Start reading Cracking Drupal: A Drop in the Bucket on your Kindle in under a minute. Don't have a Kindle? Get your Kindle here or start reading now with a free Kindle Reading App.

Deliver to your Kindle or other device


Try it free

Sample the beginning of this book for free

Deliver to your Kindle or other device

Sorry, this item is not available in
Image not available for
Image not available

Cracking Drupal: A Drop in the Bucket [Kindle Edition]

Greg Knaddison

Kindle Price: £25.91 includes VAT* & free wireless delivery via Amazon Whispernet
* Unlike print books, digital books are subject to VAT.

Free Kindle Reading App Anybody can read Kindle books—even without a Kindle device—with the FREE Kindle app for smartphones, tablets and computers.

To get the free app, enter your e-mail address or mobile phone number.


Amazon Price New from Used from
Kindle Edition £25.91  
Paperback --  
Kindle Daily Deal
Kindle Daily Deal: Up to 70% off
Each day we unveil a new book deal at a specially discounted price--for that day only. Learn more about the Kindle Daily Deal or sign up for the Kindle Daily Deal Newsletter to receive free e-mail notifications about each day's deal.

Book Description

The first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing Drupal is an open source framework and content management system that allows users to create and organize content, customize presentation, automate tasks, and manage site visitors and contributors. Authored by a Drupal expert, this is the first book to reveal the vulnerabilities and security issues that exist in the sites that have been built with Drupal?and how to prevent them from continuing. The main goal of this guide is to explain how to write code that avoids an attack in the Drupal environment, while also addressing how to proceed if vulnerability has been spotted and then regain control of security.

Product Description

From the Back Cover

Uncover threats and protect your Drupal® site with proven strategies

What is the worst–case scenario if your Web site gets attacked and the security is broken? By following the strategies in this guide, you don′t have to find out. It first walks you through the vulnerabilities you′ll face and the steps you should take to protect a basic Drupal site. You′ll then discover how to review a module to find weaknesses and fix them. And you′ll learn how to keep your site running securely by implementing more advanced techniques.

Take control of your site by learning how to:

  • Prevent the common ways that Drupal gets cracked
  • Uncover parts of the attack surface that can expose your site

  • Install extra modules and configure Drupal to maintain your site′s security

  • Control the security of your site using Drupal′s API

  • Utilize the Drupal Access system to limit who can see specific content

  • Test your site with automated scanners like Grendel

  • Follow strategies to find, exploit, and avoid vulnerabilities

  • Leverage resources from the Drupal Security Team

For all the code in this book, as well as all the latest updates, visit the Web site

About the Author

Greg James Knaddison is Principal of Growing Venture Solutions and a dedicated Drupalista. As a member of the Drupal security team, Knaddison has participated in every part of the process including identifying vulnerabilities, creating fixes, testing fixes, and writing security documentation and advisories. He has also contributed modules and publishes the news site

Product details

  • Format: Kindle Edition
  • File Size: 3039 KB
  • Print Length: 242 pages
  • Page Numbers Source ISBN: 0470429038
  • Publisher: Wiley; 1 edition (4 Mar. 2011)
  • Sold by: Amazon Media EU S.à r.l.
  • Language: English
  • ASIN: B004RD85CQ
  • Text-to-Speech: Enabled
  • X-Ray:
  • Word Wise: Not Enabled
  • Amazon Bestsellers Rank: #692,156 Paid in Kindle Store (See Top 100 Paid in Kindle Store)
  •  Would you like to give feedback on images?

More About the Author

Discover books, learn about writers, and more.

Customer Reviews

There are no customer reviews yet on
5 star
4 star
3 star
2 star
1 star
Most Helpful Customer Reviews on (beta) 4.5 out of 5 stars  15 reviews
18 of 19 people found the following review helpful
5.0 out of 5 stars Site Hacked? Read Cracking Drupal! 27 July 2009
By Aaron Winborn - Published on
Format:Paperback|Verified Purchase
Cracking Drupal: A Drop in the Bucket was everything I'd hoped it would be, and more.

I know that's a cliche, but when I first learned about Greg Knaddison's book (greggles in Drupal-land), I'd assumed it would be aimed primarily at Drupal contributed module developers. By the time I finished the excellent book about Drupal security, I realized it was an essential read for anyone connected with developing, theming, or maintaining a Drupal site.

I had been anticipating the release of Knaddison's book for months, as I've been a fan of his for some time, due in part to his active and helpful role in Drupal's forums, and to his work with the Security Team. After reading the book, I feel more secure than ever using Drupal, as its well-documented API and best practices ensure that any module maintainer adhering to them will produce rock-solid code. At the same time, it quite visibly demonstrates the importance of an active community to ensure the modules and themes we use do just that.

Let's look in more detail at the book.

Part One, "Anatomy of Vulnerabilities", offers an extensive overview of the predominate routes of attack that may be taken against a site. It's split logically into two chapters by vulnerabilities possible with Drupal or its contributed modules and themes, and by potential weaknesses introduced by a poorly configured or poorly maintained server environment.

The first two chapters, "That Horrible Sinking Feeling" and "Security Principles and Vulnerabilities outside Drupal", jump right into outlining the more commong things that could expose your site to attack. By beginning with this acopolyptic message. Greg grabs the reader's attention and embues a sense of dread and hopelessness. Fortuntely, he doesn't leave us hanging, and immediately shows us in the next part, "Protecting against Vulnerabilities", relatively easy configurations and optional modules that can buttress our sites with defenses against some of the more common lines of attack, such as tools to subscribe a site for security updates, enforcing strong passwords and reducing the risks of persistant sessions.

