Steps to a Drupal Security Review

As we developed our security review offering we came up with this outline. We don't follow all the steps on every site because sites sometimes have specific concerns that we want to address before the general set. But this is our exhaustive list of steps. Note that this is only about the Drupal portion of the stack. There is an array of things you could also analyze at the webserver, database server, operating system, network and even data center levels of the stack.

Using XSS to steal access

We've talked about Cross Site Scripting (XSS) before, and for good reason, it's a risk far too many sites are vulnerable to. XSS is scary because it runs in the context of the trusted relationship between your browser and a website; XSS can do everything you can do.

XSS cookie theft

Let's look at another example of an XSS exploit: stealing administrative access to a site.

  • An attacker will enter Javascript that steals the visitor's browser cookie
  • An administrator will unknowingly execute this Javascript

Drupalcon Training: Securing your Drupal site with code and configuration

First things first, please take this survey about Security in Drupal.

Much like at last year's Drupalcon in San Francisco, Ben Jeavons and I will be giving a training about Drupal and Security. When we gave this course at Drupalcon San Francisco, 88% of survey respondents said they would take the class again! We took all the feedback from last time and are working to make the experience even better.

Anything you can do XSS can do better

Cross Site Scripting (XSS) is the number one vulnerability in Drupal code¹ and one of the scariest forms of exploits, because anything you can do XSS can do better².

More serious than <script>alert('xss')</script>

During XSS demos and vulnerability testing it's easy to use some code like <script>alert('xss')</script> to see Javascript executed where it shouldn't be. But an alert box isn't scary.

Mitigation against CVE-2010-1584 Drupal Context Module XSS

Recently Justin Klein Keane posted information about a vulnerability in the Context Module for Drupal.

Justin included information about mitigating factors:

In order to execute arbitrary script injection malicious users must have 'Administer blocks' permission.

Here are some more concrete steps for mitigation of this particular vulnerability.

1. Ensure only trusted roles have the "Administer Blocks" permission

Syndicate content