Drupal Security Audit & Penetration Testing: Steps & Tools
Drupal has been a popular choice for CMS however, it’s security has been a point of debate. The Drupal team has always claimed it to be the more secure CMS among the popular ones. Contrary to this claim, some critics have claimed that Drupal’s security is no different than any other CMS. These claims were backed by serious bugs, Drupalgeddon 1, 2 & 3 discovered during a Drupal security audit and Drupal penetration testing.
Commenting on this in 2018, researcher Troy Mursch said,
Drupal sites are still vulnerable, including websites of a large television network, a mass media and entertainment conglomerate and two well-known computer hardware manufacturers.
What is Drupal Security Audit?
A Drupal Security Audit is a process in which an authorized individual/group tries to identify various security vulnerabilities & loopholes present in a system or a website. It includes – code inspections of the core, plugins & modules; configuration checks, business logic error checks, and more.
In a nutshell, a Drupal Security Audit identifies and enlists security loopholes present in your web system that runs the risk of exploitation.
What is Drupal Penetration Testing?
A Drupal Penetration Test is a step further into the Drupal security audit. In a Drupal Penetration Test, an individual/group tries to actively exploit the vulnerabilities (identified in the audit) emulating a hacker. This is to estimate the damage that each vulnerability can cause, if or when exploited. A penetration test also helps in weeding out false positives, that might have been flagged in the earlier step – Drupal Security Audit.
Why do you need Drupal Security Audit & Penetration Testing?
According to Drupal’s hacking stats, Drupal sites are vulnerable to attacks such as XSS, DoS, Code Execution, SQL Injection, HTTP Response Splitting, and various others.
Another study by Verizon shows that 43% of all data breaches target small and medium-sized businesses.
SMBs (Small & Medium Businesses) are a hacker’s paradise for they are usually vulnerable to sophisticated hacks. Plus, they do not attract much limelight.
Nevertheless, securing a website is not impossible.
A strategic investment in security solutions and measures can make your website impenetrable. One such proven ways remain – Drupal Security Audit & Pentesting. Finding vulnerabilities and then patching them can save a lot of your time and resources which would have otherwise been used in cleaning up a hack.
Is your website powered by Drupal hacked? Clean my website now![
How to carry-out a Drupal Penetration Test?
To conduct a Drupal penetration test or Drupal security audit, certain tools are used. Manually downloading and install each tool may become cumbersome. So, it is advisable to use Kali Linux for this purpose. As this operating system comes loaded with most of the tools. Kali Linux can also be run on a windows machine using virtual box.
sc name=”health-check”] Now that our Drupal security audit and Drupal Penetration testing environment is ready, let us begin!
Before we begin with Drupal penetration testing, it is important to conduct a Drupal security audit first. So, the information gathered during a security audit can help us determine the attack points for penetration testing.
DroopeScan is a tool built using python for specifically finding vulnerabilities in sites using Drupal. To scan your site using this tool:
- Firstly, download it by visiting this link.
- Thereafter, install it using this guide.
- Now open the terminal on your system and type:
droopescan scan drupal -u example.org
Replace example.org with the name of your website and you are good to go!
Another great tool for the Drupal security audit is Nikto. This tool is designed for scanning web server vulnerabilities. However, it is very noisy and may generate many false positives. So, turn off the firewall before using Nikto. These false positives can be later on weeded out during the Drupal penetration testing.
To scan your web server using this tool, open up the terminal in Kali Linux and type:
nikto -h www.example.org
Replace example.org with your website name. For more help, type:
After the injection points have been detected on the website during a Drupal security audit, it is now time for Drupal penetration testing. Here we will attempt to break into the website.
One of the best tools to pentest the database of a website is Sqlmap. Using this tool, we can not only enumerate the databases of your Drupal site but also obtain a reverse shell.
To see the databases of a vulnerable Drupal site, open the terminal in Kali Linux and type the following command:
sqlmap -h "example.com?param1=a" --random-agent --dbs --batch
Here, replace example.com with your website and param1 with the vulnerable parameter. If the website is vulnerable, it will show all the databases. Similarly, any of the Drupal modules or plugins can be pentested for any SQL injection bugs.
For more help, type:
Commix is a tool that can check if your Drupal website is vulnerable to command injections. Therefore, it is a handy tool for Drupal penetration testing. This tool can exploit vulnerable parameters found during the Drupal security audit and upload reverse shells. It can also be used to find OS command injection bugs in Drupal core, modules, plugins, etc. Various examples of commix usage are given here.
For more help, open the terminal and type:
Another most common vulnerability found in the popular CMSes is cross-site scripting vulnerability. To pentest your Drupal modules, plugins, etc for XSS bugs, use the tool Xsser. Moreover, this tool comes with a GUI interface, making it easy for beginners.
To use the graphical interface, open the terminal of your Kali Linux and type:
Thereafter, an interface like this will open. Use it to exploit XSS bugs in your Drupal site.
For more help check out the official documentation.
Professional Drupal Penetration Testing by Astra
By now, it may be clear that Drupal security audit and pen-testing is not an easy task, especially for beginners. Even experienced users may find it cumbersome.
So how to tackle this? The answer is – hire an expert to do the job. Astra Security offers professional Drupal Security audit & Penetration Testing tailored for your website. Our Vulnerability Assessment & Penetration Testing (VAPT) program is done by security experts with the right mix of automated tools and human intelligence. This Drupal security audit finds key vulnerabilities like:
- Configuration and Deployment Misconfiguration.
- Drupal Core, Plugins & Theme Specific Vulnerabilities.
- Broken or Improper Authentication.
- Identifying Technical & Business Logic Vulnerabilities.
and many more in your system!
Get started today!
Don’t forget to download our Comprehensive Drupal Security Checklist developed by our security experts