Improves detection of WP Version, Plugins etc by checking 404

spec/shared_examples/dynamic_finders/wp_items.rb

@@ -16,13 +16,15 @@ shared_examples WPScan::Finders::DynamicFinder::WpItems::Finder do
 
   describe '#passive' do
     before do
-      stub_request(:get, target.url).to_return(body: body)
+      stub_request(:get, target.url).to_return(body: homepage_body)
+      stub_request(:get, ERROR_404_URL_PATTERN).to_return(body: error_404_body)
 
       allow(target).to receive(:content_dir).and_return('wp-content')
     end
 
     context 'when no matches' do
-      let(:body) { '' }
+      let(:homepage_body) { '' }
+      let(:error_404_body) { '' }
 
       it 'returns an empty array' do
         expect(finder.passive).to eql([])
@@ -30,9 +32,7 @@ shared_examples WPScan::Finders::DynamicFinder::WpItems::Finder do
     end
 
     context 'when matches' do
-      let(:body) { File.read(passive_fixture) }
-
-      it 'contains the expected items' do
+      let(:expected_items) do
         expected = []
 
         finder.passive_configs.each do |slug, configs|
@@ -48,7 +48,25 @@ shared_examples WPScan::Finders::DynamicFinder::WpItems::Finder do
           end
         end
 
-        expect(finder.passive).to match_array(expected.map { |item| eql(item) })
+        expected
+      end
+
+      context 'from the homepage' do
+        let(:homepage_body) { File.read(passive_fixture) }
+        let(:error_404_body) { '' }
+
+        it 'contains the expected items' do
+          expect(finder.passive).to match_array(expected_items.map { |item| eql(item) })
+        end
+      end
+
+      context 'from the 404' do
+        let(:homepage_body) { '' }
+        let(:error_404_body) { File.read(passive_fixture) }
+
+        it 'contains the expected items' do
+          expect(finder.passive).to match_array(expected_items.map { |item| eql(item) })
+        end
       end
     end
   end

spec/shared_examples/finders/wp_items/urls_in_page.rb

@@ -1,8 +1,8 @@
 # frozen_string_literal: true
 
-shared_examples 'App::Finders::WpItems::URLsInHomepage' do
+shared_examples 'App::Finders::WpItems::UrlsInPage' do
   before do
-    stub_request(:get, finder.target.url).to_return(body: File.read(fixtures.join(file)))
+    stub_request(:get, page_url).to_return(body: File.read(fixtures.join(file)))
   end
 
   describe '#items_from_links' do

spec/shared_examples/target/platform/wordpress.rb

@@ -7,14 +7,17 @@ shared_examples WPScan::Target::Platform::WordPress do
 
   let(:fixtures) { FIXTURES.join('target', 'platform', 'wordpress') }
 
-  describe '#wordpress?' do
+  describe '#wordpress?, wordpress_from_meta_comments_or_scripts?' do
     let(:fixtures) { super().join('detection') }
 
     before do
       stub_request(:get, target.url).to_return(body: File.read(fixtures.join("#{homepage}.html")))
+      stub_request(:get, ERROR_404_URL_PATTERN).to_return(body: File.read(fixtures.join("#{page_404}.html")))
     end
 
     context 'when pattern/s in the homepage' do
+      let(:page_404) { 'not_wp' }
+
       %w[default wp_includes only_scripts meta_generator comments mu_plugins wp_admin wp_json_oembed].each do |file|
         context "when a wordpress page (#{file}.html)" do
           let(:homepage) { file }
@@ -29,39 +32,55 @@ shared_examples WPScan::Target::Platform::WordPress do
     context 'when no clues in the homepage' do
       let(:homepage) { 'not_wp' }
 
-      context 'when only passive detection mode' do
-        it 'returns false' do
-          expect(subject.wordpress?(:passive)).to be false
+      context 'when pattern/s in the 404 page' do
+        %w[default wp_includes only_scripts meta_generator comments mu_plugins wp_admin wp_json_oembed].each do |file|
+          context "when a wordpress page (#{file}.html)" do
+            let(:page_404) { file }
+
+            it 'returns true' do
+              expect(subject.wordpress?(:mixed)).to be true
+            end
+          end
         end
       end
 
