Skip to content

Check if Typo3 security guidelines are followed.

License

Notifications You must be signed in to change notification settings

JavanXD/Typo3AccessChecker

Repository files navigation

Typo3AccessChecker License: GPL v3 Twitter Follow

Check if TYPO3 security guidelines are followed. This tool scans if your typo3 instance is correctly secured by testing restrictions and permissions to important endpoints.

With great astonishment we had to find out while testing our tool that many of the Typo3 instances on the Internet have obviously skipped the step from the installation manual to secure them.

Installation

git clone https://github.com/JavanXD/Typo3AccessChecker.git
cd Typo3AccessChecker
python3 -m pip install requests progressbar

Docker Image

docker build -t typo3accesschecker:latest .

Usage

Start a Scan of https://typo3.org with the default checklist:

python3 check_axxess.py https://typo3.org checklist.txt

Start a Scan of https://typo3.org and use a proxy (e.g. OWASP ZAP/Burp/Fiddler). The proxy function helps you during a manual check by displaying the exact answer you received.

python3 check_axxess.py https://typo3.org checklist.txt --proxy localhost:8080  --verify False

List of possible arguments:

python3 check_axxess.py -h

To use the Docker Image

docker run --rm -e URL=URLofTYPO3 --name typo3accesschecker typo3accesschecker

Checklist

The checklist contains a default set of URLs that should be protected. You can expand the checklist by adding lines in the format https://my.domain/. Please do not replace my.domain with your real URL, this is done by the application using the host parameter that is passed on startup.

Contribute

Feel free to open issues / pull requests if you want to contribute to this project.

Releases

No releases published

Contributors 4

  •  
  •  
  •  
  •