Drupal Security Scanner

2012-10-23

DPscan.py to DrupalScan

Recently I was in need of a simple "Drupal security scanner" which enumerates all modules of a Drupal project so I can do a source code audit on them. The only things I could find for this were some you-have-to-be-a-member sites and a script called WPscan.py. Because the script author's site was not accessible, I decided to write my own little tool in Ruby which can be easily plugged into another project I'm currently realising.

DrupalScan

DrupalScan can be installed via rubygems:

$ gem install DrupalScan

You can also find this project on github.

After installation you can use it directly in the command line or by requiring the lib.

Command Line Usage

$ DrupalScan -h
Usage: DrupalScan <url> [--no-module-lookup]
    -u, --url URL                    URL of drupal project. Example: http://drupal.org
    -n, --no-module-lookup           Disable module lookup on drupal.org
    -h, --help                       Show this help
$ DrupalScan -u http://drupal.org
Version: Drupal 6.26, 2012-05-02
Found 'flot'
 -> This module provides an API and views integration for using the flot graphing library. It is designed to make it simple to add flot graphs or charts, it supports line, bar and pie charts.http://drupal.org/project/flot

Found 'drupalorg'
 -> Customizations used on drupal.org itself.  It is not meant to be useful to other sites, except as an educational example of the kinds of modifications you can make via a site-specific module.http://drupal.org/project/drupalorg

Found 'token'
 -> Tokens are small bits of text that can be placed into larger documents via simple placeholders, like %site-name or [user]. The Token module provides a central API for modules to use these tokens, and expose their own token values.http://drupal.org/project/token

Found 'httpbl'
 -> Implementation of http:BL for Drupal. http:BL can prevent email address harvesters and comment spammers from visiting your site by using a centralized DNS blacklist. It requires a free Project Honey Pot membership. This module provides efficient blacklist lookups and blocks malicious visitors effectively.http://drupal.org/project/httpbl

Using DrupalScan in your own script

require 'DrupalScan'
# Detected Drupal core version (the "Version:" line in the command line output above)
version = DrupalScan::getVersion("http://drupal.org")
# Modules detected on the target (the "Found '...'" entries in the command line output above)
modules = DrupalScan::enumerateModules("http://drupal.org")
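As an added example of plugging the library into a script of your own (this is not code from the DrupalScan gem), the following turns the two calls above into a small audit report for sites you administer: it parses the core version string, compares it with the newest release you have verified for that branch, and lists the detected modules, flagging any you still have to review. It assumes that DrupalScan::getVersion returns the version string in the form shown in the command line output ("Drupal 6.26, 2012-05-02") and that DrupalScan::enumerateModules returns an enumerable of module names; both calls are injected as lambdas so the reporting logic also runs on recorded results without the gem or network access. The baseline release numbers are placeholders, not release data.

```ruby
require 'date'

# Added example, not part of the DrupalScan gem. Assumptions:
#   * DrupalScan::getVersion(url) returns a string such as "Drupal 6.26, 2012-05-02";
#   * DrupalScan::enumerateModules(url) returns an enumerable of module names.
# Both are passed in as lambdas so the logic can run on recorded results.

VERSION_RE = /\ADrupal\s+(\d+)\.(\d+)(?:,\s*(\d{4}-\d{2}-\d{2}))?/

# Parse "Drupal 6.26, 2012-05-02" into its parts; nil when the string is not
# in the expected form (for example when the scanner could not read a version).
def parse_core_version(str)
  m = VERSION_RE.match(str.to_s.strip)
  return nil unless m
  { major: m[1].to_i, minor: m[2].to_i,
    released: m[3] && Date.iso8601(m[3]) }
end

# baseline: newest minor release you have verified per major branch,
# e.g. { 6 => 28, 7 => 18 } (placeholder numbers, not release data).
# Returns true/false, or nil when no judgement is possible.
def core_outdated?(version, baseline)
  return nil if version.nil?            # version unknown
  latest = baseline[version[:major]]
  return nil if latest.nil?             # branch not covered by the baseline
  version[:minor] < latest
end

# Build one report hash for a site. The lambdas wrap the scanner calls, so the
# same code runs against DrupalScan or against recorded results.
def audit_site(url, baseline, watch_modules: [], version_lookup:, module_lookup:)
  raw     = version_lookup.call(url)
  version = parse_core_version(raw)
  modules = Array(module_lookup.call(url)).map(&:to_s)
  {
    url:           url,
    version:       raw,
    outdated_core: core_outdated?(version, baseline),
    modules:       modules.sort,
    # modules you want to be told about explicitly, e.g. ones not yet audited
    flagged:       (modules & watch_modules).sort,
  }
end

def format_report(report)
  lines = ["#{report[:url]}: #{report[:version] || 'version unknown'}"]
  lines << "  core outdated: #{report[:outdated_core].inspect}"
  lines << "  modules (#{report[:modules].size}): #{report[:modules].join(', ')}"
  lines << "  flagged: #{report[:flagged].join(', ')}" unless report[:flagged].empty?
  lines.join("\n")
end

# Real run against the gem: pass the URL of a site you administer as the
# first argument. Baseline numbers are placeholders to replace with the
# releases you have verified.
if __FILE__ == $0 && !ARGV.empty?
  begin
    require 'DrupalScan'
    baseline = { 6 => 28, 7 => 18 }
    report = audit_site(ARGV[0], baseline,
                        watch_modules: %w[token],
                        version_lookup: ->(u) { DrupalScan::getVersion(u) },
                        module_lookup:  ->(u) { DrupalScan::enumerateModules(u) })
    puts format_report(report)
  rescue LoadError
    warn 'DrupalScan gem not installed (gem install DrupalScan)'
  end
end
```

The scanner calls are kept behind lambdas on purpose: the parsing and comparison can be unit-tested with recorded output (as in the constructed results below), and swapping in a different module lookup, for instance one that reads a local sites/all/modules directory, does not touch the reporting code.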

Feel free to fork.