-      context 'when mixed or aggressive detection modes' do
-        context 'when wp-admin/install.php and wp-login.php not there' do
+      context 'when no clues in the 404 page' do
+        let(:page_404) { 'not_wp' }
+
+        context 'when only passive detection mode' do
           it 'returns false' do
-            %w[wp-admin/install.php wp-login.php].each do |path|
-              stub_request(:get, target.url(path)).to_return(status: 404)
+            expect(subject.wordpress?(:passive)).to be false
+          end
+        end
+
+        context 'when mixed or aggressive detection modes' do
+          context 'when wp-admin/install.php and wp-login.php not there' do
+            it 'returns false' do
+              %w[wp-admin/install.php wp-login.php].each do |path|
+                stub_request(:get, target.url(path)).to_return(status: 404)
+              end
+
+              expect(subject.wordpress?(:mixed)).to be false
             end
-
-            expect(subject.wordpress?(:mixed)).to be false
           end
-        end
 
-        context 'when wp-admin/install.php is matching a WP install' do
-          it 'returns true' do
-            stub_request(:get, target.url('wp-admin/install.php'))
-              .to_return(body: File.read(fixtures.join('wp-admin-install.php')))
+          context 'when wp-admin/install.php is matching a WP install' do
+            it 'returns true' do
+              stub_request(:get, target.url('wp-admin/install.php'))
+                .to_return(body: File.read(fixtures.join('wp-admin-install.php')))
 
-            expect(subject.wordpress?(:mixed)).to be true
+              expect(subject.wordpress?(:mixed)).to be true
+            end
           end
-        end
 
-        context 'when wp-admin/install.php not there but wp-login.php is matching a WP install' do
-          it 'returns true' do
-            stub_request(:get, target.url('wp-admin/install.php')).to_return(status: 404)
-            stub_request(:get, target.url('wp-login.php'))
-              .to_return(body: File.read(fixtures.join('wp-login.php')))
+          context 'when wp-admin/install.php not there but wp-login.php is matching a WP install' do
+            it 'returns true' do
+              stub_request(:get, target.url('wp-admin/install.php')).to_return(status: 404)
+              stub_request(:get, target.url('wp-login.php'))
+                .to_return(body: File.read(fixtures.join('wp-login.php')))
 
-            expect(subject.wordpress?(:mixed)).to be true
+              expect(subject.wordpress?(:mixed)).to be true
+            end
           end
         end
       end

spec/shared_examples/target/platform/wordpress/custom_directories.rb

@@ -4,6 +4,9 @@ shared_examples 'WordPress::CustomDirectories' do
   let(:fixtures) { super().join('custom_directories') }
 
   describe '#content_dir' do
+    # Stub the error_404_res to make it easier to test
+    before { stub_request(:get, ERROR_404_URL_PATTERN) }
+
     {
       default: 'wp-content', https: 'wp-content', custom_w_spaces: 'custom content spaces',
       relative_one: 'wp-content', relative_two: 'wp-content', cache: 'wp-content',
@@ -45,9 +48,9 @@ shared_examples 'WordPress::CustomDirectories' do
       end
     end
 
-    context 'when not found via the homepage' do
+    context 'when not found via the homepage or 404' do
       before do
-        stub_request(:get, target.url).to_return(body: '')
+        stub_request(:get, target.url)
 
         expect(target).to receive(:default_content_dir_exists?).and_return(dir_exist)
       end
@@ -123,6 +126,9 @@ shared_examples 'WordPress::CustomDirectories' do
   end
 
   describe '#sub_dir' do
+    # Stub the error_404_res to make it easier to test
+    before { stub_request(:get, ERROR_404_URL_PATTERN) }
+
     { default: false, with_sub_dir: 'wp', relative_two_sub_dir: 'cms' }.each do |file, expected|
       it "returns #{expected} for #{file}.html" do
         fixture = File.join(fixtures, "#{file}.html")