Cracking Drupal: A Drop in the Bucket [Paperback]

Greg Knaddison (Author)

Book Description

ISBN-10: 0470429038 | ISBN-13: 978-0470429037 | Publication Date: May 11, 2009 | Edition: 1

The first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing Drupal is an open source framework and content management system that allows users to create and organize content, customize presentation, automate tasks, and manage site visitors and contributors. Authored by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing. The main goal of this guide is to explain how to write code that avoids an attack in the Drupal environment, while also addressing how to proceed if vulnerability has been spotted and then regain control of security.

Editorial Reviews

From the Back Cover

Uncover threats and protect your Drupal® site with proven strategies

What is the worst-case scenario if your Web site gets attacked and the security is broken? By following the strategies in this guide, you don't have to find out. It first walks you through the vulnerabilities you'll face and the steps you should take to protect a basic Drupal site. You'll then discover how to review a module to find weaknesses and fix them. And you'll learn how to keep your site running securely by implementing more advanced techniques.

Take control of your site by learning how to:

• Prevent the common ways that Drupal gets cracked

• Uncover parts of the attack surface that can expose your site

• Install extra modules and configure Drupal to maintain your site's security

• Control the security of your site using Drupal's API

• Utilize the Drupal Access system to limit who can see specific content

• Test your site with automated scanners like Grendel

• Follow strategies to find, exploit, and avoid vulnerabilities

• Leverage resources from the Drupal Security Team

For all the code in this book, as well as all the latest updates, visit the Web site http://crackingdrupal.com.

About the Author

Greg James Knaddison is Principal of Growing Venture Solutions and a dedicated Drupalista. As a member of the Drupal security team, Knaddison has participated in every part of the process including identifying vulnerabilities, creating fixes, testing fixes, and writing security documentation and advisories. He has also contributed modules and publishes the news site DrupalDashboard.com.

Product Details

• Paperback: 240 pages
• Publisher: Wiley; 1 edition (May 11, 2009)
• Language: English
• ISBN-10: 0470429038
• ISBN-13: 978-0470429037
• Product Dimensions: 9.2 x 7.4 x 0.5 inches
• Shipping Weight: 12.8 ounces (View shipping rates and policies)
• Average Customer Review: 4.5 out of 5 stars  See all reviews (13 customer reviews)
• Amazon Best Sellers Rank: #269,647 in Books (See Top 100 in Books)

More About the Author

I'm a Drupal developer and site builder who got involved in the security of Drupal sites and modules the hard way: by having to fix an insecure module I maintained.

Now I've done dozens of presentations about security and Drupal and felt that a book would be a great way to share that knowledge with an even broader audience.

Customer Reviews

Most Helpful Customer Reviews

17 of 18 people found the following review helpful:

5.0 out of 5 stars Site Hacked? Read Cracking Drupal!, July 27, 2009

By 

Aaron Winborn "AaronWinborn.com" (Harrisburg, PA USA) - See all my reviews

Amazon Verified Purchase

This review is from: Cracking Drupal: A Drop in the Bucket (Paperback)

Cracking Drupal: A Drop in the Bucket was everything I'd hoped it would be, and more.

I know that's a cliche, but when I first learned about Greg Knaddison's book (greggles in Drupal-land), I'd assumed it would be aimed primarily at Drupal contributed module developers. By the time I finished the excellent book about Drupal security, I realized it was an essential read for anyone connected with developing, theming, or maintaining a Drupal site.

I had been anticipating the release of Knaddison's book for months, as I've been a fan of his for some time, due in part to his active and helpful role in Drupal's forums, and to his work with the Security Team. After reading the book, I feel more secure than ever using Drupal, as its well-documented API and best practices ensure that any module maintainer adhering to them will produce rock-solid code. At the same time, it quite visibly demonstrates the importance of an active community to ensure the modules and themes we use do just that.

Let's look in more detail at the book.

Part One, "Anatomy of Vulnerabilities", offers an extensive overview of the predominate routes of attack that may be taken against a site. It's split logically into two chapters by vulnerabilities possible with Drupal or its contributed modules and themes, and by potential weaknesses introduced by a poorly configured or poorly maintained server environment.

The first two chapters, "That Horrible Sinking Feeling" and "Security Principles and Vulnerabilities outside Drupal", jump right into outlining the more commong things that could expose your site to attack. By beginning with this acopolyptic message. Greg grabs the reader's attention and embues a sense of dread and hopelessness. Fortuntely, he doesn't leave us hanging, and immediately shows us in the next part, "Protecting against Vulnerabilities", relatively easy configurations and optional modules that can buttress our sites with defenses against some of the more common lines of attack, such as tools to subscribe a site for security updates, enforcing strong passwords and reducing the risks of persistant sessions.

