Change the wpscan defaults #1750
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There were alot of enumeration defaults enabled on wpscan and if a wordpress site did not respond to any of the 1000s of requests it sends to enumerate plugins, themes, timthumbs etc. you could be waiting a long time for the requests to timeout.
As noted here #1729 it was taking 45+ minutes on a URL.
It was not stuck but the wpscan json output does not display progress. After looking into it the request_timeout and enumerate settings were causing it to potentially take a long time.
I have removed Timthumbs enumeration and User/Media enumeration from the default options users can still add them back using the
modules.wpscan.enumerate=config optionI have also reduced the HTTP timeout to the same as the httpx timeout
I am unsure if this module deserves to be tagged with "slow" as it potentially could be slow if the wordpress app does not respond to any of the enumeration requests it could potentially take ~25 minutes with these default settings.