Chapter 4, "Drupal's User and Permissions System", begins the section most exciting to me as a developer, by describing the API and hooks offered by Drupal to help create more secure code. It offers, for example, and in-depth examination of the famous t() function, showing its dual nature as an aid to translation and internationalization, and (when used properly) as an easy method to automatically filter user input from XSS attacks. Then, as the title implies, the bulk of that chapter offers an in-depth overview of the user and permission system, and how the menu system hooks into it.

Chapter 5, "Dangerous Input, Cleaning Output", begins with an exciting foray into the database API for Drupal. It covers safely using the database functionality for Drupal 6 and earlier, and the new, improved, and evermore secure system we can look forward to for Drupal 7. It then meanders into sanitizing output, and applying lessons learned to form building.

We learn in Chapter 6 about best practices for developers who work at the theme level (or themers), beginning with an overview of Drupal's theming system and PHPTemplate. The overview is particularly valuable, as Greg poinjts out that many people who work at the theme level do not necessarily come from a PHP background, so have another hurdle to overcome in ensuring a secure site. Fortunately, as he reiterates, it's hard to go wrong as long as we stick to the established standards. For module developers, he cautions the need to maintain a clear seperation of code from form, keeping template files as clean as possible.

Next on the plate is the Node Access system, thoroughly described in Chapter 7. My first exploration of this initially baffling framework was the concise, though somewhat cryptic, summary in Pro Drupal Developer (an excellent book, by the way, and another essential in any Drupal developer's library). Greg offers more of a leisurely walkthrough, which would have saved me hours of frustration when I first was learning that system.

The final chapter of that section, "Automated Security Testing", explores some currently available modules that should be in the bag of tricks for not only module developers, but anyone deploying a site. He describes how they can be used to test both the modules in use, and a site's custom theme, where many of the vulnerabilities in the wild can be found.

Which brings us, finally, to Part Three, "Weaknesses in the Wild". Chapter 9 offers real world examples of vulnerabilities, showing how to find not only weaknesses in contributed modules using nothing more than a search on your local cvs repository checkout, but also weaknesses in the wild, using nothing more than a Google search. Scared yet? You should be. But before you think, "Maybe Drupal's too insecure for me to use, if you can find weaknesses so easily," just remember that every contributing developer to Drupal is interested in creating and maintaining secure code, and at the very least, we can ensure our own sites will be ahead of the game if we do nothing more than keep them updated to the most secure releases as they become available.

Now for your Homework...

Your homework, if you're interested in putting your knowledge to a test, is to complete a full security audit on a 'Vulnerable' module (a dubious companion to the book), and Knaddison offers his own answers in Chapter 10, "Un-Cracking Drupal". I found this fun exercise to be informative, and it is helping me work through my own code to check for vulnerabilities.

The appendices are useful in their own right. The first appendix examines several useful core functions, explaining specifically how they help maintain security through proper usage. Greg offers useful examples of how to properly use each. The next appendix demonstrates how to create a clean (and secure!) Drupal installation. The final appendix introduces readers to the active Drupal Security Team, and to several useful resources outside the Drupal community, in the larger world of Internet security.

If you've read this far without purchasing the book yet, then get on it! You need Cracking Drupal: A Drop in the Bucket by Greg Knaddison. Your sites will be happy for it.
13 of 14 people found the following review helpful
5.0 out of 5 stars More than meets the eye! 3 May 2009
By Doug Vann - Published on
This book does not seek to alarm you as much as it seeks to inform you.
The problem is not that Drupal is not secure. What Gregg shows is that its up to the admin to make sure that all of the security features are used properly to ensure a secure site. By showing what hackers might do the reader is informed on how to make sure that those attacks would not cause damage to their sites.
In a word, this book is PRACTICAL. And for a second word I would add ESSENTIAL.
This book is causing a lot of conversation in the Drupal community. We're all glad that it has become an easy to read, one-stop-shop to get the facts on security.
10 of 11 people found the following review helpful
5.0 out of 5 stars Don' take your site live without this book 11 May 2009
By Cary Gordon - Published on
In this wonderfully concise and well written book, Greg Knaddison has managed to cover both the theory and practice of securing your Drupal site as well as your users against the myriad dangers of the internet. As professional Drupal site developers, we pay close attention to security. It is great that we can now have so many userful resources together in one place.
4 of 4 people found the following review helpful
5.0 out of 5 stars Concise and illuminating 29 Dec. 2009
By John De Mott - Published on
Format:Paperback|Verified Purchase
Within 24 hours of reading this book I found and patched a XSS attack on my site at work. It's well written, to the point, and informative. The author goes above and beyond explaining Drupal exploits and shows you how to track them down in the wild using the Drupal CVS repository. Most helpful is knowing how to properly use Drupal's built in security measures that take much of the weight of developing secure code off your shoulders.
3 of 3 people found the following review helpful
4.0 out of 5 stars A definate must for Drupal Sites 24 Dec. 2009
By Amazon Customer - Published on
Format:Paperback|Verified Purchase
I'm still in the process of reading this book but have found it very helpful in making my Drupal sites more secure. The only thing I'm disappointed in is some of the modules recommended are still in Development state which means they are not ready for production sites. I know the development of a module is not in the author's control but one would think that when writing a book you would look at modules that site owner can use now. This book does tell what to look at when choosing module so that you know your site is more secure. Over all I'm glad I made the purchase and do recommend it if you have a drupal site.
Were these reviews helpful?   Let us know

Customer Discussions

This product's forum
Discussion Replies Latest Post
No discussions yet

Ask questions, Share opinions, Gain insight
Start a new discussion
First post:
Prompts for sign-in

Search Customer Discussions
Search all Amazon discussions

Look for similar items by category