# CodePress CMS Penetration Test Suite ## πŸ”’ Overview Comprehensive security testing script voor CodePress CMS. Test 10 kritieke attack vectors met 40+ individuele tests. ## ⚠️ WAARSCHUWING **Gebruik dit script ALLEEN op systemen waar je toestemming voor hebt!** Ongeautoriseerde penetration testing is illegaal. ## πŸ“‹ Test CategorieΓ«n ### 1. **XSS (Cross-Site Scripting)** - Page parameter injection - Search parameter injection - Language parameter injection - HTML entity encoding - SVG/IMG tag injection ### 2. **Path Traversal** - Basic `../` attacks - URL encoding bypass - Double encoding - Backslash variants - Mixed separators - Config file access ### 3. **PHP Code Injection** - PHP wrapper attacks - Data URI execution - Expect wrapper exploitation ### 4. **Null Byte Injection** - Null byte in parameters - Extension bypass attempts ### 5. **Command Injection** - Shell command injection in search - Backtick command execution - Pipe operator injection ### 6. **Template Injection** - Mustache SSTI (Server-Side Template Injection) - Config disclosure via templates ### 7. **HTTP Header Injection** - CRLF injection - Header manipulation ### 8. **Information Disclosure** - PHP version leakage - Directory listing - Config file exposure - Dependency disclosure ### 9. **Security Headers** - X-Frame-Options - Content-Security-Policy - X-Content-Type-Options - Referrer-Policy ### 10. **Denial of Service (DoS)** - Large parameter attacks - Resource exhaustion ## πŸš€ Gebruik ### Vereisten - bash - curl - python3 (voor lange strings) - Lopende CodePress CMS instance ### Uitvoeren ```bash # Start de server php -S localhost:8080 -t public # In een andere terminal ./pentest.sh ``` ### Output Het script genereert: 1. **Console output** - Real-time test resultaten met kleuren 2. **pentest_results.txt** - Gedetailleerd rapport ### Resultaat Codes - 🟒 **[SAFE]** - Aanval geblokkeerd βœ… - πŸ”΄ **[VULNERABLE]** - Kwetsbaarheid gevonden ❌ - 🟑 **[POTENTIAL]** - Mogelijk kwetsbaar ⚠️ - 🟑 **[UNKNOWN]** - Onverwachte response ⚠️ ## πŸ“Š Voorbeeld Output ``` ======================================== 1. XSS VULNERABILITY TESTS ======================================== Testing: XSS in page parameter...[SAFE] βœ… Testing: XSS in search parameter...[SAFE] βœ… Testing: XSS in lang parameter...[SAFE] βœ… ======================================== PENETRATION TEST SUMMARY ======================================== Total tests: 40 Vulnerabilities found: 0 Safe tests: 40 βœ… All tests passed! System appears secure. ``` ## πŸ›‘οΈ Verwachte Resultaten CodePress CMS zou **ALLE** tests moeten doorstaan: | Categorie | Verwacht Resultaat | |-----------|-------------------| | XSS | βœ… Blocked | | Path Traversal | βœ… Blocked | | PHP Injection | βœ… Blocked | | Command Injection | βœ… Blocked | | Template Injection | βœ… Blocked | | Security Headers | βœ… Present | | Info Disclosure | βœ… Hidden | ## πŸ”§ Aanpassen ### Target wijzigen ```bash # Bewerk bovenaan pentest.sh TARGET="http://your-domain.com" ``` ### Tests toevoegen ```bash test_vulnerability \ "Jouw test naam" \ "$TARGET/?param=payload" \ "search_pattern" \ "true" # true = vulnerable if found ``` ## πŸ“š OWASP Top 10 Coverage - βœ… A01:2021 - Broken Access Control - βœ… A02:2021 - Cryptographic Failures - βœ… A03:2021 - Injection - βœ… A05:2021 - Security Misconfiguration - βœ… A06:2021 - Vulnerable Components - βœ… A07:2021 - Authentication Failures ## πŸ› Gevonden Vulnerability? 1. Stop met testen 2. Documenteer de vulnerability in `pentest_results.txt` 3. Fix de code 4. Run de test opnieuw 5. Commit NIET de vulnerability voor de fix klaar is ## πŸ“ Licentie Deel van CodePress CMS - Gebruik alleen voor security testing van eigen systemen. ## πŸ”— Meer Informatie - [OWASP Testing Guide](https://owasp.org/www-project-web-security-testing-guide/) - [OWASP Top 10](https://owasp.org/www-project-top-ten/) - [Web Application Penetration Testing](https://portswigger.net/web-security) --- **Remember:** Ethical hacking = Permission + Documentation + Responsible Disclosure