This posts looks at two common cyber-attack methods, SQL Injection and Cross-Site Scripting (XSS) and explains how Drupal 9 builds on existing Drupal security controls to protect your organisation.

CMS build convenience comes with security risks

Building an internet presence for your organisation has never been so easy, with specialist services from developers and ISPs that allow customers to deploy sites as soon as their content is ready; no coding or expensive developer outsourcing required. There’s also management tools available that make ongoing maintenance easier than ever before. However, this level of simplicity and abstraction away from building the infrastructure means you don’t have control over important aspects of running any digital service, especially security and privacy protection where you still maintain accountability should you suffer a data breach.

It is possible to choose an established and trusted development framework with robust security controls built in, if you select Drupal as the basis for your content management system (CMS). The team at Drupal has prioritised security as a core capability. The open source platform has a global team of security experts continually analysing the codebase for vulnerabilities. Beyond that, the Drupal security team creates security advisories that it publishes to the Drupal user community to explain issues and offer advice to developers on ways to mitigate potential security risks.

Web security vulnerabilities

Choosing Drupal doesn’t mean your website is automatically secure. After deploying an out-of-the-box Drupal installation, you first need to configure several security controls to ensure your organisation is protected.
Our earlier post listed several important Drupal security controls. However, we are now going to go into more detail about how Drupal protects against two common attack methods.

Cross-site scripting

XSS cyber attack type

Cross-site scripting (XSS) attacks occur when malicious scripts are injected into otherwise benign and trusted websites.

Older Drupal versions were not as robust and resilient to XSS cyber-attacks as Drupal 9. Even as far back as Drupal 7, the CMS had some inbuilt protections against XSS attacks. The failing back in Drupal 7 was that it made it easier for an inexperienced site administrator or developer to introduce XSS vulnerabilities. Templates were at risk, as they were always based on PHP, where developers don’t always follow secure coding practices. This introduces vulnerabilities by not sanitising user input.

Many of the concerns from older versions of Drupal are now fixed in Drupal 9, especially with the introduction of Twig templating. Twig allows site security administrators to separate the business logic of their site from the presentation layer. This is an important step in preventing user interface (UI) developers from making security mistakes in the core Drupal security model. By adding layers of protection between the Drupal UI and the foundational APIs that control access to data, it prevents mistakes in their code from affecting the fundamental integrity of the site.

The Drupal Support Team here at Catalyst IT can integrate deeper API capability into the Drupal UI using Twig extensions and filters. We follow secure coding practices and establish appropriate filtering rules inside custom modules. Further scrutiny by the Development Team can introduce Twig auto-escaping. This manages input strings that don’t meet certain security rules. They become what is called escaped, which changes their ability to cause harm if they contain embedded exploitation code.

Explore Catalyst IT Services for Drupal

SQL injection

SQL injection

SQL Injection is a common and highly effective technique used by attackers targeting websites. Also known as SQLI, it uses malicious SQL code for backend database manipulation to access information that was not intended to be displayed.

Drupal uses a clever method of protecting against SQL Injection by removing the database from direct access through what’s called an abstraction layer. Protection is particularly important when you use the Drupal database API, as any database queries sent directly to the API with improper formatting can pass database commands through the protection mechanisms and allow an attacker to corrupt, access or take over the database. This level of scrutiny over your site’s security model is where Catalyst IT experts can assist in protecting against competent attackers that specialise in SQL Injection attacks. Our team knows how to leverage a variety of supporting countermeasures against SQL Injection attacks to bolster your defences.

Upgrade to Drupal 9

Drupal 9 introduces several new and extended security features that add layers of protection to CMS users. This includes useful protections in themes, to protect against XSS attacks and SQL Injection.  It also has a variety of other extensions to its core, to protect against attacks such as Cross-Site Request Forgery (CSRF).

Catalyst IT support to build Drupal CMS security

Drupal Partner Badge - Premium Supporting Partner

No CMS is ever fully secure, that is an impossible goal. However, expert Drupal support can help you to avoid the mistakes that introduce vulnerabilities.

The Catalyst IT Team use the latest version of Drupal to build your security model, based on your business requirements. We ensure you are protected across the entire Drupal deployment architecture, from hosting services and CMS installation, through to integration with third party services, such as a learning management systems like Moodle. During our analysis of your business, we will focus on the security challenges of implementing your business workflows, following the best advice and guidelines from the Drupal security team, as well as following best practice for deploying authentication services and encryption.


Catalyst IT uses the Open Wen Application Security Protect (known as OWASP) Framework for all our Drupal 9 deployments and any code we write aligns to OWASP’s secure coding practices; installed modules are thoroughly tested and secured prior to including in your deployment.  All integration code that interfaces with the API follows SQL Injection protection guidelines. This protection means your integration with other business services, such as with your authentication services and platforms like an LMS, HR system or office solution is protected.

Find out more

Catalyst IT’s approach to Drupal deployments includes protection against a number of attack patterns, including XSS and SQL Injection attacks. We will work with your IT Team and Security Team to understand what controls are needed and how they should be configured to meet your unique set of needs. Get in touch today.

Contact Catalyst IT Today