Skip to content

:shipit: A wordpress security auditor! Audit your wordpress application for security issues with even 1 request.

License

Notifications You must be signed in to change notification settings

chrispetrou/FastAudit

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

63 Commits
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Repository files navigation

A simple and minimal wordpress security auditor!
Audit your wordpress application for security issues with even 1 request.

GPLv3 license version Known Vulnerabilities


FastAudit is a simple wordpress enumeration tool and security auditor, able to detect possible security issues with even one web-request.

It is inspired by the amazing WPScan tool and is of course powered by the WPScan Vulnerability Database to identify possible plugin/theme/wpVersion-related vulnerabilities. It performs basic enumeration based on classic techniques and It's nice to use for a fast scan to enumerate the basics. What is special about this tool is that in order to identify possible vulnerabilities (using -ep option), it makes only one web-request to the application, so it doesn't slow it down in any way and doesn't mess with its functionality.

This tool is only for enumeration and not for exploitation - so it doesn't perform any kind of brute-force attack or any other attack in general. This tool can be used by developers and security engineers to scan their wordpress applications for possible vulberabilities (e.g. old plugins etc...) and fix them as soon as possible - that's all!


Features

  • enumerates wp-version/theme/users/plugins
  • based on the aboved results uses WPScan Vulnerability Database to search for potential vulnerabilities
  • utilizes shodan-API to search for additional vulnerabilities (shodan account required for this feature, may also give false positives sometimes)
  • utilizes haveibeenpwned service to search if a password (in sha1) has been used/breached before (useful for developers to test their passwords).

Requirements:

Note: To install the requirements:

pip install -r requirements.txt --upgrade --user

Notes

For the shodan and/or proxy to work, you have to set the appropriate values on config.cfg. Also even if --useragent options is provided, requests to haveibeenpwned service will be made using FastAudit_Agent as user-agent.

TODO

Contributions & Feedback

Feedback and contributions are welcome. If you find any bug or have a feature request feel free to open an issue, and as soon as I review it I'll try to fix it!

Disclaimer

This tool is only for testing and academic purposes and can only be used where strict consent has been given. Do not use it for illegal purposes! It is the end user’s responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this tool and software in general.

Credits

References

License

This project is licensed under the GPLv3 License - see the LICENSE file for details