freewvs

https://freewvs.schokokeks.org/

free web vulnerability scanner

Hanno Böck - hboeck.de - @hanno

Web applications

Let's assume you run a popular web application like Drupal, Joomla, MediaWiki etc.

Sometimes they have security vulnerabilities

And you forgot to update

And then you get hacked

Your blog now includes JavaScript to mine cryptocurrency, your server is sending spam and someone is hosting a phishing page

So better update

Or use WordPress, it has auto-updates

What if you run a server for many users and you want to know if your users update their web application?

You would like to check

You need freewvs!

This is how it works:


$ freewvs /var/www/
Joomla 3.9.11 (3.9.13) CVE-2019-18674 /var/www/example.org
nextcloud 14.0.1 (14.0.5) CVE-2019-5449 /var/www/cloud.example.org
MediaWiki 1.31.1 (1.31.5) CVE-2019-16738 /var/www/wiki.example.org
$

[
  {
    "name": "MediaWiki",
    "url": "https://www.mediawiki.org/",
    "safe": "1.33.1",
    "old_safe": "1.32.5,1.31.5",
    "vuln": "CVE-2019-16738",
    "latest": "1.33.1",
    "detection": [
      {
        "file": "DefaultSettings.php",
        "variable": "$wgVersion",
        "subdir": 1
      }
    ]
  },
  {...}
]

freewvs

  • 12 years old and still good
  • Free Software (CC0)
  • Written in Python 3
  • Using some string matching and regular expressions to detect applications and version numbers
  • Compares them to data about vulnerable versions
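
The detection and comparison steps listed above, as an added Python example (not freewvs's own code). It works on file content only and leaves out locating the file on disk (the "file" and "subdir" fields). The sample file content, the function names and the reading of "old_safe" as one safe version per major.minor branch are assumptions.

```python
import json
import re

# Constructed sample: one database entry in the format shown above.
ENTRY = json.loads("""{
  "name": "MediaWiki", "safe": "1.33.1", "old_safe": "1.32.5,1.31.5",
  "vuln": "CVE-2019-16738",
  "detection": [{"file": "DefaultSettings.php", "variable": "$wgVersion", "subdir": 1}]
}""")

# Constructed sample: file content as a MediaWiki 1.31.1 install might carry it.
SAMPLE_FILE = "<?php\n$wgConf = new SiteConfiguration;\n$wgVersion = '1.31.1';\n"


def vtuple(version):
    """Turn '1.31.5' into (1, 31, 5) so versions compare numerically."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def extract_version(text, variable):
    """Find `variable = 'x.y.z'` in file content; return the version or None."""
    pattern = re.escape(variable) + r"""\s*=\s*['"]([0-9][0-9A-Za-z.\-]*)['"]"""
    match = re.search(pattern, text)
    return match.group(1) if match else None


def safe_target(found, entry):
    """Return the version to upgrade to, or None if `found` is already safe."""
    have = vtuple(found)
    if have >= vtuple(entry["safe"]):
        return None
    # Assumption: an old_safe entry covers the branch sharing its major.minor.
    for old in filter(None, entry.get("old_safe", "").split(",")):
        if vtuple(old)[:2] == have[:2]:
            return None if have >= vtuple(old) else old
    return entry["safe"]


def check(text, entry):
    """Build a report line in the style of the output above (path omitted)."""
    for rule in entry["detection"]:
        found = extract_version(text, rule["variable"])
        if found:
            target = safe_target(found, entry)
            if target:
                return f"{entry['name']} {found} ({target}) {entry['vuln']}"
    return None
```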

Try it!

https://freewvs.schokokeks.org/