| | |  | Computer Forensics | Home » » » Cracking Drupal: A Drop in the Bucket | | | | | | | Description: | | The first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing Drupal is an open source framework and content management system that allows users to create and organize content, customize presentation, automate tasks, and manage site visitors and contributors. Authored by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing. The main goal of this guide is to explain how to write code that avoids an attack in the Drupal environment, while also addressing how to proceed if vulnerability has been spotted and then regain control of security. | | | Product Details: | | | Author:
| Greg Knaddison | | Paperback:
| 240 pages | | Publisher:
| Wiley | | Publication Date:
| May 11, 2009 | | Language:
| English | | ISBN:
| 0470429038 | | Product Length:
| 9.18 inches | | Product Width:
| 7.42 inches | | Product Height:
| 0.54 inches | | Product Weight:
| 0.77 pounds | | Package Length:
| 9.2 inches | | Package Width:
| 7.3 inches | | Package Height:
| 0.6 inches | | Package Weight:
| 0.8 pounds | | Average Customer Rating:
|  based on 13 reviews |
| | | | Used and New: | | | |
| All | |
| $7.85 | Used
- VeryGood | | | $7.90 | Used
- Good | | | $7.98 | Used
- Good | | | $7.98 | Used
- VeryGood | | | $12.43 This item is eligible for FREE Super Saver Shipping on orders over $25. | Used
- Good | | | $12.43 This item is eligible for FREE Super Saver Shipping on orders over $25. | Used
- Good | | | $12.77 | Used
- Good | | | $12.96 | Used
- Good | | | $12.98 | Used
- Good | | | $13.31 | Used
- VeryGood | | | $13.48 | Used
- Mint | | | $13.48 | Used
- Mint | | | $13.49 | Used
- VeryGood | | | $14.99 | New | | | $19.00 | Used
- Mint | | | $19.97 | Used
- Mint | | | $20.21 | Used
- Mint | | | $20.35 | New | | | $20.35 | Used
- Mint | | | $21.93 | Used
- Mint | | | $22.00 | Used
- Mint | | | $22.00 | Used
- Mint | | | $22.07 | Used
- Good | | | $22.39 This item is eligible for FREE Super Saver Shipping on orders over $25. | New | | | $22.39 | New | | | $23.69 | New | | | $23.82 | Used
- Mint | | | $23.82 | New | | | $26.05 | Used
- Mint | | | $26.24 | New | | | $26.25 | New | | | $26.97 | New | | | $27.40 | New | | | $27.40 | Used
- Mint | | | $27.41 | New | | | $27.75 | New | | | $28.00 | Used
- Mint | | | $29.59 | New | | | $30.83 | New | | | $31.80 | New | | | $32.19 | New | | | $32.31 | New | | | $32.46 | New | | | $33.54 | New | | | $34.12 | New | | | $34.66 | Used
- Mint | | | $34.68 | New | | | $35.42 | New | | | $35.99 | New | | | $39.25 | Used
- VeryGood | | | $50.39 | New | | | $52.35 | Used
- Mint | | | $58.38 | New | | | $58.69 | New | | | $66.25 | New | | | $400.00 | Used
- Good | |
| New | |
| $14.99 | New | | | $20.35 | New | | | $22.39 This item is eligible for FREE Super Saver Shipping on orders over $25. | New | | | $22.39 | New | | | $23.69 | New | | | $23.82 | New | | | $26.24 | New | | | $26.25 | New | | | $26.97 | New | | | $27.40 | New | | | $27.41 | New | | | $27.75 | New | | | $29.59 | New | | | $30.83 | New | | | $31.80 | New | | | $32.19 | New | | | $32.31 | New | | | $32.46 | New | | | $33.54 | New | | | $34.12 | New | | | $34.68 | New | | | $35.42 | New | | | $35.99 | New | | | $50.39 | New | | | $58.38 | New | | | $58.69 | New | | | $66.25 | New | |
| Used | |
| $7.85 | Used
- VeryGood | | | $7.90 | Used
- Good | | | $7.98 | Used
- Good | | | $7.98 | Used
- VeryGood | | | $12.43 This item is eligible for FREE Super Saver Shipping on orders over $25. | Used
- Good | | | $12.43 This item is eligible for FREE Super Saver Shipping on orders over $25. | Used
- Good | | | $12.77 | Used
- Good | | | $12.96 | Used
- Good | | | $12.98 | Used
- Good | | | $13.31 | Used
- VeryGood | | | $13.48 | Used
- Mint | | | $13.48 | Used
- Mint | | | $13.49 | Used
- VeryGood | | | $19.00 | Used
- Mint | | | $19.97 | Used
- Mint | | | $20.21 | Used
- Mint | | | $20.35 | Used
- Mint | | | $21.93 | Used
- Mint | | | $22.00 | Used
- Mint | | | $22.00 | Used
- Mint | | | $22.07 | Used
- Good | | | $23.82 | Used
- Mint | | | $26.05 | Used
- Mint | | | $27.40 | Used
- Mint | | | $28.00 | Used
- Mint | | | $34.66 | Used
- Mint | | | $39.25 | Used
- VeryGood | | | $52.35 | Used
- Mint | | | $400.00 | Used
- Good | |
| | | | Customer Reviews: | |
Average Customer Review:
 ( 13 customer reviews )
Write an online review and share your thoughts with other customers.
