wpscanteam / wpscan

WPScan WordPress security scanner. Written for security professionals and blog maintainers to test the security of their WordPress websites. Contact us via contact@wpscan.com
https://wpscan.com/wordpress-cli-scanner

WPScan 3.8.17 - API Token error code: 1020 #1660

Closed D3vil0p3r closed 3 years ago

D3vil0p3r commented 3 years ago

Hi, recently, when I test my test WordPress site (no additions, only default WordPress core contents) and use the --api-token argument, I get the following error:

username@hostname:~$ wpscan --url https://testwebsite.com --api-token


     __          _______   _____
     \ \        / /  __ \ / ____|
      \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
       \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
        \  /\  /  | |     ____) | (__| (_| | | | |
         \/  \/   |_|    |_____/ \___|\__,_|_| |_|

     WordPress Security Scanner by the WPScan Team
                     Version 3.8.17
   Sponsored by Automattic - https://automattic.com/
   @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart

Scan Aborted: lexical error: invalid char in json text. error code: 1020 (right here) ------^

Trace:
/usr/lib/ruby/vendor_ruby/yajl/json_gem/parsing.rb:15:in 'rescue in parse'
/usr/lib/ruby/vendor_ruby/yajl/json_gem/parsing.rb:11:in 'parse'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.17/lib/wpscan/db/vuln_api.rb:30:in 'get'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.17/lib/wpscan/db/vuln_api.rb:63:in 'status'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.17/app/controllers/vuln_api.rb:23:in 'before_scan'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.5/lib/cms_scanner/controllers.rb:46:in 'each'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.5/lib/cms_scanner/controllers.rb:46:in 'block in run'
/usr/lib/ruby/2.7.0/timeout.rb:78:in 'timeout'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.5/lib/cms_scanner/controllers.rb:45:in 'run'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.5/lib/cms_scanner/scan.rb:24:in 'run'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.17/bin/wpscan:17:in 'block in <top (required)>'
/usr/share/rubygems-integration/all/gems/cms_scanner-0.13.5/lib/cms_scanner/scan.rb:15:in 'initialize'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.17/bin/wpscan:6:in 'new'
/usr/share/rubygems-integration/all/gems/wpscan-3.8.17/bin/wpscan:6:in '<top (required)>'
/usr/bin/wpscan:23:in 'load'
/usr/bin/wpscan:23:in 'main'

My test target is reachable because if I don't use the --api-token argument, I get consistent output.

My environment is:

How can I solve this issue?

Thank you

firefart commented 3 years ago

Hi, error 1020 means you are blocked or challenged by Cloudflare. Are you accessing the API via TOR?
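
An added example, not part of this thread and not WPScan's own code: the trace above shows the plain-text body `error code: 1020` being handed straight to the JSON parser, so a client can check the response before parsing and report the block directly. The class and method names, the HTTP status codes, the content types and the JSON field names in the samples are assumptions constructed for illustration.

```ruby
require 'json'

# Hypothetical error types for this example (not WPScan classes).
class ApiResponseError < StandardError; end
class ApiBlockedError < ApiResponseError; end

# Short plain-text block body, matching the text seen in the report above.
CF_ERROR_BODY = /\Aerror code: (\d{4})\s*\z/

# Validate an HTTP response from a JSON API before parsing it.
# status: Integer, content_type: String or nil, body: String.
def parse_api_response(status, content_type, body)
  if (m = CF_ERROR_BODY.match(body.to_s.strip))
    raise ApiBlockedError,
          "API request blocked by Cloudflare (error #{m[1]}, HTTP #{status}); " \
          'check the network path used to reach the API'
  end

  unless content_type.to_s.downcase.start_with?('application/json')
    raise ApiResponseError,
          "Expected JSON from API, got #{content_type.inspect} (HTTP #{status})"
  end

  JSON.parse(body)
rescue JSON::ParserError => e
  # Malformed JSON becomes a readable error instead of a raw parser trace.
  raise ApiResponseError, "API returned malformed JSON (HTTP #{status}): #{e.message[0, 80]}"
end

# Constructed sample responses: [status, content type, body].
SAMPLES = {
  ok:      [200, 'application/json; charset=utf-8', '{"plan":"free","requests_remaining":25}'],
  blocked: [403, 'text/plain; charset=UTF-8', 'error code: 1020'],
  html:    [503, 'text/html', '<html><body>Service unavailable</body></html>']
}.freeze

# Returns the parsed hash as a string, or "ErrorClass: message" on failure.
def describe(sample)
  parse_api_response(*SAMPLES.fetch(sample)).inspect
rescue ApiResponseError => e
  "#{e.class}: #{e.message}"
end

SAMPLES.each_key { |name| puts "#{name}: #{describe(name)}" } if $PROGRAM_NAME == __FILE__
```
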

D3vil0p3r commented 3 years ago

Hi, thank you for your answer,

I guess you mean the Cloudflare solution is on the wpscan service, right?

Because my test website does not have that solution in front of it, and also because when I try to access wpscan.com via TOR, I receive Error 1020 from WPScan's Cloudflare.

firefart commented 3 years ago

TOR should now be allowed for API calls, please try again

D3vil0p3r commented 3 years ago

@FireFart I confirm that it now works as expected.

Thank you for your support.