Website security: input, output and vulnerabilities
In this final episode of our web security series, we examine some of the vulnerabilities most often uncovered in penetration tests.
Threats and attacks come in many guises. Security experts, and pen-test reports in particular, tend to refer to them by acronym, which often leaves the reader none the wiser.
The OWASP (Open Web Application Security Project) Top 10 is the go-to reference for the biggest threats and most common problems on the web today.
When reading a pen-test report, use OWASP as a reference to illustrate exactly what your security consultant is saying.
Text inputs
A common problem with interactive sites is allowing visitors to do too much. This often manifests as the ability for anonymous users to add JavaScript or even images to, say, comments. Allowing JavaScript to be written by anonymous users will leave a site wide open to abuse.
Sadly, allowing the use of third-party images can also lead to JavaScript execution, because web browsers don’t really care what they are asked to fetch, and are quite happy to pull down a script file instead of an image.
Drupal has measures to deal with this: text input filters, which can be configured to restrict what a user may enter, rendering malicious code harmless. However, such text input filters have to be correctly configured to be of any use.
Filter on output
Hand in hand with text input filters, Drupal has a second line of defence against malicious input: output filters. These are used by a site’s programmers to strip out or render harmless (by escaping) any content which is output for rendering to the screen.
Used carefully, input and output filters can be a very effective defence against malicious input.
Processing input
When a user interacts with a site, processing occurs. When you click on a link, the browser sends a request to a server, which processes the request and returns a response. When you get down to it, every request is just text.
Depending upon how the web application handles them, such text requests can sometimes be carefully crafted to include database commands.
This is known as SQL injection: an attacker hides malicious queries inside an ordinary-looking request, and the results can be devastating.
Fortunately, Drupal has a database abstraction layer which, when used properly, is an effective defence against SQL injection: behind the scenes it filters and escapes dangerous statements and characters before they reach the database.
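The two defences described above, as an added example that is not from the original article: a hypothetical module function that concatenates a search term into SQL, beside the same lookup written against Drupal's database API with placeholders, and a comment renderer that escapes or allow-lists its output. The module and function names are assumed; the Drupal APIs (`\Drupal::database()`, `escapeLike()`, `Xss::filter()`, `#plain_text`) are real.

```php
<?php
// Added example (not from the article). Module and function names are hypothetical.

use Drupal\Component\Utility\Xss;

/**
 * VULNERABLE: the user-supplied term is concatenated straight into the SQL
 * text, so the database cannot tell data from query structure.
 */
function mymodule_search_vulnerable(string $term): array {
  $sql = "SELECT nid, title FROM {node_field_data} WHERE title LIKE '%" . $term . "%'";
  return \Drupal::database()->query($sql)->fetchAll();
}

/**
 * SAFE: the term travels as a named placeholder, separately from the statement,
 * so it is only ever compared as a value and never parsed as SQL.
 * escapeLike() additionally neutralises the LIKE wildcards % and _, so a
 * visitor cannot widen the match beyond what they typed.
 */
function mymodule_search_safe(string $term): array {
  $db = \Drupal::database();
  return $db->query(
    'SELECT nid, title FROM {node_field_data} WHERE title LIKE :pattern',
    [':pattern' => '%' . $db->escapeLike($term) . '%']
  )->fetchAll();
}

/**
 * Output filtering for a comment. With $allow_basic_html = FALSE the text is
 * rendered through #plain_text, which Drupal escapes on output, so any
 * <script> tag or event handler is shown literally rather than executed.
 * With TRUE, Xss::filter() keeps only the listed tags and strips scripts,
 * on* attributes and javascript: URLs, mirroring a restrictive text format.
 */
function mymodule_render_comment(string $comment, bool $allow_basic_html = FALSE): array {
  if (!$allow_basic_html) {
    return ['#plain_text' => $comment];
  }
  $allowed_tags = ['a', 'em', 'strong', 'cite', 'code', 'ul', 'ol', 'li'];
  return ['#markup' => Xss::filter($comment, $allowed_tags)];
}
```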
The Drupal community has excellent resources on secure programming, which detail the many layers of protection built into the front end, the back end and the storage engines.
This completes our whistle-stop tour of web application security basics. Drupal as a system is secure by design, but it still requires that it is set up correctly if one is to take full advantage of its protective features.
Anthony Lindsay, Director of Managed Services
With decades of experience, Anthony leads the Annertech Managed Services Team, delivering top quality design, development and, ultimately, peace-of-mind services to all of Annertech's wonderful clients.