Overview
JoomScan is an open-source vulnerability scanner specifically designed for Joomla CMS installations. Developed by OWASP, it identifies security vulnerabilities, misconfigurations, and outdated components in Joomla systems during authorized security assessments.
The tool automates detection of known vulnerabilities in Joomla core, components, modules, and plugins, providing comprehensive security assessment for Joomla-based web applications.
Installation
Prerequisites
- Perl 5.10 or higher
- LWP::UserAgent Perl module
- HTTP::Request Perl module
- Curl (optional, for additional features)
- Network connectivity to target
Linux Installation
# Install Perl and dependencies
sudo apt-get update
sudo apt-get install perl libwww-perl curl
# Clone JoomScan repository
git clone https://github.com/OWASP/joomscan.git
cd joomscan
# Make executable
chmod +x joomscan.pl
# Test installation
perl joomscan.pl -h
macOS Installation
# Install Perl modules via Homebrew
brew install perl
# Using CPAN
sudo cpan LWP::UserAgent
sudo cpan HTTP::Request
# Clone and setup
git clone https://github.com/OWASP/joomscan.git
cd joomscan
chmod +x joomscan.pl
Docker Installation
# Build Docker image
docker build -t joomscan .
# Run scanner
docker run -it joomscan perl joomscan.pl -u http://target.com
# With volume mount
docker run -it -v $(pwd):/workspace joomscan \
perl joomscan.pl -u http://target.example.com
Manual Perl Installation
# Install required modules
sudo cpan LWP::UserAgent
sudo cpan JSON
sudo cpan Getopt::Long
# Verify installation
perl -e 'use LWP::UserAgent; print "OK\n"'
Basic Usage
Command Line Syntax
perl joomscan.pl [OPTIONS] -u <URL>
Essential Options
| Option | Description |
|---|---|
| -u, --url | Target Joomla URL |
| -e, --enumerate | Enumerate components and modules |
| -g, --get | HTTP GET method (default) |
| -p, --post | HTTP POST method |
| -s, --submit | Submit findings to OWASP |
| -v, --verbose | Verbose output |
| -h, --help | Display help |
Target Discovery and Identification
Basic Scanning
# Scan single Joomla site
perl joomscan.pl -u http://target.com
# Scan with port specification
perl joomscan.pl -u http://target.com:8080
# Scan HTTPS site
perl joomscan.pl -u https://target.com
# Include detailed enumeration
perl joomscan.pl -u http://target.com -e
# Verbose output for debugging
perl joomscan.pl -u http://target.com -v
Joomla Detection
# Identify Joomla installation
perl joomscan.pl -u http://target.com
# JoomScan detects:
# - Joomla presence via characteristic files:
# - /administrator/
# - /media/
# - /plugins/
# - /components/
# - Version identification
# - Generator meta tag analysis
Vulnerability Scanning
Vulnerability Categories
| Category | Scans |
|---|---|
| Core Vulnerabilities | Joomla version exploits |
| Component Flaws | Vulnerable third-party extensions |
| Module Issues | Insecure custom modules |
| Plugin Exploits | Vulnerable plugins |
| Configuration Errors | Exposed files and directories |
| Information Disclosure | Version leaks, file exposure |
Comprehensive Scanning
# Full vulnerability scan
perl joomscan.pl -u http://target.com -e -v
# Components enumeration and vulnerability check
perl joomscan.pl -u http://target.com \
-e --enumeration-components
# Check for specific vulnerabilities
perl joomscan.pl -u http://target.com \
--check-cve CVE-2019-6341
# Scan subdirectories
perl joomscan.pl -u http://target.com/cms/
Core Vulnerability Assessment
Joomla Version Detection
# Detect Joomla version through multiple methods
# Check version in various locations:
# 1. Manifest.xml files
perl joomscan.pl -u http://target.com -v | grep -i "version"
# 2. Generator meta tag
curl -s http://target.com | grep -i "generator"
# 3. CSS and JavaScript file versions
curl -s http://target.com/media/system/css/ | grep "\.css"
# 4. administrator directory
curl -s http://target.com/administrator/ | grep -i "joomla"
Known Version Exploits
# JoomScan checks detected version against vulnerability database
# Common vulnerable versions:
# - Joomla 1.5.x - Multiple RCE vulnerabilities
# - Joomla 2.5.x - Session hijacking, SQL injection
# - Joomla 3.0-3.4 - COM_FIELDS SQL injection
# - Joomla 3.5-3.9 - Multiple security issues
# View vulnerability details
perl joomscan.pl -u http://target.com -v | \
grep -A 5 "vulnerability"
Component and Extension Enumeration
Discovering Installed Extensions
# Enumerate all components
perl joomscan.pl -u http://target.com -e
# Components typically located in
# /components/com_*/
# JoomScan discovers:
# - Component names
# - Versions if identifiable
# - Known vulnerabilities
# - Exploitation possibilities
# Manual component discovery
for component in $(curl -s http://target.com | grep -o "com_[a-zA-Z0-9_]*" | sort -u); do
echo "Found: $component"
curl -I http://target.com/components/$component/
done
Identifying Vulnerable Components
# Enumerate and check vulnerabilities
perl joomscan.pl -u http://target.com -e --enumeration-components
# Common vulnerable components:
# - com_jce (File manager)
# - com_virtuemart (E-commerce)
# - com_k2 (Content management)
# - com_eshop (Shopping)
# - com_easydiscuss (Forum)
# Check specific component version
curl http://target.com/components/com_jce/ | grep -i "version"
Module and Plugin Detection
Enumerate Modules
# Find installed modules
perl joomscan.pl -u http://target.com -e
# Modules typically in:
# /modules/mod_*/
# /administrator/modules/mod_*/
# Check for suspicious modules
curl -s http://target.com | grep -o "mod_[a-zA-Z0-9_]*"
# List module files
curl -s http://target.com/modules/ | grep "\.php"
Check Plugin Status
# Plugin information is stored in the database, if accessible
# Typically in the jos_extensions table
# Plugins directory
# /plugins/
# JoomScan checks plugin presence through:
# - manifest.xml files
# - Directory listings (if enabled)
# - Reference in HTML comments
Identify Configuration Files
# Check for exposed configuration
perl joomscan.pl -u http://target.com -v
# Look for:
# - configuration.php (should not be web accessible)
# - administrator/manifests/
# - plugins directory listing
# - components directory listing
# Test for configuration exposure
curl http://target.com/configuration.php
curl http://target.com/components/
# Check .htaccess protection
curl -I http://target.com/plugins/
# JoomScan identifies exposed information
# Common disclosures:
# - Joomla version in generator tag
# - Administrator path exposure
# - Module and component names
# - Detailed error messages
# - Directory listing enabled
# Manual checks
curl -s http://target.com | grep -i "joomla"
curl -s http://target.com/administrator/ | head -20
curl -s http://target.com/plugins/ | grep "Index of"
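A 200 status alone does not show that configuration.php is exposed: when PHP executes the file, the body is empty, and the leak only exists when the raw source or an auto-index page comes back. The following added example (not part of JoomScan or the original page) classifies a saved response on that basis; the function name and the sample bodies are constructed for illustration.

```shell
#!/bin/bash
# Added example: classify a fetched response for the exposure checks above.
# classify_exposure and the sample bodies are constructed for illustration.
# Status and body can be saved with:
#   curl -s -o body.txt -w '%{http_code}' <URL>

# Usage: classify_exposure <http_status> <body_file>
# Prints one of: blocked, config-source-leak, directory-listing, ok
classify_exposure() {
    local status="$1" body="$2"
    case "$status" in
        401|403|404) echo "blocked"; return 0 ;;
    esac
    # configuration.php served as text instead of being executed:
    # the raw PHP source (class JConfig and its settings) reaches the client.
    if grep -qE '<\?php|class[[:space:]]+JConfig' "$body"; then
        echo "config-source-leak"
    # Web server auto-index page for a directory without an index file.
    elif grep -qiE '<title>Index of /|Directory listing for' "$body"; then
        echo "directory-listing"
    else
        echo "ok"
    fi
}

# Constructed sample responses (not captured from a real site).
demo_dir=$(mktemp -d)
: > "$demo_dir/executed.txt"    # PHP ran normally: empty body
printf '<?php\nclass JConfig {\n\tpublic $password = "REDACTED";\n}\n' \
    > "$demo_dir/leaked.txt"
printf '<html><head><title>Index of /plugins</title></head></html>\n' \
    > "$demo_dir/listing.txt"

classify_exposure 200 "$demo_dir/executed.txt"
classify_exposure 200 "$demo_dir/leaked.txt"
classify_exposure 200 "$demo_dir/listing.txt"
classify_exposure 403 "$demo_dir/listing.txt"
```

A `blocked` result on /plugins/ or /components/ is the expected state when directory access is denied by the web server.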
Advanced Scanning Options
HTTP Method Selection
# Use GET method (default)
perl joomscan.pl -u http://target.com -g
# Use POST method
perl joomscan.pl -u http://target.com -p
# Test different methods
perl joomscan.pl -u http://target.com --method=HEAD
Aggressive Scanning
# Extended component enumeration
perl joomscan.pl -u http://target.com \
-e --aggressive
# Slow scan to avoid detection
perl joomscan.pl -u http://target.com \
--delay=2 # 2 second delay between requests
# Deep directory traversal attempt
perl joomscan.pl -u http://target.com \
--enumerate-all
Custom Scanning Parameters
# Specify proxy
perl joomscan.pl -u http://target.com \
--proxy http://127.0.0.1:8080
# Custom user agent
perl joomscan.pl -u http://target.com \
--user-agent "Mozilla/5.0"
# Add headers
perl joomscan.pl -u http://target.com \
--header "Authorization: Bearer token"
Output and Reporting
Generate Reports
# Standard terminal output
perl joomscan.pl -u http://target.com | tee scan_results.txt
# Save to file
perl joomscan.pl -u http://target.com > results.txt 2>&1
# Verbose output with all details
perl joomscan.pl -u http://target.com -v > detailed_results.txt
# JSON output (if supported)
perl joomscan.pl -u http://target.com --json > results.json
Analyzing Results
# Extract vulnerability summary
grep -i "vulnerability\|vulnerable" results.txt
# Count findings
grep -c "\[!" results.txt # Confirmed vulnerabilities
grep -c "\[+\]" results.txt # Potential issues
# List all components found
grep "Component" results.txt | sort -u
# Identify critical issues
grep -E "RCE|SQL Injection|Authentication" results.txt
Batch and Automation
Scanning Multiple Targets
# Create target list
cat > targets.txt << EOF
http://site1.com
http://site2.com
https://site3.com
http://site4.com:8080
EOF
# Scan all targets
while IFS= read -r target; do
echo "Scanning: $target"
perl joomscan.pl -u "$target" -e > "${target//\//-}-results.txt"
done < targets.txt
Batch Processing Script
#!/bin/bash
# Comprehensive Joomla scanning script
TARGETS="${1:-targets.txt}"
REPORT_DIR="joomla_reports"
TIMESTAMP=$(date +%Y%m%d_%H%M%S)
mkdir -p "$REPORT_DIR/$TIMESTAMP"
while IFS= read -r target; do
echo "[*] Scanning: $target"
output_file="$REPORT_DIR/$TIMESTAMP/${target//\//-}.txt"
# Run scan with enumeration
perl joomscan.pl -u "$target" -e -v > "$output_file"
# Extract key findings
echo "=== SUMMARY ===" >> "$output_file"
grep -E "vulnerability|vulnerable|RCE|SQL" "$output_file" | \
sort -u >> "$output_file"
echo "[+] Results saved to $output_file"
done < "$TARGETS"
echo "[+] All scans complete. Reports in $REPORT_DIR/$TIMESTAMP"
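The batch loop passes every line of the target list to the scanner, including blank lines, comments and hosts that were never agreed in scope. The following added example (not part of JoomScan or the original page) filters the list against an explicit scope file and derives a safe report name; all function names, file names and sample hosts are constructed for illustration.

```shell
#!/bin/bash
# Added example: scope gate and report naming for a batch scan loop.
# host_of, in_scope, report_name, filter_targets and the sample data
# are illustrative names and constructed values.

# Print the lowercase host of an http(s) URL; fail on any other scheme.
host_of() {
    case "$1" in
        http://*|https://*) ;;
        *) return 1 ;;
    esac
    # Drop scheme, then path/query/fragment, then userinfo, then port.
    printf '%s\n' "$1" \
        | sed -E 's|^https?://||; s|[/?#].*$||; s|^.*@||; s|:[0-9]+$||' \
        | tr 'A-Z' 'a-z'
}

# True only when the URL's host appears verbatim in the scope file.
in_scope() {
    local host
    host=$(host_of "$1") || return 1
    [ -n "$host" ] && grep -qxF -- "$host" "$2"
}

# Map a URL to a report name made only of [A-Za-z0-9._-] and "_".
report_name() {
    printf '%s\n' "$1" | sed -E 's|^https?://||; s|[^A-Za-z0-9._-]|_|g'
}

# Print in-scope targets from list $1 (scope file $2); log the rest.
filter_targets() {
    while IFS= read -r target || [ -n "$target" ]; do
        case "$target" in ''|'#'*) continue ;; esac
        if in_scope "$target" "$2"; then
            printf '%s\n' "$target"
        else
            echo "[-] Out of scope, skipped: $target" >&2
        fi
    done < "$1"
}

# Constructed sample data using reserved .example names.
work=$(mktemp -d)
printf 'site1.example\nsite4.example\n' > "$work/scope.txt"
printf '%s\n' '# engagement targets' 'http://site1.example' \
    'http://SITE4.example:8080/cms/' '' 'https://other.example' \
    'http://site1.example@other.example/' > "$work/targets.txt"

filter_targets "$work/targets.txt" "$work/scope.txt"
```

Feed the output of `filter_targets` into the scan loop and write each report to `"$(report_name "$target").txt"`; the last sample line shows why the host is parsed after the `@` rather than matched as a substring.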
Vulnerability Details and Exploitation
Common Joomla Vulnerabilities
# SQL Injection in components
# - com_fields (CVE-2019-6340, CVE-2019-6341)
# Exploitation through component parameters
# Remote Code Execution
# - Privilege escalation in admin panel
# - File upload vulnerabilities
# - Template file manipulation
# Information Disclosure
# - Administrator enumeration
# - Configuration file exposure
# - Error message information leaks
Post-Scan Actions
# Verify findings manually
curl -v http://target.com/administrator/
# Check component accessibility
curl http://target.com/components/com_jce/
# Test for injection points
curl "http://target.com/index.php?option=com_component&id=1%27"
# Try exploitation if applicable (authorized only)
# Use framework exploits (Metasploit, etc.)
Best Practices
Authorized Security Assessment
- Obtain written authorization before scanning
- Define clear scope of testing
- Notify system administrators beforehand
- Avoid aggressive scanning on production systems
- Document all findings systematically
- Follow responsible disclosure procedures
- Maintain confidentiality of results
Effective Scanning
# 1. Initial reconnaissance
perl joomscan.pl -u http://target.com -v
# 2. Detailed enumeration
perl joomscan.pl -u http://target.com -e -v
# 3. Analyze results
# - Prioritize by severity
# - Group by component/module
# - Cross-reference with exploit databases
# 4. Documentation
# - Record all findings
# - Note verification methods
# - Provide remediation guidance
# Reduce scan time with targeted approach
# - Scan core first
# - Then enumerate components
# - Finally check configurations
# Use timeouts for slow targets
perl joomscan.pl -u http://slow-target.com \
--timeout=30
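# Parallel scanning of multiple targets (one output file per target,
# so results from concurrent scans do not interleave)
while IFS= read -r target; do
perl joomscan.pl -u "$target" -e > "${target//\//-}-results.txt" &
done < targets.txt
wait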
Troubleshooting
Common Issues
| Issue | Solution |
|---|---|
| Perl module not found | Install via cpan: cpan Module::Name |
| Connection timeout | Increase timeout, check connectivity |
| Joomla not detected | Verify URL, check Joomla installation |
| No results | Try verbose mode, check proxy settings |
| Blocked by WAF | Adjust delay, try different user-agent |
Debug Mode
# Enable debug output
perl -d:Trace joomscan.pl -u http://target.com
# Verbose + debug
perl joomscan.pl -u http://target.com -v -v -v
# Check Perl modules
perl -e 'use LWP::UserAgent; print "OK\n"'
See Also
- Joomla Security Guidelines
- OWASP CMS Security Testing
- Vulnerability Database (exploit-db.com)
- Metasploit Joomla modules
- Web application security assessment methodologies
- Component-specific security advisories