Drupal security review steps

Jul 19th, 2015

There used to be this pretty sweet site called drupalscout but it looks like it was taken down. Damn. Well, I used the way back machine to track down the old page on Drupal security reviews and am re-posting it here for reference.

The article was listed on drupalscout under the http://creativecommons.org/licenses/by-sa/3.0/ license.

STEPS TO A DRUPAL SECURITY REVIEW

Submitted by Greg Knaddison on Mon, 02/21/2011 - 18:50

As we've developed our security review offering we've come up with this outline. We don't follow all the steps on every site because they sometimes have specific concerns we address. But this is our exhaustive list of steps. Note that this is only about the Drupal portion of the stack. There is an array of things you could also analyze at the webserver, database server, operating system, network and even data center levels of the stack.

The first are relatively simple to perform. The last three (manual review, and putting it all in a report) are the hardest.

Steps to review a Drupal site's security

Automated or semi-automated steps:

  • Santize the database, remove all e-mail addresses, remove passwords, etc.
  • Install one or more of mail_loggerreroute_emailadvanced_mail_reroutemaillog so that your testing won't accidentally send mails.
  • Is core modified anywhere? Are their contribs modified anywhere? check with Hacked!
  • Are those modifications documented somewhere or just modified? Ideally patch files should exist somewhere like /sites/example.com/patches/ or in the module directory itself with a Drupal.org issue number and comment number as part of the patch name).
  • Install Security Review module on the live site and local site and make sure it passes
  • Use a stronger than normal rainbow table to find anyone who has an advanced role and a weak password (See this issue for some related work).
  • Run Coder Security on all contributed modules and custom code
  • Run Secure Code Review on contributed modules and all custom code
  • Run the Drupal Scout XSS scanner

Manual steps:

  • Install vuln and browse the site as a human
  • Interview the client: What does the site do? What can users do on the site? What content can they post, what fields can they edit? Based on those interviews
  • Probe the site, entering fuzz content and/or Javascript
  • Manually review the custom theme
  • Manually review custom code

The manual review is based on knowledge of secure coding practices. That can be gained from reading the handbook and reading Cracking Drupal.

Suggestions and report:

  • Suggest SSL, especially for logins and admins, if they run a site where that is worth it
  • Suggest OpenID (part of core), Janrain Engage, etc. so that credentials like username/password can be remembered once and used on multiple sites.
  • Prepare report for issues including
    • a narrative describing the above process
    • prioritized vulnerability list with severity and estimated difficulty to fix
    • reference material describing vulnerabilities found (e.g. what is XSS?)
    • screenshots of vulnerabilities where applicable
    • a general assessment of the site

Tags

Security

Internal References

Security Review
Security Kit
Login Security
Drop the Ripper

External References

https://web.archive.org/web/20130605144619/http://drupalscout.com/node/11
https://docs.acquia.com/articles/steps-drupal-security-review

Article Type

General