DruPen is a helper module that provides a few Drush commands which are helpful when auditing the security of a Drupal 8 site.
Place the drupen folder in your site's modules directory and enable
the module.
Currently the module only provides a few Drush commands, however more interaction with Drupal is planned (hence it is a module and not just a Drush command).
DruPen requires PHP 7+ and Drupal 8.
Display a list of routes defined in the Drupal site.
drush route-list
This command will build a list of urls from the site's routes with parameter replacements. This attempts to build an exhaustive list of all urls the site will respond to.
Request all routes and display the HTTP response code for each.
drush route-test
By default this command loads urls as an anonymous user, however a session cookie can be passed as an option.
Output is currently comma delimited with the intention of being sent to a csv file.
route-test accepts 4 options:
--response-code : Filter output based on a provided HTTP response code.
--response-cache : Filter output based on a provided X-Drupal-Cache
HIT/MISS.
--profile : Display response times and X-Drupal-Cache HIT/MISS.
--cookie : Provide cookie information to the requests, which is
intended to authenticate the user. The session-cookie command can be
used to generate the cookie string.
List routes with 500 response code as an anonymous user.
drush route-test --response-code=500
List routes with 200 response code, with load times, as an authenticated user.
drush route-test --response-code=200 --profile --cookie="SESSe7c1f93bf5adaa9459634b1ab92db72d=JPNlqdkf9wT6PIIHu4bIRCH1EJua5vwKyaUUNQOJZvM; expires=Sat, 10-Sep-2016 07:15:28 GMT; Max-Age=2000000; path=/; domain=.example.dev; HttpOnly"
Output Set-Cookie header from standard Drupal authentication request.
drush session-cookie
session-cookie requires 2 arguments:
username : Username use for login.
password : Password use for login.
Create a session as admin user and display the cookie string.
drush session-cookie admin password