SamJoan / droopescan

A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
GNU Affero General Public License v3.0

How to add authentication for Drupal Scanning site? #55

Closed indhu85 closed 2 years ago

indhu85 commented 2 years ago

Hi,

How do I add authentication when scanning a Drupal website?

For example:

python droopescan/droopescan scan drupal -u https://www.XXXXXXXXXXX.org/user/ --output json -e p

It returns "The site is not running Drupal".

Could anyone share the steps to authenticate to a Drupal website in droopescan?

SamJoan commented 2 years ago

hi @indhu85,

There's a section on authentication on the README, but I'm not sure that will help you in this case. I would try removing /user/ from the URL, e.g. https://www.xxxxxxxxxxx.org/ instead of https://www.xxxxxxxxxxx.org/user/.

If you're still having issues, please provide the output for the site with the --debug-requests command line flag and I'll have a look for you.

Thanks, Sam

indhu85 commented 2 years ago

Hi @SamJoan,

Without "user" in the URL, I am able to get the list of modules and themes.

  1. Is droopescan not using authentication to get these lists (modules and themes) from a secured Drupal website?
  2. Does the list contain only active modules, or does it include inactive modules also?
  3. Is there any method in droopescan to export a configuration used in the website?

Thanks, @indhu85

SamJoan commented 2 years ago

Hi,

droopescan does indeed not use authentication to identify the list of modules and themes. The way these are identified is through wordlists and bruteforcing URLs. For example, droopescan may perform a request to sites/all/modules/cktoolkit and observe whether an HTTP 200 response is detected.

The wordlist that is used is obtained from each CMS' addon download page. I refresh this approximately annually in case new popular addons have been created.

You can export the results in JSON format, check out the output section of the README.
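
Added example, not part of the original thread and not droopescan code: a defender-side check that spots the unauthenticated wordlist probing described above in a web server access log and lists which addon directories answered HTTP 200. The log lines, thresholds, the `sites/all/themes/` path and the function name are constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed sample lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /sites/all/modules/views/ HTTP/1.1" 200 512 "-" "example-agent"
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /sites/all/modules/cktoolkit/ HTTP/1.1" 404 162 "-" "example-agent"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sites/all/modules/ctools/ HTTP/1.1" 200 512 "-" "example-agent"
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "GET /sites/all/modules/addon_a/ HTTP/1.1" 404 162 "-" "example-agent"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /sites/all/modules/addon_b/ HTTP/1.1" 404 162 "-" "example-agent"
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "GET /sites/all/modules/addon_c/ HTTP/1.1" 404 162 "-" "example-agent"
198.51.100.20 - - [01/Jan/2024:10:05:00 +0000] "GET /node/1 HTTP/1.1" 200 9000 "-" "browser"
198.51.100.20 - - [01/Jan/2024:10:05:01 +0000] "GET /sites/all/modules/views/css/views.css HTTP/1.1" 200 700 "-" "browser"
198.51.100.20 - - [01/Jan/2024:10:05:01 +0000] "GET /sites/all/themes/bartik/logo.png HTTP/1.1" 200 3000 "-" "browser"
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|HEAD) (\S+) [^"]*" (\d{3}) ')
# The thread names sites/all/modules/; the themes path is an assumed sibling.
ADDON_RE = re.compile(r'^/sites/all/(modules|themes)/([^/?]+)')

def find_enumeration(log_text, min_distinct=5, min_miss_ratio=0.5):
    """Flag clients that request many distinct addon directories, mostly missing.

    Returns {ip: {"probed": count, "found": [addon names that returned 200]}}.
    """
    probes = defaultdict(dict)  # ip -> {(kind, name): True if any 200 seen}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, path, status = m.group(1), m.group(2), int(m.group(3))
        addon = ADDON_RE.match(path)
        if not addon:
            continue
        key = (addon.group(1), addon.group(2))
        probes[ip][key] = probes[ip].get(key, False) or status == 200
    findings = {}
    for ip, seen in probes.items():
        misses = sum(1 for ok in seen.values() if not ok)
        # Normal visitors touch few addon paths and rarely hit missing ones.
        if len(seen) >= min_distinct and misses / len(seen) >= min_miss_ratio:
            found = sorted(name for (_, name), ok in seen.items() if ok)
            findings[ip] = {"probed": len(seen), "found": found}
    return findings

if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
```

The `found` list is what an unauthenticated client learned about installed addons, which is the set to review against current security advisories.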

indhu85 commented 2 years ago

Hi @SamJoan ,

Does the returned droopescan plugin list contain only active modules, or does it include inactive (disabled) modules also?

SamJoan commented 2 years ago

I would have to look into this but I believe that droopescan returns both active and inactive plugins.