JoomScan

JoomScan is an open-source vulnerability scanner specifically designed for Joomla CMS installations. Developed by OWASP, it identifies security vulnerabilities, misconfigurations, and outdated components in Joomla systems during authorized security assessments.

The tool automates detection of known vulnerabilities in Joomla core, components, modules, and plugins, providing comprehensive security assessment for Joomla-based web applications.

  • Perl 5.10 or higher
  • LWP::UserAgent Perl module
  • HTTP::Request Perl module
  • Curl (optional, for additional features)
  • Network connectivity to target

# Install Perl and dependencies
sudo apt-get update
sudo apt-get install perl libwww-perl curl

# Clone JoomScan repository
git clone https://github.com/OWASP/joomscan.git
cd joomscan

# Make executable
chmod +x joomscan.pl

# Test installation
perl joomscan.pl -h

# Install Perl modules via Homebrew
brew install perl

# Using CPAN
sudo cpan LWP::UserAgent
sudo cpan HTTP::Request

# Clone and setup
git clone https://github.com/OWASP/joomscan.git
cd joomscan
chmod +x joomscan.pl

# Build Docker image
docker build -t joomscan .

# Run scanner
docker run -it joomscan perl joomscan.pl -u http://target.com

# With volume mount
docker run -it -v "$(pwd)":/workspace joomscan \
  perl joomscan.pl -u http://target.example.com

# Install required modules
sudo cpan LWP::UserAgent
sudo cpan JSON
sudo cpan Getopt::Long

# Verify installation
perl -e 'use LWP::UserAgent; print "OK\n"'

perl joomscan.pl [OPTIONS] -u <URL>

Option            Description
-u, --url         Target Joomla URL
-e, --enumerate   Enumerate components and modules
-g, --get         HTTP GET method (default)
-p, --post        HTTP POST method
-s, --submit      Submit findings to OWASP
-v, --verbose     Verbose output
-h, --help        Display help

# Scan single Joomla site
perl joomscan.pl -u http://target.com

# Scan with port specification
perl joomscan.pl -u http://target.com:8080

# Scan HTTPS site
perl joomscan.pl -u https://target.com

# Include detailed enumeration
perl joomscan.pl -u http://target.com -e

# Verbose output for debugging
perl joomscan.pl -u http://target.com -v

# Identify Joomla installation
perl joomscan.pl -u http://target.com

# JoomScan detects:
# - Joomla presence via characteristic files:
#   - /administrator/
#   - /media/
#   - /plugins/
#   - /components/
# - Version identification
# - Generator meta tag analysis

Category                 Scans
Core Vulnerabilities     Joomla version exploits
Component Flaws          Vulnerable third-party extensions
Module Issues            Insecure custom modules
Plugin Exploits          Vulnerable plugins
Configuration Errors     Exposed files and directories
Information Disclosure   Version leaks, file exposure

# Full vulnerability scan
perl joomscan.pl -u http://target.com -e -v

# Components enumeration and vulnerability check
perl joomscan.pl -u http://target.com \
  -e --enumeration-components

# Check for specific vulnerabilities
perl joomscan.pl -u http://target.com \
  --check-cve CVE-2019-6341

# Scan subdirectories
perl joomscan.pl -u http://target.com/cms/

# Detect Joomla version through multiple methods

# Check version in various locations:
# 1. Manifest.xml files
perl joomscan.pl -u http://target.com -v | grep -i "version"

# 2. Generator meta tag
curl -s http://target.com | grep -i "generator"

# 3. CSS and JavaScript file versions
curl -s http://target.com/media/system/css/ | grep "\.css"

# 4. administrator directory
curl -s http://target.com/administrator/ | grep -i "joomla"

# JoomScan checks detected version against vulnerability database

# Common vulnerable versions:
# - Joomla 1.5.x - Multiple RCE vulnerabilities
# - Joomla 2.5.x - Session hijacking, SQL injection
# - Joomla 3.0-3.4 - COM_FIELDS SQL injection
# - Joomla 3.5-3.9 - Multiple security issues

# View vulnerability details
perl joomscan.pl -u http://target.com -v | \
  grep -A 5 "vulnerability"

# Enumerate all components
perl joomscan.pl -u http://target.com -e

# Components typically located in
# /components/com_*/

# JoomScan discovers:
# - Component names
# - Versions if identifiable
# - Known vulnerabilities
# - Exploitation possibilities

# Manual component discovery
for component in $(curl -s http://target.com | grep -o "com_[a-zA-Z0-9_]*" | sort -u); do
    echo "Found: $component"
    curl -I http://target.com/components/$component/
done

# Enumerate and check vulnerabilities
perl joomscan.pl -u http://target.com -e --enumeration-components

# Common vulnerable components:
# - com_jce (File manager)
# - com_virtuemart (E-commerce)
# - com_k2 (Content management)
# - com_eshop (Shopping)
# - com_easydiscuss (Forum)

# Check specific component version
curl http://target.com/components/com_jce/ | grep -i "version"

# Find installed modules
perl joomscan.pl -u http://target.com -e

# Modules typically in:
# /modules/mod_*/
# /administrator/modules/mod_*/

# Check for suspicious modules
curl -s http://target.com | grep -o "mod_[a-zA-Z0-9_]*"

# List module files
curl -s http://target.com/modules/ | grep "\.php"

# Plugin information in database queries if accessible
# Typically in jos_extensions table

# Plugins directory
# /plugins/

# JoomScan checks plugin presence through:
# - manifest.xml files
# - Directory listings (if enabled)
# - Reference in HTML comments

# Check for exposed configuration
perl joomscan.pl -u http://target.com -v

# Look for:
# - configuration.php (should not be web accessible)
# - administrator/manifests/
# - plugins directory listing
# - components directory listing

# Test for configuration exposure
curl http://target.com/configuration.php
curl http://target.com/components/

# Check .htaccess protection
curl -I http://target.com/plugins/

# JoomScan identifies exposed information

# Common disclosures:
# - Joomla version in generator tag
# - Administrator path exposure
# - Module and component names
# - Detailed error messages
# - Directory listing enabled

# Manual checks
curl -s http://target.com | grep -i "joomla"
curl -s http://target.com/administrator/ | head -20
curl -s http://target.com/plugins/ | grep "Index of"
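
The manual checks above can be made repeatable by running them against saved response bodies (for example the output of `curl -s` redirected to a file), before and after hardening. The following is an added example, not part of JoomScan or the original page; the function names and the sample HTML are constructed for illustration.

```shell
#!/bin/sh
# Added example: check saved response bodies for two of the disclosures above.

# Print the content attribute of <meta name="generator" ...>, or nothing.
generator_tag() {
    tr '\n' ' ' < "$1" |
        grep -oiE '<meta[^>]*name="generator"[^>]*>' |
        sed -nE 's/.*content="([^"]*)".*/\1/p' | head -n 1
}

# Succeed if the body looks like a server-generated directory index.
has_dir_listing() {
    grep -qi 'Index of /' "$1"
}

# $1 = saved home page body, $2 = saved body of a directory URL (e.g. /plugins/)
disclosure_report() {
    gen=$(generator_tag "$1")
    if [ -z "$gen" ]; then
        echo "generator: absent"
    elif printf '%s' "$gen" | grep -qE '[0-9]+\.[0-9]+'; then
        echo "generator: version exposed ($gen)"
    else
        echo "generator: present, no version ($gen)"
    fi
    if has_dir_listing "$2"; then
        echo "listing: enabled"
    else
        echo "listing: disabled"
    fi
}

# Constructed sample bodies (not captured from any real site).
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/home_before.html" <<'EOF'
<html><head>
<meta name="generator" content="Joomla! 1.5 - Open Source Content Management" />
</head><body>Home</body></html>
EOF
printf '<html><head><title>Index of /plugins</title></head></html>\n' \
    > "$SAMPLES/plugins_before.html"
printf '<html><head><title>Home</title></head><body>Home</body></html>\n' \
    > "$SAMPLES/home_after.html"
printf '<html><body><h1>403 Forbidden</h1></body></html>\n' \
    > "$SAMPLES/plugins_after.html"

disclosure_report "$SAMPLES/home_before.html" "$SAMPLES/plugins_before.html"
disclosure_report "$SAMPLES/home_after.html" "$SAMPLES/plugins_after.html"
```
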
# Use GET method (default)
perl joomscan.pl -u http://target.com -g

# Use POST method
perl joomscan.pl -u http://target.com -p

# Test different methods
perl joomscan.pl -u http://target.com --method=HEAD

# Extended component enumeration
perl joomscan.pl -u http://target.com \
  -e --aggressive

# Slow scan to avoid detection
perl joomscan.pl -u http://target.com \
  --delay=2  # 2 second delay between requests

# Deep directory traversal attempt
perl joomscan.pl -u http://target.com \
  --enumerate-all

# Specify proxy
perl joomscan.pl -u http://target.com \
  --proxy http://127.0.0.1:8080

# Custom user agent
perl joomscan.pl -u http://target.com \
  --user-agent "Mozilla/5.0"

# Add headers
perl joomscan.pl -u http://target.com \
  --header "Authorization: Bearer token"

# Standard terminal output
perl joomscan.pl -u http://target.com | tee scan_results.txt

# Save to file
perl joomscan.pl -u http://target.com > results.txt 2>&1

# Verbose output with all details
perl joomscan.pl -u http://target.com -v > detailed_results.txt

# JSON output (if supported)
perl joomscan.pl -u http://target.com --json > results.json

# Extract vulnerability summary
grep -i "vulnerability\|vulnerable" results.txt

# Count findings
grep -c "\[!" results.txt  # Confirmed vulnerabilities
grep -c "\[+\]" results.txt  # Potential issues

# List all components found
grep "Component" results.txt | sort -u

# Identify critical issues
grep -E "RCE|SQL Injection|Authentication" results.txt

# Create target list
cat > targets.txt << EOF
http://site1.com
http://site2.com
https://site3.com
http://site4.com:8080
EOF

# Scan all targets
# -r keeps backslashes literal; IFS= preserves surrounding whitespace
while IFS= read -r target; do
    echo "Scanning: $target"
    perl joomscan.pl -u "$target" -e > "${target//\//-}-results.txt"
done < targets.txt

#!/bin/bash
# Comprehensive Joomla scanning script

TARGETS="${1:-targets.txt}"
REPORT_DIR="joomla_reports"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)

mkdir -p "$REPORT_DIR/$TIMESTAMP"

# -r keeps backslashes literal; IFS= preserves surrounding whitespace
while IFS= read -r target; do
    # Skip blank lines in the target list
    [ -z "$target" ] && continue
    echo "[*] Scanning: $target"

    output_file="$REPORT_DIR/$TIMESTAMP/${target//\//-}.txt"

    # Run scan with enumeration
    perl joomscan.pl -u "$target" -e -v > "$output_file"

    # Collect key findings first, so the summary is not read back into itself
    summary=$(grep -E "vulnerability|vulnerable|RCE|SQL" "$output_file" | sort -u)
    {
        echo "=== SUMMARY ==="
        echo "$summary"
    } >> "$output_file"

    echo "[+] Results saved to $output_file"
done < "$TARGETS"

echo "[+] All scans complete. Reports in $REPORT_DIR/$TIMESTAMP"
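
The batch script above scans every line of the target list as given. The following added example (not part of JoomScan or the original page) shows one way to gate a batch run on a written scope list and to derive report file names safely; the scope-file format, the function names, and the `.example` hosts are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: build a scan plan that only includes hosts from a scope file.

# Print the lowercase host of scheme://host[:port][/path]; print nothing for
# anything else (userinfo such as user@host is rejected, so it fails closed).
url_host() {
    printf '%s\n' "$1" |
        sed -nE 's#^https?://([^/:@]+)(:[0-9]+)?(/.*)?$#\1#p' |
        tr 'A-Z' 'a-z'
}

# Succeed only if the target's host is an exact line in scope file $2.
in_scope() {
    host=$(url_host "$1")
    [ -n "$host" ] && grep -qxF -- "$host" "$2"
}

# Map a URL to a report name made only of [A-Za-z0-9._-].
safe_name() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9._-' '_'
}

# $1 = targets file, $2 = scope file, $3 = report directory
plan_scans() {
    while IFS= read -r target || [ -n "$target" ]; do
        case "$target" in '' | '#'*) continue ;; esac
        if in_scope "$target" "$2"; then
            echo "SCAN $target -> $3/$(safe_name "$target").txt"
        else
            echo "SKIP $target (host not in scope file)"
        fi
    done < "$1"
}

# Constructed sample input (reserved .example names, not real targets).
DEMO=$(mktemp -d)
printf '%s\n' 'shop.example' 'blog.example' > "$DEMO/scope.txt"
printf '%s\n' 'http://shop.example' 'https://blog.example:8443/cms/' \
    'http://other.example' 'http://shop.example:x@other.example/' \
    > "$DEMO/targets.txt"

plan_scans "$DEMO/targets.txt" "$DEMO/scope.txt" "joomla_reports"
```

Only lines marked SCAN would be handed to the `perl joomscan.pl -u` invocation from the script above; everything else is logged and skipped.
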
# SQL Injection in components
# - com_fields (CVE-2019-6340, CVE-2019-6341)
# Exploitation through component parameters

# Remote Code Execution
# - Privilege escalation in admin panel
# - File upload vulnerabilities
# - Template file manipulation

# Information Disclosure
# - Administrator enumeration
# - Configuration file exposure
# - Error message information leaks

# Verify findings manually
curl -v http://target.com/administrator/

# Check component accessibility
curl http://target.com/components/com_jce/

# Test for injection points
curl "http://target.com/index.php?option=com_component&id=1%27"

# Try exploitation if applicable (authorized only)
# Use framework exploits (Metasploit, etc.)

  • Obtain written authorization before scanning
  • Define clear scope of testing
  • Notify system administrators beforehand
  • Avoid aggressive scanning on production systems
  • Document all findings systematically
  • Follow responsible disclosure procedures
  • Maintain confidentiality of results

# 1. Initial reconnaissance
perl joomscan.pl -u http://target.com -v

# 2. Detailed enumeration
perl joomscan.pl -u http://target.com -e -v

# 3. Analyze results
# - Prioritize by severity
# - Group by component/module
# - Cross-reference with exploit databases

# 4. Documentation
# - Record all findings
# - Note verification methods
# - Provide remediation guidance

# Reduce scan time with targeted approach
# - Scan core first
# - Then enumerate components
# - Finally check configurations

# Use timeouts for slow targets
perl joomscan.pl -u http://slow-target.com \
  --timeout=30

# Parallel scanning multiple targets
for target in $(cat targets.txt); do
    perl joomscan.pl -u "$target" -e &
done
wait

Issue                   Solution
Perl module not found   Install via cpan: cpan Module::Name
Connection timeout      Increase timeout, check connectivity
Joomla not detected     Verify URL, check Joomla installation
No results              Try verbose mode, check proxy settings
Blocked by WAF          Adjust delay, try different user-agent

# Enable debug output
perl -d:Trace joomscan.pl -u http://target.com

# Verbose + debug
perl joomscan.pl -u http://target.com -v -v -v

# Check Perl modules
perl -e 'use LWP::UserAgent; print "OK\n"'

  • Joomla Security Guidelines
  • OWASP CMS Security Testing
  • Vulnerability Database (exploit-db.com)
  • Metasploit Joomla modules
  • Web application security assessment methodologies
  • Component-specific security advisories