Drupal Planet

Using Hacked! module to compare Drupal site code to standard code

One of the first things we do when supporting a site or reviewing it for security is look for modifications to the code.

We use the Hacked module to achieve this because it works quickly and automates a lot of the work in what is a normally very tedious process.

Here's some basic usage:

Using filter functions as intended: filter_xss and classes

Consider this code found in a page.tpl.php file.

  <body class="<?php print filter_xss($_GET['parameter']); ?>">

The documentation for filter_xss states:

Filters an HTML string to prevent cross-site-scripting (XSS) vulnerabilities.

So, you might think the above code is safe - it's using filter_xss after all.

Improvements to Security in Drupal 7
This article has been moved to the Acquia Help Center!

The Acquia Help Center contains Drupal and Acquia product knowledge that you can use to help you as you develop your Drupal websites, including much of the security information that started here on Drupal Scout.

Steps to a Drupal Security Review

As we've developed our security review offering we've come up with this outline. We don't follow all the steps on every site because they sometimes have specific concerns we address. But this is our exhaustive list of steps. Note that this is only about the Drupal portion of the stack. There is an array of things you could also analyze at the webserver, database server, operating system, network and even data center levels of the stack.

The first few are relatively simple to perform. The last three (manual review, and putting it all in a report) are the hardest.

Protecting your Drupal module against Cross Site Request Forgeries (CSRF)

Cross Site Request Forgeries (CSRF) are the 3rd most common vulnerability in Drupal and yet they are quite easy to protect against. The precise solution depends on where the problem is, but is never too complex to implement. To start, of course, we need to understand what CSRF actually is: Introduction to CSRF. Now let's learn how to protect against it.

Drupal and SSL - Multiple Recipes to Possible Solutions for HTTPS

As Matt Cheney likes to say "Much like Scrabble, the S is an important letter on the internet." If you really care about the data you are sending across the internet you want to make sure you are using SFTP instead of FTP, SSH instead of Telnet, and HTTPS instead of HTTP. So, within a Drupal site how can you use HTTPS to secure the data sent to and from your site and prevent sessions from being hijacked?