Typo3Scan

What is Typo3Scan?

Typo3Scan is an open source penetration testing tool that automates the detection of the Typo3 CMS and its installed extensions. It also ships a database of known vulnerabilities for the Typo3 core and for extensions.

To learn more about the Typo3Scan scanner itself visit [https://github.com/whoot/Typo3Scan].

Deployment

The typo3scan chart can be deployed via Helm:

```bash
# Install HelmChart (use -n to configure another namespace)
helm upgrade --install typo3scan secureCodeBox/typo3scan
```

Scanner Configuration

The Typo3Scan target is specified with the -d parameter. The target should be a hostname, an IP address or an IP range.

Additional Typo3Scan scan features can be configured via the parameters attribute of the Scan.

Some useful example parameters are listed below:

  • --vuln: Check for extensions with known vulnerabilities only.
  • --timeout TIMEOUT: Request timeout. Default: 10 seconds.
  • --auth USER:PASS: Username and password for HTTP Basic Authorization.
  • --cookie NAME=VALUE: Can be used for cookie-based authentication.
  • --agent USER-AGENT: Set a custom User-Agent for requests.
  • --threads THREADS: The number of threads to use for enumerating extensions. Default: 5.
  • --json: Output results to a JSON file.
  • --force: Force enumeration.
  • --no-interaction: Do not ask any interactive questions.

Requirements

Kubernetes: >=v1.11.0-0

Examples

example.com

```yaml
# SPDX-FileCopyrightText: 2021 iteratec GmbH
#
# SPDX-License-Identifier: Apache-2.0

apiVersion: "execution.securecodebox.io/v1"
kind: Scan
metadata:
  name: typo3scan-example
spec:
  scanType: "typo3scan"
  parameters:
    - "-d"
    - "https://www.typo3.example.com" # Change to the website you want to scan
    # Only show vulnerable extensions
    - "--vuln"
    # Set the number of threads to use for enumerating extensions at 10
    - "--threads"
    - "10"
```