  • Lieu : H 2215
Thème : Beveiliging
Public cible : GeeksProfessionnels


Content Management Systems are everywhere in the World Wide Web and in the different Intranet; due to the large number of CMS available on the market, a lot of users choose free software CMS.

Using a CMS requires you to use the same rules you use with any other software : correct configuration, removing unused features, software and components update.

Do not follow these rules during integration or in production all along the software life may implied software compromising. This compromising is is generally the first step of server control by attackers. Just give a look to to be sure of that.

A lot of methods and tools exist nowadays to be able to know which version of a CMS a website uses. But these tools are usually quite limited : you only know which CMS is used and what version of the CMS the website runs. Some other products, more targeted, allow you to audit popular CMS (Drupal, Joomla, Wordpress).

The first part of the talk will speak about the market share of the CMS on the WWW and on the intranet, way to determine the version of a CMS and will expose some attacks using the CMS as the entry point of a server.

This talk will speak about integrated tools like BackTrack/Kali enabling you to audit specific CMS, detailing some scripts. You will see how PoCs are working in general and a demo will be done with a custom PoC specifically written for this talk.

The 2 following parts will describe the specific features provided by WPScan and Joomscan in regard to more classical fingerprinting tools like whatweb, sedusa or BlindElephant.

The talk will end by a sum up of the features provided by the different tools and scripts and their use during an audit.


Antoine Cervoise, graduated from École des Mines de Douai, works as Security consultant at Devoteam, and currently for a large corporation.

twitter: @acervoise