Most Helpful Customer Reviews
17 of 18 found the following review helpful:
 Site Hacked? Read Cracking Drupal!Jul 27, 2009
By Aaron Winborn
"AaronWinborn.com"
Cracking Drupal: A Drop in the Bucket was everything I'd hoped it would be, and more.
I know that's a cliche, but when I first learned about Greg Knaddison's book (greggles in Drupal-land), I'd assumed it would be aimed primarily at Drupal contributed module developers. By the time I finished the excellent book about Drupal security, I realized it was an essential read for anyone connected with developing, theming, or maintaining a Drupal site.
I had been anticipating the release of Knaddison's book for months, as I've been a fan of his for some time, due in part to his active and helpful role in Drupal's forums, and to his work with the Security Team. After reading the book, I feel more secure than ever using Drupal, as its well-documented API and best practices ensure that any module maintainer adhering to them will produce rock-solid code. At the same time, it quite visibly demonstrates the importance of an active community to ensure the modules and themes we use do just that.
Let's look in more detail at the book.
Part One, "Anatomy of Vulnerabilities", offers an extensive overview of the predominate routes of attack that may be taken against a site. It's split logically into two chapters by vulnerabilities possible with Drupal or its contributed modules and themes, and by potential weaknesses introduced by a poorly configured or poorly maintained server environment.
The first two chapters, "That Horrible Sinking Feeling" and "Security Principles and Vulnerabilities outside Drupal", jump right into outlining the more commong things that could expose your site to attack. By beginning with this acopolyptic message. Greg grabs the reader's attention and embues a sense of dread and hopelessness. Fortuntely, he doesn't leave us hanging, and immediately shows us in the next part, "Protecting against Vulnerabilities", relatively easy configurations and optional modules that can buttress our sites with defenses against some of the more common lines of attack, such as tools to subscribe a site for security updates, enforcing strong passwords and reducing the risks of persistant sessions.
Chapter 4, "Drupal's User and Permissions System", begins the section most exciting to me as a developer, by describing the API and hooks offered by Drupal to help create more secure code. It offers, for example, and in-depth examination of the famous t() function, showing its dual nature as an aid to translation and internationalization, and (when used properly) as an easy method to automatically filter user input from XSS attacks. Then, as the title implies, the bulk of that chapter offers an in-depth overview of the user and permission system, and how the menu system hooks into it.
Chapter 5, "Dangerous Input, Cleaning Output", begins with an exciting foray into the database API for Drupal. It covers safely using the database functionality for Drupal 6 and earlier, and the new, improved, and evermore secure system we can look forward to for Drupal 7. It then meanders into sanitizing output, and applying lessons learned to form building.
We learn in Chapter 6 about best practices for developers who work at the theme level (or themers), beginning with an overview of Drupal's theming system and PHPTemplate. The overview is particularly valuable, as Greg poinjts out that many people who work at the theme level do not necessarily come from a PHP background, so have another hurdle to overcome in ensuring a secure site. Fortunately, as he reiterates, it's hard to go wrong as long as we stick to the established standards. For module developers, he cautions the need to maintain a clear seperation of code from form, keeping template files as clean as possible.
