Finding and blocking security vulnerabilities in Drupal CMS.

Drupal is one of the most flexible, community-driven web content management systems. Used by over 5 million websites across the world, this open-source CMS is a prime target for hackers too.

It is critical for businesses to find active vulnerabilities before attackers do and patch them. That is exactly where a Drupal security scanner comes to your rescue. Here is a list of the popular options available on the market today.

1. Drupwn

Drupwn is more of a utility tool used to test and exploit weaknesses in Drupal 6 and 8. Also available on GitHub, this Python-based tool works in two modes: enum and exploit, the latter covering a vulnerability checker and a CVE exploiter. Under enum mode, you get:

  • User enumeration
  • Node enumeration
  • Default files enumeration
  • Module enumeration
  • Theme enumeration
  • Cookies support
  • User-Agent support
  • Basic authentication support
  • Request delay
  • Enumeration range
  • Logging
  • Socks and HTTP proxy support

It is not an online service; you have to download it and run it locally.

2. Droopescan Drupal

This Python-based scanner runs four main checks. Droopescan offers the following checks in a tiny, flexible program:

  • Themes
  • Versions
  • Plugins
  • Special URL

Please note that this is not an online scanner: you will need Python installed and the tool downloaded from GitHub to make it work. The same plugin scanner also supports other popular CMSs like WordPress, Moodle, Joomla, and SilverStripe.

3. Pentest Tools

Pentest Tools is a credit-based online scanner, which means that you will have to pay for the usage. It is commonly used to check the risks in plugins, core files and configurations. You will need 50 credits to run each test and the basic plan starts at $45 for 500 credits.

The credits are provided instantly after the purchase and you will get the results in a PDF file. Developed by experts, this tool is used at companies like Accenture and Vodafone.

4. Sucuri

Sucuri is a general-purpose website scanner that identifies known malware. It also checks whether the site is blacklisted, runs outdated software, or shows common website errors. It provides continuous security for Drupal sites and has many other helpful functions as well:

  • Inventory management
  • Continuous monitoring
  • Indicators of Compromise
  • Block software injections
  • Prevent SQL injections
  • Prevent DDoS attacks
  • Prevent Brute Force attacks
  • Global Anycast Network
  • Load Balancing
  • Prevent Spam

It is available for online use.

5. Hacker Test

Hacker Test offers free scanning services at a basic level for your Drupal CMS. It covers a lot of ground and can be upgraded at any time if you want to use the advanced features of the tool.

It is a precise, passive, free online scan that covers:

  • Attempt to detect version of Drupal Core
  • Find Plugins in HTML response
  • Identify theme in use
  • List client-side JS in page
  • List iframes in page
  • Test for directory indexing enabled on key locations
  • Check Google Safe Browsing for reputation
  • Get IP information and Geolocation

This is a passive online scan.

6. Acunetix

Acunetix is one of the oldest tools on the market and has the most advanced features on this list. Its Drupal vulnerability scanner offers visibility into some of the most common security weaknesses, including the OWASP Top 10 and DSS. With compliance-ready reports and solid support from the team, you will not regret paying for this commercial option.

7. Sqreen

Sqreen is an online option whose capabilities go beyond Drupal scanning. This website and web application scanner is effective against most common attack vectors:

  • DDoS
  • Clickjacking
  • Data tampering in transit
  • MIME sniffing
  • Cross-site scripting
  • SQL injection

This online scanner is suitable for any CMS and has a free basic version.

8. Detectify Drupal Scan

When it comes to commercial tools, how about an option that can scan your Drupal CMS for over 1,000 security issues? Detectify is one of the most popular options across businesses of all sizes, including those using other platforms like WordPress, PHP, Joomla, JavaScript, and more.

  • OWASP Top 10
  • Clickjacking
  • MIME attacks
  • Automated scanning

This security scanner is used by companies like Spotify, Trello, and Trustpilot.

9. Qualys

Qualys offers both dynamic and static vulnerability testing of your website. It is marketed as the consolidated way to manage all security risks in a single platform and can offer a lot of value to the users. Available as a cloud platform, Qualys is an interesting option for Drupal vulnerability management.

  • OWASP Top 10 coverage
  • SANS 25 coverage
  • Test IoT and mobile apps
  • Drupal support
  • Simple and comprehensive reports

There is a free trial for the product, but eventually you will have to pay to use it.

Do you know any other tools that we have missed on the list? Let us know about your thoughts on Drupal scanning.
