Drupal Security Scanner
Oct 23, 2012

Recently I was in need of a simple “Drupal security scanner” which enumerates all modules of a Drupal project so I can do a source code audit on them. The only things I could find for this were some you-have-to-be-a-member sites and a script called Because the author’s site of the script was not accessible, I decided to write my own little tool in Ruby which can be easily plugged into another project I’m currently realising.


DrupalScan can be installed via rubygems:

$ gem install DrupalScan

You can also find this project on GitHub.

After installation you can use it directly on the command line or by requiring the lib.

Command Line Usage

$ DrupalScan -h                  
Usage: DrupalScan <url> [--no-module-lookup]
    -u, --url URL                    URL of drupal project. Example:
    -n, --no-module-lookup           Disable module lookup on
    -h, --help                       Show this help
$ DrupalScan -u
Version: Drupal 6.26, 2012-05-02
Found 'flot'
 -> This module provides an API and views integration for using the flot graphing library. It is designed to make it simple to add flot graphs or charts, it supports line, bar and pie charts.

Found 'drupalorg'
 -> Customizations used on itself.  It is not meant to be useful to other sites, except as an educational example of the kinds of modifications you can make via a site-specific module.

Found 'token'
 -> Tokens are small bits of text that can be placed into larger documents via simple placeholders, like %site-name or [user]. The Token module provides a central API for modules to use these tokens, and expose their own token values.

Found 'httpbl'
 -> Implementation of http:BL for Drupal. http:BL can prevent email address harvesters and comment spammers from visiting your site by using a centralized DNS blacklist. It requires a free Project Honey Pot membership. This module provides efficient blacklist lookups and blocks malicious visitors effectively.
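
For a source code audit it helps to turn this output into a worklist. The following Ruby sketch is an added example, not code from the DrupalScan gem: it parses captured CLI output in the format shown above, and the names parse_drupalscan, audit_worklist and ScanReport are hypothetical. The sample text is constructed, and a "Found" line without a description is an assumption about what a run without module lookup prints.

```ruby
# Added example, not part of the DrupalScan gem. All names below are hypothetical.
# SAMPLE_OUTPUT is constructed from the output format shown in the post.
SAMPLE_OUTPUT = <<~OUT
  Version: Drupal 6.26, 2012-05-02
  Found 'flot'
   -> This module provides an API and views integration for the flot library.

  Found 'token'
   -> Tokens are small bits of text that can be placed into larger documents.

  Found 'httpbl'
  Found 'token'
OUT

ScanReport = Struct.new(:core_version, :release_date, :modules)

# Parse captured CLI output into a ScanReport; modules maps name => description.
def parse_drupalscan(text)
  report = ScanReport.new(nil, nil, {})
  current = nil
  text.each_line do |raw|
    case raw.rstrip
    when /\AVersion:\s*Drupal\s+(\d+(?:\.\d+)*)(?:,\s*(\d{4}-\d{2}-\d{2}))?/
      report.core_version = Regexp.last_match(1)
      report.release_date = Regexp.last_match(2)
    when /\AFound '([a-z][a-z0-9_]*)'\z/
      # Accept only valid Drupal machine names, so odd input never reaches
      # later tooling as a path or URL fragment. Duplicates collapse.
      current = Regexp.last_match(1)
      report.modules[current] ||= nil
    when /\A\s*->\s*(.+)\z/
      report.modules[current] ||= Regexp.last_match(1) if current
    when ""
      current = nil
    end
  end
  report
end

# One checklist line per module, tagged with the core branch (e.g. "6.x")
# whose release of the module should be pulled for review.
def audit_worklist(report)
  major = report.core_version.to_s[/\A\d+/]
  branch = major ? "#{major}.x" : "unknown"
  report.modules.map do |name, desc|
    format("[ ] %-10s core %s  %s", name, branch, desc || "(no description)")
  end
end

puts audit_worklist(parse_drupalscan(SAMPLE_OUTPUT)) if __FILE__ == $PROGRAM_NAME
```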

Using DrupalScan in your own script

require 'DrupalScan'
version = DrupalScan::getVersion("")
modules = DrupalScan::enumerateModules("")

Feel free to fork.