Next on the plate is the Node Access system, thoroughly described in Chapter 7. My first exploration of this initially baffling framework was the concise, though somewhat cryptic, summary in Pro Drupal Developer (an excellent book, by the way, and another essential in any Drupal developer's library). Greg offers more of a leisurely walkthrough, which would have saved me hours of frustration when I first was learning that system.
The final chapter of that section, "Automated Security Testing", explores some currently available modules that should be in the bag of tricks for not only module developers, but anyone deploying a site. He describes how they can be used to test both the modules in use, and a site's custom theme, where many of the vulnerabilities in the wild can be found.
Which brings us, finally, to Part Three, "Weaknesses in the Wild". Chapter 9 offers real world examples of vulnerabilities, showing how to find not only weaknesses in contributed modules using nothing more than a search on your local cvs repository checkout, but also weaknesses in the wild, using nothing more than a Google search. Scared yet? You should be. But before you think, "Maybe Drupal's too insecure for me to use, if you can find weaknesses so easily," just remember that every contributing developer to Drupal is interested in creating and maintaining secure code, and at the very least, we can ensure our own sites will be ahead of the game if we do nothing more than keep them updated to the most secure releases as they become available.
Now for your Homework...
Your homework, if you're interested in putting your knowledge to a test, is to complete a full security audit on a 'Vulnerable' module (a dubious companion to the book), and Knaddison offers his own answers in Chapter 10, "Un-Cracking Drupal". I found this fun exercise to be informative, and it is helping me work through my own code to check for vulnerabilities.
The appendices are useful in their own right. The first appendix examines several useful core functions, explaining specifically how they help maintain security through proper usage. Greg offers useful examples of how to properly use each. The next appendix demonstrates how to create a clean (and secure!) Drupal installation. The final appendix introduces readers to the active Drupal Security Team, and to several useful resources outside the Drupal community, in the larger world of Internet security.
If you've read this far without purchasing the book yet, then get on it! You need Cracking Drupal: A Drop in the Bucket by Greg Knaddison. Your sites will be happy for it.
12 of 13 found the following review helpful:
More than meets the eye!May 03, 2009
By Doug Vann
"dougvann"
Whoa!
This book does not seek to alarm you as much as it seeks to inform you.
The problem is not that Drupal is not secure. What Gregg shows is that its up to the admin to make sure that all of the security features are used properly to ensure a secure site. By showing what hackers might do the reader is informed on how to make sure that those attacks would not cause damage to their sites.
In a word, this book is PRACTICAL. And for a second word I would add ESSENTIAL.
This book is causing a lot of conversation in the Drupal community. We're all glad that it has become an easy to read, one-stop-shop to get the facts on security.
8 of 9 found the following review helpful:
Don' take your site live without this bookMay 11, 2009
By Cary Gordon
In this wonderfully concise and well written book, Greg Knaddison has managed to cover both the theory and practice of securing your Drupal site as well as your users against the myriad dangers of the internet. As professional Drupal site developers, we pay close attention to security. It is great that we can now have so many userful resources together in one place.
3 of 3 found the following review helpful:
Concise and illuminatingDec 29, 2009
By John De Mott
Within 24 hours of reading this book I found and patched a XSS attack on my site at work. It's well written, to the point, and informative. The author goes above and beyond explaining Drupal exploits and shows you how to track them down in the wild using the Drupal CVS repository. Most helpful is knowing how to properly use Drupal's built in security measures that take much of the weight of developing secure code off your shoulders.
3 of 3 found the following review helpful:
 A definate must for Drupal SitesDec 24, 2009
By Mary K. Maguire
"mkmagu"
I'm still in the process of reading this book but have found it very helpful in making my Drupal sites more secure. The only thing I'm disappointed in is some of the modules recommended are still in Development state which means they are not ready for production sites. I know the development of a module is not in the author's control but one would think that when writing a book you would look at modules that site owner can use now. This book does tell what to look at when choosing module so that you know your site is more secure. Over all I'm glad I made the purchase and do recommend it if you have a drupal site.
See all 13 customer reviews on Amazon.com
| | |
|
