Simple steps to improve security on your Drupal site
BY webmaster
7 years ago
Drupal

To ensure the security of confidential data on your Drupal site, testing has to be done to determine whether the site protects its data while maintaining its functionality. Web applications are always prone to unauthorized access to, or modification of, sensitive information. The testing done on an application to remove such weaknesses is called security testing.
The following are some of the test cases for assuring the security of a Drupal website:

Authentication

  • Test whether a captcha is set up so that the application keeps unauthorized users from accessing the Drupal site.
  • Test whether the account is locked after a set number of failed login attempts.
  • Test whether the admin gets an alert or notification when an account is blocked because of failed login attempts.
  • Test whether a security question is asked while creating an account.
  • Test whether a security question is asked for password recovery.
  • Test whether the password is encrypted using Secure Sockets Layer (SSL) while it is sent.
  • Test whether the system displays password characters while a password is being entered.
  • Test whether pages can be accessed by copying and pasting the login URL again without entering the password.
  • Test whether the password field supports the copy operation.
  • Test whether the password field is reset to blank when moving to the next or previous page.
  • Test whether the password is passed directly through the query string/URL without encryption.
  • Test access after the session times out, and the session timeout settings.
  • Test whether the system asks for the password to be changed periodically.
  • Test whether data or pages can be downloaded through FTP or any other channel without valid authentication.
  • Test whether secured pages can be accessed through the browser's history.


Access Control

  • Test whether a regular user can access admin data.
  • Test whether a user can access an unauthorized page by copying and pasting its URL.
  • Test whether clicking the back button redirects a user to the URL of the last user's login or to the pages they last visited.


Buffer Overflows

  • Test whether all data input fields have reasonable field lengths and specific data types.
  • Test the amount of text allowed in free-form fields.


Input Validation

  • Test whether the system accepts illegal characters.
  • Test the maximum length allowed in the field.
  • Test the minimum length allowed in the field.
  • Test the data type of the field.
  • Test whether a null value is allowed in the field.
  • Test the format of the field.


Cross-site Scripting

  • Test whether the generated pages are properly encoded to prevent unintended execution of scripts.
  • Test whether dynamically generated pages contain no undesired tags.


SQL Injection

  • Test whether a query inserted into a user input field is executed by the application.


Improper Error Handling

  • Test whether error messages contain only information that is safe to disclose.
  • Test the response time for the error messages.


Session Management

  • Test for session hijacking vulnerability if your application uses a session identifier in the URL.


Insecure Storage

  • Test whether sensitive information is protected using strong encryption methods.

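Several of the checks above (password or session identifier in the URL, login over SSL, secured pages reachable through the browser's history, session cookie flags, and error messages that reveal internals) can be automated against a captured request and response. The auditor below is an added example, not code from the original post or from Drupal itself; the sample exchange and hostname are constructed, and the cookie rule assumes Drupal's SESS/SSESS session cookie naming.

```python
"""Audit one captured HTTP exchange against several checklist items."""
import re
from http.cookies import SimpleCookie
from urllib.parse import parse_qs, urlsplit

# Constructed sample (not a real site): a login request that leaked the
# password and session id into the query string, a cacheable response, a
# session cookie without the Secure flag, and a verbose database error.
SAMPLE = {
    "url": "http://drupal.example.test/user/login?name=alice&pass=s3cret&SESSabc=9f1",
    "headers": {
        "Set-Cookie": "SESSabc=9f1a2b; Path=/; HttpOnly",
        "Cache-Control": "public, max-age=3600",
        "X-Powered-By": "PHP/5.3.3",
    },
    "body": (
        '<form><input type="password" name="pass"></form>'
        '<div class="messages error">PDOException: SQLSTATE[42S02] '
        'in /var/www/html/includes/database/database.inc line 2171</div>'
    ),
}

def audit(exchange):
    """Return {check_name: True if the check passes, False if it fails}."""
    url = urlsplit(exchange["url"])
    query = {k.lower() for k in parse_qs(url.query)}
    headers = {k.lower(): v for k, v in exchange["headers"].items()}
    body = exchange["body"]
    jar = SimpleCookie()
    jar.load(headers.get("set-cookie", ""))
    # Assumption: Drupal names its session cookie SESS<hash> (SSESS<hash> on HTTPS).
    session = [m for n, m in jar.items() if n.upper().startswith(("SESS", "SSESS"))]
    cache = headers.get("cache-control", "").lower()
    return {
        "login_over_tls": url.scheme == "https",            # password sent over SSL
        "no_password_in_url": not ({"pass", "password"} & query),
        "no_session_id_in_url": not any(k.startswith("sess") for k in query),
        "session_cookie_httponly": all(m["httponly"] for m in session),
        "session_cookie_secure": all(m["secure"] for m in session),
        "no_store_cache": "no-store" in cache,              # not reachable via history
        "no_error_leak": not re.search(r"Exception|SQLSTATE|/var/www|line \d+", body),
        "no_version_banner": "x-powered-by" not in headers,
    }

def failed_checks(exchange):
    """Names of the failing checks, sorted for stable reporting."""
    return sorted(name for name, ok in audit(exchange).items() if not ok)

if __name__ == "__main__":
    for name in failed_checks(SAMPLE):
        print("FAIL:", name)
```

Run the auditor over a hardened exchange (HTTPS, no credentials in the query string, `Secure; HttpOnly` session cookie, `no-store`, generic error page) and the failing list should be empty.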

Conclusion

Security requirements will change with respect to the external environment. Constant review of, and attention to, the threat environment is necessary for maintaining a Drupal application's security. For more information, check Drupal Security Tips.
