Hire Drupal Developers - Optisol business Solutions is a leading drupal web application development company specializing in custom drupal development services, drupal 7 module, drupal theme development, drupal web development company, hire dedicated drupal developers, drupal consulting services Chennai, India. For more info, http://www.optisolbusiness.com/index.php/drupal-development
How To Avoid Web Application Vulnerabilities In Drupal Based Web Applications?
Web applications are vulnerable to attacks whose harm ranges from negligible all the way to putting you out of business.
Businesses have to evaluate the risk involved and be prepared to mitigate it. To determine the risk to your organization, you can evaluate the likelihood associated with each threat agent, attack vector, and security weakness and combine it with an estimate of the technical and business impact to your organization. Together, these factors determine the overall risk.
Research studies across different applications have identified the most common vulnerabilities. The names of these vulnerabilities or risks stem from the type of attack, the type of weakness, or the type of impact they cause. The top six such vulnerabilities are listed below.
The ways to prepare for the prevention of these vulnerabilities differ with the context of the web application. The various application frameworks and platforms available in the market provide guidelines and patterns to be used while developing applications on them. This paper discusses the protections the Drupal framework provides against the listed web application vulnerabilities.
A1-Injection
Drupal provides a database API with built-in SQL injection attack prevention. Properly used, it is not possible to inject arbitrary SQL.
Drupal 7's new database API makes writing insecure database code even more difficult.
Drupal provides a set of functions to process URLs and SQL arguments, making security an easy choice for developers.
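As an added illustration (not from this paper and not Drupal core code), the Drupal 7 snippet below contrasts SQL built by string concatenation with the placeholder and query-builder forms the database API provides; the module name `example_lookup`, the function names and the lookup-by-username scenario are assumptions.

```php
<?php
// Added example: a hypothetical Drupal 7 module "example_lookup" that finds a
// user by name. Only the Drupal 7 database API calls used here are real.

// Vulnerable form: user-controlled $name is spliced into the SQL string, so a
// quote character inside it changes the structure of the statement.
// Shown only for contrast with the hardened versions below.
function example_lookup_insecure($name) {
  $result = db_query("SELECT uid, name FROM {users} WHERE name = '" . $name . "'");
  return $result->fetchAssoc();
}

// Hardened form: a named placeholder. The database layer binds $name as data,
// so quotes or SQL keywords inside it can never alter the statement. The
// {users} braces let Drupal apply the configured table prefix.
function example_lookup_secure($name) {
  $result = db_query('SELECT uid, name FROM {users} WHERE name = :name', array(
    ':name' => $name,
  ));
  return $result->fetchAssoc();
}

// Equivalent using the query builder: condition() values are bound for you,
// and a dynamic query is easier to extend with hook_query_alter() than raw SQL.
function example_lookup_builder($name) {
  return db_select('users', 'u')
    ->fields('u', array('uid', 'name'))
    ->condition('u.name', $name)
    ->execute()
    ->fetchAssoc();
}

// Page callback (registered through hook_menu() in the real module, omitted
// here). The value read back from the database is user-originated text, so it
// goes through t() with @-placeholders, which applies check_plain() before the
// string reaches the browser.
function example_lookup_page($name) {
  $row = example_lookup_secure($name);
  if (!$row) {
    return '<p>' . t('No user named @name.', array('@name' => $name)) . '</p>';
  }
  return '<p>' . t('Found user @name (uid @uid).', array(
    '@name' => $row['name'],
    '@uid' => $row['uid'],
  )) . '</p>';
}
```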
A2-Broken Authentication and Session Management
Authentication cookies are not modifiable by site users. This prevents users from masquerading as more powerful users. User sessions (and related cookies) are completely destroyed and recreated on log-in and log-out. User name, ID and password are only managed on the server side, not in the user's cookie.
Passwords are never emailed. Session cookies are named uniquely for each Drupal installation.
A3-Insecure Direct Object References
Drupal's menu and form API encourage validating and sanitizing data submitted from users.
When object references are passed through the form API, Drupal core protects the values from tampering by site users.
Drupal and PHP provide file and session APIs that allow convenient and secure object reference passing.
A4-Cross-site Request Forgery
If a site allows users to load any content off external servers, the site can be used to originate attacks. This is configurable either way in Drupal.
Drupal filters out scripting variations of this attack, leaving only simpler (GET-type) ones.
The simpler CSRF attacks fail when attacking Drupal because the form API isolates state-changing operations behind POST requests.
A5-Cross Site Scripting
Drupal has a system of input filters that remove potential XSS exploits from user input.
The Form API verifies that a user loaded a form before submitting it. This verification makes effective XSS against Drupal sites considerably more difficult.
A6-Insecure Cryptographic Storage
Passwords are stored using a one-way hash. Even if someone downloads the site database, recovering usable passwords is difficult.
Drupal provides a randomly generated private key for every installation. Modules can use this key for reversible encryption of sensitive data like credit-card numbers.
Commerce modules for Drupal minimize any retention of sensitive data.
For more information about Drupal web development services and Drupal 7 module development, please visit: http://www.optisolbusiness.com/index.php/drupal-development