
Hire Drupal Developers - Optisol business Solutions is a leading drupal web application development company specializing in custom drupal development services, drupal 7 module, drupal theme development, drupal web development company, hire dedicated drupal developers, drupal consulting services Chennai, India. For more info, http://www.optisolbusiness.com/index.php/drupal-development

How To Avoid Web Application Vulnerabilities In Drupal Based Web Applications?

Web applications are vulnerable to attacks whose harm may range from nothing at all to putting you out of business.

Businesses have to evaluate the risk involved and be prepared to mitigate it. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.

Research studies across different applications have identified the most common vulnerabilities. The names of these vulnerabilities, or risks, stem from the type of attack, the type of weakness, or the type of impact they cause. The top six such vulnerabilities are listed below:

The ways to prepare against these vulnerabilities differ with the context of the web application. The application frameworks and platforms available in the market provide guidelines and patterns to be used while developing applications on those platforms. This paper discusses the protections the Drupal framework provides against the listed web application vulnerabilities.

A1-Injection

Drupal provides a database API with built-in SQL injection prevention. Properly used, it is not possible to inject arbitrary SQL.

Drupal 7's new database API makes writing insecure database code even more difficult.

Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
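The following is an added example, not code from the paper or from Drupal itself. It shows the mechanism behind the "properly used" qualifier above: a value bound to a named placeholder is sent to the database as data and can never alter the structure of the query, whereas the same value concatenated into the SQL text can. It uses plain PDO with an in-memory SQLite table and constructed rows so it runs offline; Drupal 7's database layer is built on PDO and `db_query()` takes the same named-placeholder form, shown in a comment.

```php
<?php
// Added example (not Drupal's own code). Demonstrates string concatenation
// versus placeholder binding on a constructed in-memory SQLite table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, status INTEGER)');
// Constructed sample data: one active account, one blocked account.
$db->exec("INSERT INTO users VALUES (1, 'alice', 1), (2, 'bob', 0)");

// A value that arrived in the request; constructed here to stand in for hostile input.
$requested = "x' OR 1=1 --";

// Vulnerable pattern: the request value becomes part of the SQL text, so the
// quote ends the literal and the comment marker discards the status check.
function lookup_unsafe(PDO $db, string $name): array {
    $sql = "SELECT name FROM users WHERE name = '$name' AND status = 1";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Safe pattern: the value is bound to a placeholder. The parser sees the query
// shape first and the value afterwards, so the quote and comment are just text.
// Drupal 7's equivalent, with the same placeholder syntax:
//   db_query('SELECT name FROM {users} WHERE name = :name AND status = 1',
//            array(':name' => $name))->fetchCol();
function lookup_safe(PDO $db, string $name): array {
    $stmt = $db->prepare('SELECT name FROM users WHERE name = :name AND status = 1');
    $stmt->execute(array(':name' => $name));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

$unsafeRows = lookup_unsafe($db, $requested);   // both accounts, blocked one included
$safeRows   = lookup_safe($db, $requested);     // no account has that literal name

printf("concatenated query matched %d row(s): %s\n", count($unsafeRows), implode(', ', $unsafeRows));
printf("parameterized query matched %d row(s)\n", count($safeRows));
```

Run it with `php example.php` on any PHP build that has `pdo_sqlite`. The point to take from it is that the safe version needs no escaping logic at all: correctness comes from never letting request data reach the SQL parser as code, which is exactly what Drupal's API enforces when every variable goes through a placeholder or the query builder.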

A2-Broken Authentication and Session Management

Authentication cookies are not modifiable by site users. This prevents users from masquerading as more powerful users.

User sessions (and related cookies) are completely destroyed and recreated on log-in and log-out. User name, ID and password are only managed on the server side, not in the user's cookie.

Passwords are never emailed. Session cookies are named uniquely for each Drupal installation.

A3-Insecure Direct Object References

Drupal's menu and form APIs encourage validating and sanitizing data submitted by users.

When object references are passed through the form API, Drupal core protects the values from tampering by site users.

Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.

A4-Cross-site Request Forgery

If a site allows users to load any content off external servers, the site can be used to originate attacks. This is configurable either way in Drupal.

Drupal filters out scripting variations of this attack, leaving only the simpler (GET-type) ones.

The simpler CSRF attacks fail when attacking Drupal because the form API isolates state-changing operations behind POST requests.

A5-Cross Site Scripting

Drupal has a system of input filters that remove potential XSS exploits from user input.

The Form API verifies that a user loaded a form before submitting it. This verification makes effective XSS against Drupal sites considerably more difficult.
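The two protections named in A4 and A5 (state changes only over POST, and proof that the submitting user actually loaded the form) are what a per-session, per-form token implements. The example below is added here and is not Drupal's code; it models the scheme in plain PHP. Drupal 7's `drupal_get_token()` computes an HMAC over the form id keyed with the session id, the site's private key and the hash salt; the example keeps the same ingredients but uses a constructed key and session id so it runs offline, and the `handle_delete()` handler and request arrays are hypothetical.

```php
<?php
// Added example (not Drupal's own code): a form token bound to the session and
// the form id, checked only on POST. Key and session ids are constructed.
const SITE_PRIVATE_KEY = 'constructed-per-install-key-not-a-real-secret';

function form_token(string $session_id, string $form_id): string {
    // Keying on session id + site key means a token taken from another user's
    // session, or from a different form, does not verify here.
    return hash_hmac('sha256', $form_id, $session_id . SITE_PRIVATE_KEY);
}

function token_valid(string $session_id, string $form_id, string $presented): bool {
    // Constant-time comparison so the check does not leak the token byte by byte.
    return hash_equals(form_token($session_id, $form_id), $presented);
}

// Hypothetical handler for a state-changing action (deleting a node).
function handle_delete(array $request, string $session_id): string {
    if ($request['method'] !== 'POST') {
        // GET-type forgeries (an <img> or link pointing at this URL) stop here.
        return 'rejected: state changes are only accepted over POST';
    }
    $token = $request['post']['form_token'] ?? '';
    if (!token_valid($session_id, 'node_delete_form', $token)) {
        // A cross-site POST cannot read the victim's token, so it fails here.
        return 'rejected: form token missing or invalid';
    }
    return 'deleted node ' . (int) $request['post']['nid'];
}

// Constructed requests against one victim session.
$session = 'sess_victim_abc123';
$requests = [
    'legitimate submit' => ['method' => 'POST', 'post' => ['nid' => 7,
        'form_token' => form_token($session, 'node_delete_form')]],
    'forged GET'        => ['method' => 'GET',  'post' => []],
    'forged POST'       => ['method' => 'POST', 'post' => ['nid' => 7]],
    'other session\'s token' => ['method' => 'POST', 'post' => ['nid' => 7,
        'form_token' => form_token('sess_attacker', 'node_delete_form')]],
    'token from another form' => ['method' => 'POST', 'post' => ['nid' => 7,
        'form_token' => form_token($session, 'user_profile_form')]],
];

foreach ($requests as $label => $r) {
    printf("%-24s -> %s\n", $label, handle_delete($r, $session));
}
```

Only the first request is accepted. The token is emitted as a hidden field when the form is rendered, which is what ties "the user loaded this form" to "the user submitted this form"; binding it to the form id as well as the session is what stops a token captured from one form being replayed against a more sensitive one.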

A6-Insecure Cryptographic Storage

Passwords are stored using a one-way hash. Even if someone downloads the site database, recovering usable passwords is difficult.

Drupal provides a randomly generated private key for every installation. Modules can use this key for reversible encryption of sensitive data like credit-card numbers.

Commerce modules for Drupal minimize any retention of sensitive data.
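An added example, not taken from the paper or from Drupal, illustrating the two storage rules in this section: passwords are kept only as a salted one-way hash, and data that must be read back is encrypted under a key that lives outside the database. It uses PHP's built-in `password_hash()`/`password_verify()` and the sodium secretbox functions (bundled with PHP 7.2 and later). The key is generated at runtime as a stand-in for the per-installation private key Drupal stores in its configuration; the field names are hypothetical. Drupal 7 core itself hashes passwords through `user_hash_password()` and `user_check_password()` in `includes/password.inc`.

```php
<?php
// Added example (not Drupal's own code): one-way password storage plus
// authenticated, reversible encryption under a per-installation key.

// (1) Passwords: store a salted, iterated one-way hash; never the plaintext.
function store_password(string $plain): string {
    return password_hash($plain, PASSWORD_DEFAULT);   // bcrypt, random per-password salt
}
function check_password(string $plain, string $stored): bool {
    return password_verify($plain, $stored);
}

// (2) Data that has to be read back (e.g. a payment-gateway token):
//     encrypt-then-authenticate with a key the database never contains.
function encrypt_field(string $plain, string $key): string {
    $nonce = random_bytes(SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);   // unique per record, not secret
    return base64_encode($nonce . sodium_crypto_secretbox($plain, $nonce, $key));
}
function decrypt_field(string $encoded, string $key): ?string {
    $raw = base64_decode($encoded, true);
    if ($raw === false || strlen($raw) < SODIUM_CRYPTO_SECRETBOX_NONCEBYTES) {
        return null;                                              // malformed record
    }
    $nonce = substr($raw, 0, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $box   = substr($raw, SODIUM_CRYPTO_SECRETBOX_NONCEBYTES);
    $plain = sodium_crypto_secretbox_open($box, $nonce, $key);
    return $plain === false ? null : $plain;                      // null: wrong key or tampered
}

// Constructed stand-in for the per-installation private key.
$site_key = sodium_crypto_secretbox_keygen();

$hash = store_password('correct horse battery staple');
printf("stored hash: %s\n", $hash);                               // no plaintext recoverable
printf("right password verifies: %s\n", var_export(check_password('correct horse battery staple', $hash), true));
printf("wrong password verifies: %s\n", var_export(check_password('wrong', $hash), true));

$record = encrypt_field('tok_constructed_4242', $site_key);
printf("decrypted with site key: %s\n", var_export(decrypt_field($record, $site_key), true));

// Attacker with only the database dump: wrong key, or a modified ciphertext.
$other_key = sodium_crypto_secretbox_keygen();
printf("decrypted with other key: %s\n", var_export(decrypt_field($record, $other_key), true));
$tampered = base64_encode(base64_decode($record) ^ str_repeat("\0", 40) . "\x01");
printf("tampered record: %s\n", var_export(decrypt_field($tampered, $site_key), true));
```

The tamper case is why an authenticated mode matters for card-style data: a plain CBC or ECB ciphertext would decrypt a flipped byte into garbage rather than failing, and the application would act on it. Keeping the key in site configuration rather than in a table means a database dump alone, the scenario the section describes, yields neither passwords nor the encrypted fields.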

For more information about Drupal web development services and Drupal 7 module development, please visit: http://www.optisolbusiness.com/index.php/drupal-development