Chapter 4, "Drupal's User and Permissions System", begins the section most exciting to me as a developer, by describing the API and hooks offered by Drupal to help create more secure code. It offers, for example, and in-depth examination of the famous t() function, showing its dual nature as an aid to translation and internationalization, and (when used properly) as an easy method to automatically filter user input from XSS attacks. Then, as the title implies, the bulk of that chapter offers an in-depth overview of the user and permission system, and how the menu system hooks into it.

Chapter 5, "Dangerous Input, Cleaning Output", begins with an exciting foray into the database API for Drupal. It covers safely using the database functionality for Drupal 6 and earlier, and the new, improved, and evermore secure system we can look forward to for Drupal 7. It then meanders into sanitizing output, and applying lessons learned to form building.

We learn in Chapter 6 about best practices for developers who work at the theme level (or themers), beginning with an overview of Drupal's theming system and PHPTemplate. The overview is particularly valuable, as Greg poinjts out that many people who work at the theme level do not necessarily come from a PHP background, so have another hurdle to overcome in ensuring a secure site. Fortunately, as he reiterates, it's hard to go wrong as long as we stick to the established standards. For module developers, he cautions the need to maintain a clear seperation of code from form, keeping template files as clean as possible.

Next on the plate is the Node Access system, thoroughly described in Chapter 7. My first exploration of this initially baffling framework was the concise, though somewhat cryptic, summary in Pro Drupal Developer (an excellent book, by the way, and another essential in any Drupal developer's library). Greg offers more of a leisurely walkthrough, which would have saved me hours of frustration when I first was learning that system.

The final chapter of that section, "Automated Security Testing", explores some currently available modules that should be in the bag of tricks for not only module developers, but anyone deploying a site. He describes how they can be used to test both the modules in use, and a site's custom theme, where many of the vulnerabilities in the wild can be found.

Which brings us, finally, to Part Three, "Weaknesses in the Wild". Chapter 9 offers real world examples of vulnerabilities, showing how to find not only weaknesses in contributed modules using nothing more than a search on your local cvs repository checkout, but also weaknesses in the wild, using nothing more than a Google search. Scared yet? You should be. But before you think, "Maybe Drupal's too insecure for me to use, if you can find weaknesses so easily," just remember that every contributing developer to Drupal is interested in creating and maintaining secure code, and at the very least, we can ensure our own sites will be ahead of the game if we do nothing more than keep them updated to the most secure releases as they become available.

Now for your Homework...

Your homework, if you're interested in putting your knowledge to a test, is to complete a full security audit on a 'Vulnerable' module (a dubious companion to the book), and Knaddison offers his own answers in Chapter 10, "Un-Cracking Drupal". I found this fun exercise to be informative, and it is helping me work through my own code to check for vulnerabilities.

The appendices are useful in their own right. The first appendix examines several useful core functions, explaining specifically how they help maintain security through proper usage. Greg offers useful examples of how to properly use each. The next appendix demonstrates how to create a clean (and secure!) Drupal installation. The final appendix introduces readers to the active Drupal Security Team, and to several useful resources outside the Drupal community, in the larger world of Internet security.

If you've read this far without purchasing the book yet, then get on it! You need Cracking Drupal: A Drop in the Bucket by Greg Knaddison. Your sites will be happy for it.

12 of 13 people found the following review helpful:

5.0 out of 5 stars More than meets the eye!, May 3, 2009

By 

Doug Vann "dougvann" (Indianapolis) - See all my reviews

This review is from: Cracking Drupal: A Drop in the Bucket (Paperback)

Whoa!
This book does not seek to alarm you as much as it seeks to inform you.
The problem is not that Drupal is not secure. What Gregg shows is that its up to the admin to make sure that all of the security features are used properly to ensure a secure site. By showing what hackers might do the reader is informed on how to make sure that those attacks would not cause damage to their sites.
In a word, this book is PRACTICAL. And for a second word I would add ESSENTIAL.
This book is causing a lot of conversation in the Drupal community. We're all glad that it has become an easy to read, one-stop-shop to get the facts on security.

8 of 9 people found the following review helpful:

5.0 out of 5 stars Don' take your site live without this book, May 11, 2009

By 

Cary Gordon (Los Angeles, CA USA) - See all my reviews
(REAL NAME)   

This review is from: Cracking Drupal: A Drop in the Bucket (Paperback)

In this wonderfully concise and well written book, Greg Knaddison has managed to cover both the theory and practice of securing your Drupal site as well as your users against the myriad dangers of the internet. As professional Drupal site developers, we pay close attention to security. It is great that we can now have so many userful resources together in one place.