/drupsec

Resources, tips, howtos, and everything in between to secure your Drupal app.

GNU General Public License v2.0 (GPL-2.0)

Drupal Security

Resources

  1. Steps to a Drupal security review
  2. Automated Security Review
  3. Cracking Drupal
  4. Drupal Security Report
  5. Drupal Security Group
  6. Securing your site
  7. Enhancing security using contributed modules
  8. The 10 most critical Drupal security risks
  9. Doing Drupal Security Right
  10. How to Check Your Drupal Site Security
  11. How to Restore Your Hacked Site
  12. Web Application Security Testing Cheat Sheet
  13. Handle text in a secure fashion
  14. How to improve security on Drupal websites

Modules

  1. Paranoia - The Paranoia module attempts to identify all the places that a user can evaluate PHP via Drupal's web interface and then block those. It reduces the potential impact of an attacker gaining elevated permission on a Drupal site.
  2. Security Review - The Security Review module automates testing for many of the easy-to-make mistakes that render your site insecure.
  3. Drupalgeddon - Drupalgeddon (with an "L") checks for backdoors and other traces of known Drupal exploits of "Drupageddon" (no "L"), aka SA-CORE-2014-005 SQL injection. Drupalgeddon is not a module; it's a Drush command.
  4. Hacked! - This module scans the currently installed Drupal, contributed modules and themes, re-downloads them and determines if they have been changed.
  5. MD5 Check - The MD5 Check module generates an MD5 checksum of all module files. If a module is changed, a critical security error is generated in the watchdog log.
  6. File Integrity Check - This module lets the site maintainer “fingerprint” an entire site (except the files below the public:// upload directory) when it is in an untainted state.
  7. Site Audit - Site Audit is a Drupal static site analysis platform that generates reports with actionable best practice recommendations.
  8. Security Kit - SecKit provides Drupal with various security-hardening options. This lets you mitigate the risks of exploitation of different web application vulnerabilities.
  9. Unused Modules - Not really for security but still good to have it here. This is a helper / development module that lists unused modules / projects that can be safely deleted. This makes your repository cleaner and your website faster.
  10. Login Security - Login Security module improves the security options in the login operation of a Drupal site. With Login Security module, a site administrator may protect and restrict access by adding access control features to the login forms (default login form in /user and the block called "login form block").
  11. Flood Control - This project is intended to add an administration interface for hidden flood control variables in Drupal 7, like the login attempt limiters and any future hidden variables.
  12. Captcha - A CAPTCHA is a challenge-response test most often placed within web forms to determine whether the user is human.
  13. Spamspan Filter - The SpamSpan module obfuscates email addresses to help prevent spambots from collecting them.
  14. ACL - The ACL module, short for Access Control Lists, is an API for other modules to create lists of users and give them access to nodes.
  15. Content Access - This module allows you to manage permissions for content types by role and author. It allows you to specify custom view, edit and delete permissions for each content type. Optionally you can enable per-content access settings, so you can customize the access for each content node.
  16. Lightweight Directory Access Protocol (LDAP) - The Lightweight Directory Access Protocol (LDAP) project provides integration with LDAP for authentication, user provisioning, authorization, feeds, and views.
  17. Password Policy - This module provides a way to enforce restrictions on user passwords by defining password policies.
  18. Oauth - This module implements the OAuth 1.0 standard for use with Drupal and acts as a support module for other modules that wish to use OAuth.
  19. Security Testing - Security Testing is a tool for locating XSS, CSRF and SQL Injection vulnerabilities in Drupal contributed modules. This tool will scan the source code of contributed module(s) for vulnerabilities and display warnings.
  20. ClamAV - Drupal integration with the ClamAV virus scanner. This module will verify that files uploaded to a site are not infected with a virus, and prevent infected files from being saved.
  21. Spambot - Spambot protects the user registration form from spammers and spambots by verifying registration attempts against the Stop Forum Spam online database. It also adds some useful features to help deal with spam accounts.
  22. Honeypot - Honeypot uses both the honeypot and timestamp methods of deterring spam bots from completing forms on your Drupal site. These methods are effective against many spam bots, and are not as intrusive as CAPTCHAs or other methods which punish the user.
  23. Taxonomy Access Control - Access control for user roles based on taxonomy categories (vocabulary, terms).
  24. reCaptcha - Uses the Google reCAPTCHA web service to improve the CAPTCHA system and protect email addresses.
  25. Spamicide - The purpose of Spamicide is to prevent spam submission to any form on your Drupal web site. Spamicide adds an input field to each form and then hides it with CSS; when spam bots fill in the field, the form is discarded.
  26. Mollom - Mollom is an intelligent content moderation web service. By monitoring content activity on all sites in the Mollom network, Mollom is in a unique position to determine if a post is potentially spam; not only based on the posted content, but also on the past activity and reputation of the poster.
  27. http:BL - Implementation of http:BL for Drupal. http:BL can prevent email address harvesters and comment spammers from visiting your site by using a centralized DNS blacklist.
  28. UserOne - Since Drupal 7 is more restrictive in allowing multiple failed logins, using different names (in 6.x version) is not needed any longer.
  29. MimeDetect - MimeDetect provides an API for consistent server side mime detection using the PHP FileInfo extension, the UNIX 'file' command, user supplied mime data, or file extension lookups.
  30. Captcha Riddler - Captcha Riddler is a sub module of Captcha that lets site administrators create their own questions to foil automated spam bots.
  31. Username Enumeration Prevention - By default Drupal is very secure (especially Drupal 7). However, there is a way to exploit the system by using a technique called username enumeration. This module will stop this from happening. When the module is enabled, the error message is replaced with the same message a valid user would see, and the visitor is redirected back to the login form. If the user does not exist, no password reset email is sent, but the attacker cannot tell that this is the case.
  32. Secure Login - Secure Login module enables the user login and other forms to be submitted securely via HTTPS, thus preventing passwords and other private user data from being transmitted in clear text. Secure Login module locks down not just the user/login page but also any page containing the user login block (or other forms that you configure to be secured).
  33. User registration password - Let users register with a password on the registration form when verification mail is required.

Standalone Applications

  1. Droopescan - A plugin-based scanner that aids security researchers in identifying issues with several CMSs, mainly Drupal & Silverstripe.
  2. CMSmap - CMSmap is a Python open source CMS scanner that automates the process of detecting security flaws in the most popular CMSs.
  3. DPScan - Drupal modules enumerator. Note: no updates from the author.

HowTo and Best Practices

Javascript

  1. Avoiding unreachable code - The eval() function is evil and SHOULD NOT be used. The browser has to create an entirely new scripting environment (just like creating a new web page), import all variables from the current scope, execute the script, collect the result, and export the variables back into the original environment. Additionally, the code cannot be cached for optimization purposes. It is both the most powerful and most misused method in JavaScript. Note that JavaScript implicitly uses eval() for some other language constructs.
  2. Preventing XSS - All output to the browser that has been provided by a user SHOULD be escaped through Drupal.checkPlain() first. This is similar to Drupal's PHP check_plain() and encodes special characters in a plain-text string for display as HTML.
  3. String Translation - All strings in JavaScript files SHOULD be wrapped in Drupal.t(), which is an equivalent of the well-known t() function. Likewise, there is an equivalent to format_plural(), named Drupal.formatPlural(). Their parameter order is exactly like their server-side counterparts.

Source: JavaScript best practices
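The XSS item above says every piece of user-provided text must go through Drupal.checkPlain() and that Drupal.t() placeholders exist for the same reason. The following is an added example, not code from the drupsec README or from Drupal core: it defines a small stand-in `Drupal` object so the file runs outside a Drupal page, following the escaping rules of Drupal 7's misc/drupal.js as I understand them (an assumption; inside a real page you use the core object and never redefine it), and then contrasts unescaped and escaped rendering of a constructed hostile display name.

```javascript
// Added example, not from the drupsec README or from Drupal core. The `Drupal`
// object below is a stand-in that reproduces the escaping behaviour of Drupal 7's
// misc/drupal.js (assumption), so the file runs on its own under Node.
const Drupal = {};

// Escape the characters that let a string break out of HTML text or a
// double-quoted attribute value. This is Drupal.checkPlain()'s replacement table.
// Unlike PHP's check_plain(), it does not escape single quotes, so always put
// attribute values in double quotes when you build markup on the client.
Drupal.checkPlain = function (str) {
  const table = { '&': '&amp;', '"': '&quot;', '<': '&lt;', '>': '&gt;' };
  return String(str).replace(/[&"<>]/g, (c) => table[c]);
};

// Placeholder substitution with Drupal's three prefixes:
//   @key  value is escaped with checkPlain (the right choice for untrusted text)
//   %key  value is escaped and wrapped in <em class="placeholder">
//   !key  value is inserted verbatim, so it must already be safe markup
Drupal.t = function (str, args) {
  for (const key of Object.keys(args || {})) {
    let value = String(args[key]);
    switch (key.charAt(0)) {
      case '!':
        break;
      case '@':
        value = Drupal.checkPlain(value);
        break;
      default: // '%' and any other prefix
        value = '<em class="placeholder">' + Drupal.checkPlain(value) + '</em>';
    }
    // split/join instead of String.replace(key, value): replace() would treat
    // "$&" or "$1" inside user-supplied text as replacement patterns.
    str = str.split(key).join(value);
  }
  return str;
};

// Unsafe: raw concatenation puts whatever the user typed into the markup.
function renderAuthorUnsafe(name) {
  return '<div class="comment-author">' + name + '</div>';
}

// Safe: the same output with the name escaped first, so it renders as text.
function renderAuthorSafe(name) {
  return '<div class="comment-author">' + Drupal.checkPlain(name) + '</div>';
}

// A translatable message whose @name placeholder is escaped automatically.
function welcomeMessage(name) {
  return Drupal.t('Welcome back, @name!', { '@name': name });
}

// Constructed untrusted input: a display name that carries markup.
const hostileName = '<script>alert(1)</script>';
console.log(renderAuthorUnsafe(hostileName)); // markup survives into the page
console.log(renderAuthorSafe(hostileName));   // shown as literal text
console.log(welcomeMessage('Tom & "Jerry"')); // placeholders escaped for you
```

The practical rule the example encodes: build strings with `@` placeholders by default, reserve `!` for markup your own code produced, and never concatenate user text into HTML without checkPlain().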

Server-side

  1. Securing Your Site: Clickjacking and X-Frame-Options - By default Drupal doesn't have support for X-Frame-Options. The X-Frame-Options HTTP response header can be used to indicate whether or not a browser should be allowed to render a page in a <frame>, <iframe> or <object>. Sites can use this to avoid clickjacking attacks, by ensuring that their content is not embedded into other sites.

Possible values:

DENY: When the X-Frame-Options http header is set to this value a page can never be embedded in a frame/iframe.
SAMEORIGIN: In this case only the originating domain can embed pages in a frame/iframe. This is specific to a domain including the subdomain. Pages on foo.example.com cannot embed pages from bar.example.com if this value is used.

Example:
In Drupal: drupal_add_http_header('X-Frame-Options', 'SAMEORIGIN');
In Apache: Header always append X-Frame-Options SAMEORIGIN
In Nginx: add_header X-Frame-Options SAMEORIGIN;
In PHP: header('X-Frame-Options: SAMEORIGIN');
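After adding one of the lines above, the step a practitioner wants is to confirm what the site actually sends, because a header that is present but malformed gives no protection: browsers ignore values they do not recognise and render the page in a frame anyway, and two directives at different configuration levels can join into a comma-separated value. The following is an added example, not code from the drupsec README or from Drupal: a check over response headers, such as you would collect from `curl -I`, using constructed sample responses.

```javascript
// Added example, not from the drupsec README or from Drupal. Validates the
// X-Frame-Options header of captured responses; the sample responses at the
// bottom are constructed for this example and are not from a real site.
const VALID_VALUES = new Set(['DENY', 'SAMEORIGIN']);

function checkFrameOptions(headers) {
  // Header names are case-insensitive, so find the field whatever its casing.
  const name = Object.keys(headers).find((k) => k.toLowerCase() === 'x-frame-options');
  if (name === undefined) {
    return { status: 'missing', value: null, message: 'no X-Frame-Options header; page can be framed by any site' };
  }
  // Several directives (e.g. `Header append` at two config levels) produce a
  // comma-joined value; split it so each directive is judged on its own.
  const values = String(headers[name]).split(',').map((v) => v.trim().toUpperCase()).filter((v) => v !== '');
  const unique = [...new Set(values)];
  if (unique.length === 0) {
    return { status: 'invalid', value: '', message: 'X-Frame-Options is empty; treated as absent' };
  }
  if (unique.length > 1) {
    return { status: 'conflict', value: unique.join(', '), message: 'conflicting values; browsers do not agree on how to apply them, send exactly one' };
  }
  if (!VALID_VALUES.has(unique[0])) {
    return { status: 'invalid', value: unique[0], message: 'unrecognised value "' + unique[0] + '"; browsers ignore it and allow framing' };
  }
  return {
    status: 'ok',
    value: unique[0],
    message: unique[0] === 'DENY' ? 'never frameable' : 'frameable only from the same origin',
  };
}

// Run the check over captured responses and list the URLs that need fixing.
function findUnprotected(responses) {
  return Object.entries(responses)
    .map(([url, headers]) => ({ url, ...checkFrameOptions(headers) }))
    .filter((r) => r.status !== 'ok');
}

// Constructed sample responses (hostnames and headers invented for this example).
const SAMPLE_RESPONSES = {
  'https://example.test/': { 'Content-Type': 'text/html', 'x-frame-options': 'sameorigin' },
  'https://example.test/user': { 'Content-Type': 'text/html' },
  'https://example.test/node/1': { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAME-ORIGIN' },
  'https://example.test/admin': { 'Content-Type': 'text/html', 'X-Frame-Options': 'SAMEORIGIN, DENY' },
};

for (const r of findUnprotected(SAMPLE_RESPONSES)) {
  console.log(r.url + ': ' + r.status + ' (' + r.message + ')');
}
```

Feed it the headers from each page type you care about (front page, login form, admin pages), not just the front page: a site that sets the header in one Nginx `location` block or in a single module hook can easily leave other paths uncovered.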

Credits

  1. Greggles
  2. Droope
  3. Drupal community and contributors
  4. Dionach
  5. Matt Farina