Scan & Secure Joomla with AppCheck

What is Joomla?

Joomla is a popular Content Management System (CMS) used to manage websites. With over 2.3 million live websites at the time of writing, it is the second most popular CMS platform with around 5% market share, second only to WordPress with a whopping 27 million live sites and 35% market share. (Read more about AppCheck and WordPress here).

Joomla is free and open source, and users can download a wide range of third-party plug-ins to extend their website.


Common Joomla Vulnerabilities

According to a recent report, Joomla ranked third among the most hacked website platforms in 2018.

Below are some common classes of vulnerability found in Joomla that you should be looking out for on your own Joomla website.


Injection Vulnerabilities

Did you think you’d read a list about common vulnerabilities and not see the OWASP Top 10 number 1 on the list?

Many injection vulnerabilities have been reported in Joomla, far too many to name here.

All we will say is: be especially vigilant, make sure your data is safe, and validate all user input.


Cross Site Scripting (XSS)

Another one from the OWASP Top 10 list, and one many are familiar with. XSS is often thought of as targeting users rather than the application itself, although some more complicated attacks can target consumer applications and non-browser systems (think Electron).

Again, there are too many prior vulnerabilities and ways to exploit a Joomla website using XSS to mention in this overview post. Have a look at our post on a historical Joomla security flaw for some ideas on how attackers exploit websites with this technique.


Privilege Escalation

Attackers exploiting your website in this way may be able to bypass the usual account restrictions and raise their account permissions to perform actions that would normally be denied to them. Yes, this may include admin actions such as updating other users and even changing passwords. Privilege escalation can be triggered by numerous things; even SQL injection can lead to it.

Simple ways to help prevent this include keeping privileged log-ins to a minimum and granting each account and process only the permissions it needs.

Ask yourself: do those processes really need that level of permission to run? Enable two-factor authentication and keep systems up to date.


Improper deployment / misconfiguration

Misconfiguration happens. Production environments don't always match UAT, and the differences between the two can let weaknesses slip through. If you are following guides to get things live, they don't always go into full depth on the security controls and concerns.

If you have a vulnerability scanner, make sure to scan in production.

Ensure your configurations are suitable for production. Consider using deployment tools such as Salt, Fabric or Puppet to deploy your applications and manage your environments. This ensures a consistent install based upon a known playbook and allows you to better track configurations.
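One way to catch the UAT-versus-production mismatch described above, as an added example that is not AppCheck's or Joomla's own code: a Python check that reads the `public $name = 'value';` lines of a Joomla `configuration.php` (the JConfig format written by Joomla 3.x, assumed here) and flags the debug and error-reporting settings that should never reach production. Both sample files are constructed for the example.

```python
import re

# Constructed sample of a Joomla configuration.php as it might leave UAT.
# Key names follow the JConfig class Joomla 3.x writes (assumed here).
SAMPLE_CONFIG = """<?php
class JConfig {
    public $offline = '0';
    public $sitename = 'Example Site';
    public $debug = '1';
    public $error_reporting = 'maximum';
    public $dbtype = 'mysqli';
    public $host = 'localhost';
}
"""

# The same file with the two settings corrected for production.
HARDENED_CONFIG = SAMPLE_CONFIG.replace("$debug = '1'", "$debug = '0'") \
                               .replace("'maximum'", "'default'")

# Acceptable production values (assumed): debug off, and PHP errors not
# rendered to visitors ('default' follows php.ini, 'none' suppresses them).
PRODUCTION_EXPECTATIONS = {
    "debug": {"ok": {"0", "false"},
              "why": "debug mode leaks database queries and file paths"},
    "error_reporting": {"ok": {"default", "none"},
                        "why": "PHP errors would be shown to visitors"},
}

# Matches both quoted ('1') and bare (false) values on a JConfig line.
_LINE = re.compile(r"public\s+\$(\w+)\s*=\s*(?:'([^']*)'|([^;\s]+))\s*;")


def parse_jconfig(text: str) -> dict:
    """Return a {setting: value} map of the JConfig properties in text."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in _LINE.finditer(text)}


def audit_config(settings: dict) -> list:
    """Return (setting, value, reason) for each production-unsafe setting."""
    findings = []
    for name, rule in PRODUCTION_EXPECTATIONS.items():
        value = settings.get(name, "<missing>")
        if value.lower() not in rule["ok"]:
            findings.append((name, value, rule["why"]))
    return findings


if __name__ == "__main__":
    for name, value, why in audit_config(parse_jconfig(SAMPLE_CONFIG)):
        print(f"{name} = {value!r}: {why}")
```

Run it against the real `configuration.php` of each environment before go-live, and the two files should produce the same (empty) list of findings.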


Outdated Joomla website versions

In 2018 a report found that around 87.5% of compromised Joomla websites were not running the most recent recommended version at the point of infection.

This can be quite an easy one to manage and can save a lot of headaches. If your website is externally managed, don't be afraid to check with your web developers that the latest version is deployed and that all plug-ins are up to date.

As above – get into the habit of maintaining applications with deployment tools.


Vulnerabilities within Plug-ins and Themes

Downloading off-the-shelf themes and plug-ins is massively handy and saves time, but they can lead to more trouble than they are worth. Once a plug-in stops receiving updates, it can become vulnerable fast.

When looking at installing add-ons created by others, go beyond checking that they are popular: research whether there have been prior security alerts and whether the add-on is still actively maintained.


The above list is by no means exhaustive and represents just a handful of the ways your Joomla website can be exploited. If there were no surprises above and you feel on top of vulnerability management, then hopefully this article has at least provided some peace of mind. Either way, if you would like a free vulnerability scan of your Joomla website, please get in touch.

See below how AppCheck helps identify vulnerabilities in Joomla websites.


AppCheck as a Joomla Vulnerability Scanner

Although AppCheck is platform agnostic, the product includes a range of scan templates to target specific CMS platforms and their known vulnerabilities. Below are a few features of the AppCheck vulnerability scanner to help you identify vulnerabilities within your Joomla website:


  • The scanner checks for thousands of known vulnerable components within content management systems, to identify any plug-ins which may be exposing your website.


  • Username enumeration – AppCheck will attempt to guess usernames and passwords, dynamically building these lists from observed values and common username and password lists.


  • Scans in pre-production to ensure quality control before deployment. This way AppCheck can detect potential vulnerabilities before you publish them to live environments.


  • AppCheck monitors CVEs and updates the software to keep abreast of the latest security flaws.


  • Not only does AppCheck scan against a database of known vulnerable components and security flaws, it employs a ‘first principles’ approach to vulnerability testing, approaching each test the same way a manual tester would. In a nutshell, AppCheck sends payloads to the server and observes the server's response to determine how the data is being processed, and can dynamically evolve each payload to identify vulnerabilities.


  • AppCheck includes unparalleled XSS detection capabilities that have been accredited by Google, Microsoft and eBay (amongst others).


Of course, AppCheck scans for thousands of known vulnerabilities, and the full version of the test is included in each licence, with unlimited users and unlimited back-to-back scans, helping to ensure vulnerabilities are identified so you can start working on fixes as soon as possible.


Read more on AppCheck’s approach to vulnerability testing here: https://appcheck-ng.com/our-approach/


Additional Information

As always, if you require any more information on this topic, or want to see how AppCheck can help find your Joomla vulnerabilities, please get in contact with us: info@appcheck-ng.com


Get started with Appcheck

No software to download or install.
Contact us or call us 0113 887 8380

Start your free trial