Sunday, January 1, 2012

Drupal Security

Recently I was working on a governmental site that needed to be really secure. I was using Drupal as the CMS / framework, so I needed to look into Drupal's shortcomings with respect to security, but I found that Drupal offers more than enough of what a framework should to address security. As developers we just need to use its existing features to enhance security.

I needed to go through the following scenarios where security had to be up to the mark, and the solutions we made:

1. SQL Injection

What SQL Injection is:

SQL Injection is a subset of the unverified/unsanitized user input class of vulnerabilities (buffer overflows are a different subset); the idea is to convince the application to run SQL code that was not intended.

There are many types of SQL injection, and they can be prevented in Drupal by taking the following steps:

i. Use db_query() with its placeholders, because Drupal passes the arguments through its SQL injection filters (escaping or casting them) before sending the query to the database.

// Vulnerable: the raw request value is concatenated straight into the SQL.
db_query('SELECT foo FROM {table} t WHERE t.name = '. $_GET['user']);

// Safe: the value goes through the %s placeholder and is escaped by db_query().
db_query("SELECT foo FROM {table} t WHERE t.name = '%s' ", $_GET['user']);

// Wrong: a single %s cannot carry a list of values, so do not pass an array this way.
db_query("SELECT t.s FROM {table} t WHERE t.field IN (%s)", $from_user);

// Correct: build one %d placeholder per array element, then pass the array as the arguments.
$placeholders = implode(',', array_fill(0, count($from_user), "%d"));

db_query("SELECT t.s FROM {table} t WHERE t.field IN ($placeholders)", $from_user);

Drupal core's db_query() performs the necessary escaping against SQL injection. For %d placeholders it casts the value to an integer, so a non-numeric value cannot break the query.

ii. Use check_plain(), check_markup() and filter_xss() on user input before outputting it.

check_plain($string) --> To present all HTML as encoded entities.

check_markup($string) --> To allow at least some HTML, when a user has selected a specific input format. When you are unsure of the format but need HTML and must limit which HTML is allowed, use the 'default' format as a fallback.

filter_xss($string, $allowed_tags) --> Removes characters and constructs that can trick browsers. Makes sure all HTML entities are well-formed. Makes sure all HTML tags and attributes are well-formed. Makes sure no HTML tags contain URLs with a disallowed protocol (e.g. javascript:).

You can also use filter_xss_admin() for input that comes from site administrators; it is a more permissive filter meant for trusted users only.
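The two points above combined in one page callback, as an added example that is not from the original post. It assumes a Drupal 6 bootstrap (the same API the %s placeholders above belong to), so db_query(), check_plain(), filter_xss(), t() and theme() come from core; the module name secure_example, the table {user_note} and its columns are hypothetical.

```php
<?php
// Added example (not from the original post): a Drupal 6 page callback that
// reads a user name and a list of status ids from the query string and lets
// neither reach SQL or HTML unescaped. Assumes a Drupal 6 bootstrap; the
// module name "secure_example" and the table {user_note} are hypothetical.

/**
 * Implements hook_menu().
 */
function secure_example_menu() {
  $items['notes'] = array(
    'title' => 'Notes',
    'page callback' => 'secure_example_notes_page',
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Page callback: lists notes owned by ?user=NAME with a status in ?status=1,2,3.
 */
function secure_example_notes_page() {
  $name = isset($_GET['user']) ? $_GET['user'] : '';

  // Split the comma-separated list and keep only non-zero integers. %d would
  // cast the rest anyway, but filtering first avoids silently querying for 0.
  $raw = isset($_GET['status']) ? $_GET['status'] : '';
  $ids = array_filter(array_map('intval', explode(',', $raw)));
  if (empty($ids)) {
    $ids = array(1);
  }

  // One %d per value, so the IN () clause has exactly count($ids) placeholders.
  $placeholders = implode(',', array_fill(0, count($ids), '%d'));
  // %s is escaped by db_query(); the name is never concatenated into the query.
  $args = array_merge(array($name), array_values($ids));
  $result = db_query("SELECT n.title, n.body FROM {user_note} n WHERE n.owner = '%s' AND n.status IN ($placeholders)", $args);

  $rows = array();
  while ($note = db_fetch_object($result)) {
    $rows[] = array(
      // Titles are plain text: encode everything.
      check_plain($note->title),
      // Bodies may carry simple formatting: allow only a short tag whitelist.
      filter_xss($note->body, array('p', 'em', 'strong', 'a')),
    );
  }

  if (empty($rows)) {
    // %user in t() is run through check_plain() and emphasised, so echoing
    // the request value back to the page is safe here.
    return '<p>' . t('No notes for %user.', array('%user' => $name)) . '</p>';
  }
  return theme('table', array(t('Title'), t('Body')), $rows);
}
```

The rule of thumb the example follows: %s for strings, %d for integers, one placeholder per value in an IN list, and escape at output time with the narrowest function that still renders what you need (check_plain() for text, filter_xss() with an explicit whitelist for limited HTML).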

2. Security Testing

There are a number of Drupal-specific testing solutions, such as:

Coder Module (http://drupal.org/project/coder):

The Coder module is a powerful tool for analyzing Drupal code. The module was created by Doug Green, but it has since had significant improvements by many users. Initially it analyzed code to ensure it conformed to the Drupal coding standards and to help identify changes from one version of Drupal to another, but since it is built in an extensible manner, it can perform many different kinds of source-code analysis. It has been expanded to include some simple security checks and could be expanded to cover more security tests.

How to use Coder Module:

Coder adds a Code Review settings page, where you can control the default review to be performed. To actually run the review, visit the /coder path on your site, where you will see a screen that allows you to select which tests to run. Click the Submit button and, after a few seconds, Coder presents a report about the tests it ran and any problems it identified.

Security Scanner (http://drupal.org/project/security_scanner)

How to use the Security Scanner tool:

1. Enable the Scanner and XSS components of the module.

2. Visit Administer > Site configuration > Security Scanner.

3. Set Mode in the Security Scanner Settings section to Crawl.

4. Execute the crawl by visiting the cron.php file.

5. Repeat this process of setting a mode and visiting cron.php for the next two modes: Seed and ReCrawl.


Grendel Scan ( http://www.grendel-scan.com/download.htm )


Apart from Drupal-specific tools, there are also several general tools available to perform vulnerability analysis. Many of these tools tackle individual pieces: SQL injection, XSS, or providing a local proxy that allows a user to manually alter browser requests. There is also a relatively new tool called Grendel-Scan which leverages many existing tools to provide a wide array of scanning and vulnerability analysis capabilities.

2. Form Flooding

Use flood_is_allowed() in your custom modules; it controls flooding of a form by limiting the number of submissions allowed. Keep the form token enabled as well.

http://drupal.org/project/flood_exemption

This module helped us a lot when we were addressing form flooding, as it limits the number of submissions from a particular IP. You can also enhance the functionality by limiting it to a particular MAC address.
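A custom form throttled with the flood API, as an added example that is not from the original post or the flood_exemption module. It assumes Drupal 6, where flood_is_allowed($name, $threshold) counts events registered with flood_register_event($name) for the requesting host over the last hour; the module name secure_example, the event name and the limit of 5 submissions per hour are hypothetical choices.

```php
<?php
// Added example (not from the original post): throttling a custom form with
// Drupal 6's flood API. Assumes a Drupal 6 bootstrap; the module name
// "secure_example", the event name and the limit of 5 per hour are assumptions.

define('SECURE_EXAMPLE_FLOOD_EVENT', 'secure_example_feedback');
define('SECURE_EXAMPLE_FLOOD_LIMIT', 5);

/**
 * Form builder: a minimal feedback form.
 */
function secure_example_feedback_form(&$form_state) {
  $form['message'] = array(
    '#type' => 'textarea',
    '#title' => t('Message'),
    '#required' => TRUE,
  );
  $form['submit'] = array('#type' => 'submit', '#value' => t('Send'));
  return $form;
}

/**
 * Validate handler: refuse the submission when this client (the {flood} table
 * keys events by hostname, i.e. the remote IP) has already reached the limit
 * within the last hour.
 */
function secure_example_feedback_form_validate($form, &$form_state) {
  if (!flood_is_allowed(SECURE_EXAMPLE_FLOOD_EVENT, SECURE_EXAMPLE_FLOOD_LIMIT)) {
    form_set_error('message', t('You have sent too many messages in the last hour. Please try again later.'));
    // Record the refusal so repeated hits are visible in the watchdog report.
    watchdog('secure_example', 'Feedback form flood limit reached from %ip.', array('%ip' => ip_address()), WATCHDOG_NOTICE);
  }
}

/**
 * Submit handler: runs only for submissions that passed validation, so each
 * accepted message counts against the limit while rejected ones do not.
 */
function secure_example_feedback_form_submit($form, &$form_state) {
  flood_register_event(SECURE_EXAMPLE_FLOOD_EVENT);
  // Whatever the form does with the message goes here; logging it is the
  // simplest stand-in for storing or mailing it.
  watchdog('secure_example', 'Feedback received: @msg', array('@msg' => $form_state['values']['message']));
  drupal_set_message(t('Thanks, your message was received.'));
}
```

Registering the event in the submit handler rather than in validation is a deliberate choice for a public form: a visitor who trips a required-field error does not eat into their quota. For login-style forms the opposite is wanted, and the event should be registered on every failed attempt.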

3. Password cracking by a simple brute-force algorithm

This article shows how such a brute-force login attack works:

http://www.ethicalhackingguide.net/2011/08/using-fireforce-to-brute-force-web_04.html

http://drupal.org/project/login_security

Enabling this module, a site administrator may limit the number of invalid login attempts before blocking accounts, or deny access by IP address, temporarily or permanently.

4. Spam Blocking

Mollom is another option, but it is a paid service.

http://drupal.org/project/spam

This module can certainly block spam entries on your blog or forum. WordPress's Akismet is the most successful component for spam blocking.

5. Directory Browsing

Web server directories should be configured to lock down directory browsing, so that a request for a directory without an index file does not list its contents.

6. Session Hijacking

Use the web application server's session management APIs when possible. Tools like Firesheep can be used to test for session hijacking.
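Session cookie settings that close the gap Firesheep relies on, as an added example that is not from the original post. It assumes Drupal 6, whose sites/default/settings.php already sets session options with ini_set() and stores sessions in its own {sessions} table through session_set_save_handler(); the lifetime values and the assumption that the whole site is served over HTTPS are choices made here, not the post's.

```php
<?php
// Added example (not from the original post): session cookie hardening for
// Drupal 6's sites/default/settings.php. Assumes the site is served entirely
// over HTTPS; the lifetime values are assumptions.

// Weak (PHP defaults): the session cookie is also sent over plain HTTP, which
// is exactly what a sniffer on an open network picks up, and it is readable
// from JavaScript, so an XSS bug can copy it out.
//   session.cookie_secure   = 0
//   session.cookie_httponly = 0

// Hardened: only transmit the cookie over TLS and keep it away from scripts.
ini_set('session.cookie_secure', 1);
ini_set('session.cookie_httponly', 1);

// Accept the session id from the cookie only, never from the URL, so a copied
// link cannot carry someone's session with it.
ini_set('session.use_only_cookies', 1);
ini_set('session.use_trans_sid', 0);

// Drupal's own save handler still honours the standard lifetime settings; a
// shorter lifetime limits how long a captured cookie stays usable.
ini_set('session.cookie_lifetime', 86400);
ini_set('session.gc_maxlifetime', 86400);
```

With session.cookie_secure set, a site that still answers on plain HTTP will appear to lose logins there, because the browser withholds the cookie; redirect HTTP to HTTPS at the web server before enabling it.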
