Drupal Penetration Testing

We search for critical security vulnerabilities in your Drupal application and write a pentest report with technical details and suggested solutions.

Our experts conduct thorough penetration tests to detect and fix potential security vulnerabilities in your Drupal system. Through targeted analyses and realistic attack simulations, we improve the resilience of your websites against cyber threats.


Why is a Drupal penetration test worth it?

Drupal is a popular modular content management system that many companies use for various purposes. Accordingly, interesting data can be found in the database of a Drupal application. The same applies to solutions based on Drupal, such as "Drupal Commerce". In these applications, an attacker will find not only personal data (PII) but also financial data (credit card data). This is an attractive target for attackers.

Our tip: Ask yourself what happens if your Drupal application is hacked and data is stolen.

If the answer is rather unpleasant, you may want to contact us. We have extensive experience with Drupal applications - both in development and in the area of security. A web application penetration test with a heavy focus on Drupal might be a great idea!

What is a Drupal pentest?

A Drupal pentest is a manual penetration test. In a Drupal whitebox pentest, a human reviews the relevant source code of the application line by line for security vulnerabilities. The alternative is a Drupal blackbox test, in which vulnerabilities are searched for without access to the source code. The result in both cases is a report with a management part and a technical part; the latter can be used to close the security gaps found.

What is a Drupal vulnerability scan, and how does it differ from a Drupal pentest?

There are various Drupal scanners on the market that do a rather poor job of searching for vulnerabilities and weak settings; what they produce is more of an inventory. Things that most Drupal scanners check are, for example:

  • Is an outdated Drupal version installed?
  • Can an attacker enumerate the login names?
  • Are outdated plugins/themes installed that may have known security vulnerabilities?
  • Can anyone register?
  • Is SSL/TLS configured correctly?
  • Is the web server basically set up correctly (directory listing, dot files, ...)?

Although this information is interesting and important, it is only ever a superficial analysis. A penetration test goes much deeper: parameters are checked individually and the application is searched for a wide range of security gaps (see the OWASP Top 10).


"Drupal is becoming increasingly important. We see it more and more frequently within networks."

Damian Strobel - Founder of DSecured

Drupal is a popular CMS - but it is also a popular target for attackers. A pentest can protect you!

How much does a Drupal penetration test cost?

As is so often the case: it depends. Drupal applications can become relatively large. Large agencies are able to build incredibly complex applications with a high proportion of custom code. This should of course be checked as part of a penetration test. The same applies to the theme, the infrastructure and its settings. There are many cost factors: time, size, complexity, reporting. The article "Pentest costs" provides general information on this. A Drupal pentest starts at 2,500 USD; there is no upper limit. Before we make an offer, we take a look at how your Drupal app is structured and whether a pentest is really worthwhile from our point of view.

An alternative: Drupal Hardening

If the budget is small or the need for protection is not so high, it may be wise to look into Drupal hardening, i.e. securing the Drupal installation itself. First, a normal vulnerability scan is carried out to identify problem areas. These are then corrected where it makes sense. After that, you can consider how to harden the system further against attacks. We are happy to help with this. This service is cheaper than a penetration test.


Drupal security: What vulnerabilities do we often see?

In the area of configuration problems, we very often see an unfavorable combination of directory listing and accessible dot files. Especially with somewhat more professional Drupal agencies that also take over the hosting, we regularly gain access to the entire source code in the course of a Drupal blackbox pentest. This quickly turns the blackbox test into a whitebox test. To be honest, it is easier to take the whitebox approach from the start and look at the server content via SSH/SFTP, rather than wasting time here.

Classic security vulnerabilities such as cross-site scripting and SQL injection are most often found in modules developed specifically for the Drupal site. Deserialization problems and RCE are somewhat less common, as the kind of code that enables them is rare in Drupal applications. IDORs are also rather rare, since Drupal applications are usually well protected against them when best practices are followed. Finally, Drupal is PHP software: in principle, anything can happen.
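The two vulnerability classes named above usually enter a site through custom module code. The following controller is an added illustration written for this page, not code from DSecured or from any Drupal project: it places a vulnerable listing method next to its hardened counterpart. The module name `dsec_demo`, the table `dsec_notes` and its columns `author`/`title` are assumptions; the Drupal APIs used (`\Drupal::database()`, the `select()` query builder, `Markup::create()`, `#plain_text`, the `item_list` theme) are real Drupal 8+ APIs.

```php
<?php

// Added example (not from the original page): a custom Drupal module
// controller with a vulnerable method and its hardened form side by side.
// Module name, table and column names are assumptions for illustration.

namespace Drupal\dsec_demo\Controller;

use Drupal\Core\Controller\ControllerBase;
use Drupal\Core\Render\Markup;
use Symfony\Component\HttpFoundation\Request;

class NotesController extends ControllerBase {

  /**
   * VULNERABLE: the request parameter is interpolated straight into the
   * SQL string, so a quote character in ?author= changes the structure of
   * the query (SQL injection). Drupal's database layer cannot protect a
   * query that is already assembled as one string.
   */
  public function listVulnerable(Request $request) {
    $author = $request->query->get('author', '');

    $titles = \Drupal::database()
      ->query("SELECT title FROM {dsec_notes} WHERE author = '$author'")
      ->fetchCol();

    // VULNERABLE: Markup::create() declares the string "already safe" and
    // bypasses all output escaping, so HTML stored in a title (for example
    // by the injection above) is rendered as-is in the visitor's browser (XSS).
    return [
      '#markup' => Markup::create(implode('<br>', $titles)),
    ];
  }

  /**
   * HARDENED: the query builder binds the value as a placeholder, keeping
   * data out of the SQL grammar, and '#plain_text' HTML-escapes each title
   * when the render array is rendered. (In a real module the connection
   * would be injected via create() rather than fetched from \Drupal.)
   */
  public function listHardened(Request $request) {
    $author = (string) $request->query->get('author', '');

    $titles = \Drupal::database()
      ->select('dsec_notes', 'n')
      ->fields('n', ['title'])
      ->condition('n.author', $author)   // bound as a placeholder
      ->execute()
      ->fetchCol();

    $items = [];
    foreach ($titles as $title) {
      // '#plain_text' is escaped on render; '#markup' would only be passed
      // through Xss::filterAdmin(), which is not meant for untrusted input.
      $items[] = ['#plain_text' => $title];
    }

    return [
      '#theme' => 'item_list',
      '#items' => $items,
    ];
  }

}
```

In a source review these are exactly the patterns to grep for in custom modules: string interpolation or concatenation inside `query()`/`db_query()` calls, and `Markup::create()`, `#markup` or Twig's `|raw` applied to values that originate from requests, the database or third-party APIs.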

With this type of application, especially when agencies are responsible (and outsource internally to various freelancers), we also often see problems with known passwords. Users/logins can be enumerated, their default password can be found in some credential dump, and one can then log in as a freelancer (who is often an admin). Old backups that were never deleted can also be found relatively often if you are creative. DSecured has special scanners that search for such things in context.

Some companies we have been able to help

  • Grab
  • PayPal
  • BMW
  • Goldman Sachs
  • Starbucks
  • ATT
  • TikTok
  • Hilton