Experience Express in Alicante: Analytics, Security, and Horizons at DrupalCamp Spain

Atop the Castle of Saint Barbara in Alicante, time sometimes seems to slow down, and words that once held grand meaning seem inadequate. I had a similar feeling both during and on the heels of DrupalCamp Spain, organized by the Spanish Drupal Association and held this year at Las Cigarreras cultural center in a seaside city that is one of the crown jewels of not only the Valencian Community but also of Spain.

The Spanish Drupal community welcomed Acquia with open arms, broad smiles, and mistela in ample supply. At the same time, local communities around Europe are witnessing a surge in activity in preparation for Drupal Europe, the volunteer-led event to be held in Darmstadt in September, and the enthusiasm was palpable throughout the event.

Like the feeling of suspended time at the summit of Alicante's beautiful castle, there were instances at Las Cigarreras where things seemed to come to a halt, where the clock slowed to zero, and true nuance could be found in the most contemplative of moments on stage. This time on the Experience Express, we pause in Alicante to take stock of some of the key moments here in view of the gentle waves of the Mediterranean.

An agnostic future for Drupal content

My featured keynote on Saturday morning, "La próxima década de Drupal" (English: "Drupal's next decade"), inspected some of the issues facing Drupal in the years ahead as digital experiences continue diversifying in the face of accelerating innovation. First, I undertook a breezy summary of content experiences and how new demands are stretching the meaning of the word "content" itself.

In a world where websites are no longer the only digital presence for organizations, how do we prepare? I advocated an approach in which organizations focus on crafting a channel-agnostic content strategy that also succeeds in centralizing content within a single source of truth. With the help of Drupal's API-first initiative and evolving understandings of content strategy, I made a case for why the history of Drupal has only just begun. Check out the slides (in Spanish) for more!

Improving your website with analytics

Laura Bonmatí (previously CEO of Blabup) presented a compelling introduction to Google Analytics and how web analytics in general can improve any organization's website. First, Laura started with a discussion of how knowledge is increasingly hybridized in today's industry, with marketing professionals and front-end developers both needing web analytics expertise to know our users better.

After introducing the audience to Google Analytics, Laura then discussed how the Google service collects and records data, particularly hits, which can be a pageview, transaction, or even a social media operation. According to Laura, Google Analytics also typically collects information such as a user's browser, operating system, and service provider in addition to other details such as screen resolution.

The most intriguing portion of the presentation came during Laura's discussion of best practices when it comes to making the most of Google Analytics. She recommends that Google Analytics users determine ahead of time what website elements they wish to track and that they adopt a naming convention for their categories, actions, and tags which is coherent and clear.

Afterwards, Laura featured Google Optimize, an easy tool to test different variations of your website and then tailor it to deliver your website according to insights gathered from testing. Check out Laura's presentation (in Spanish) for more!

Conducting autopsies on Drupal vulnerabilities

"Every anonymous user can be an attacker. (Todos los usuarios anónimos pueden ser atacantes.)" —Zequi Vázquez

Later in the morning, Zequi Vázquez (Developer at Lullabot), a self-described back-end developer focused on systems administration, DevOps, hacking, and security, embarked on a brisk and entertaining journey through the most important vulnerabilities that can afflict even the most prepared developer teams. Zequi wasted no time, kicking things off with a definition of the term vulnerability as an oversight or issue that could lead to changes in the behavior of a system, such as the introduction of new code and its execution.

Zequi covered each of the three vulnerabilities affecting Drupal in turn, covering in detail how to exploit them. Concerning the first vulnerability, reported in SA-CORE-2014-005 (patch released on October 15, 2014), Zequi described how the name attributes in form elements could contain either strings or arrays, which are sent via HTTP POST to the Drupal server.

Armed with Chrome Developer Tools (or any other browser debugger), an attacker could use this quirk in Drupal-rendered forms to introduce SQL queries into the user login form, for instance, within keys of arrays that weren't sanitized by the expandArguments() method in includes/database/database.inc. Below is an example that Zequi shared of two adjacent elements that would make this exploit possible:

The second vulnerability, reported in SA-CORE-2018-002 (patch released on March 28, 2018), also concerns form inputs, particularly in forms generated using render arrays (introduced in Drupal 7), whose keys are prefixed with #. In many forms, the value is stored alongside the key #value. In the user registration form, it's possible to trick Drupal by using the same technique as before — inserting arrays into certain form fields, including a reference to an executable file on the server, as seen in the sample payload below:

mail[a][#type] = 'markup'
mail[a][#post_render] = 'exec'
mail[a][#markup] = 'echo "Hola" | tee sites/default/files/hola.txt'

And in this case, we can trick Drupal into re-rendering the form through Ajax API, which triggers a post_render and allows for an attacker to execute arbitrary code on the server.

The third exploit discussed, reported in SA-CORE-2018-004 (patch released on April 25, 2018), is more complex still — and well beyond the scope of this blog post — but uses the Ajax API once more to allow an attacker to execute arbitrary code that has been placed on the server.

As a final note, Zequi noted what risks are present when developers haven't patched their sites in time — an unenviable scenario to find oneself in — and what to do next. Attackers can potentially extract the complete database, introduce cryptocurrency miners in the /tmp or /files directories, and infect unwitting users of the site. After an exploit, the most important steps to clean a compromised site are to eliminate any code that may be in the /files directory, ensure no code has been inserted into the database, and verify that no other PHP file has been modified by malicious code.

Ultimately, Zequi offered a fast-paced and uniquely enjoyable autopsy of recent critical vulnerabilities in Drupal, content he will repeat at Drupal Developer Days in Lisbon next week.

Long live JavaScript!

"So flexible that it's easy to shoot yourself in the foot. (Tan flexible que es fácil dispararse en un pie.)" —Ricardo Sanz

Later in the day, Ricardo Sanz (Drupal Developer at Metadrop) presented an amusingly named session with the title "Death to JavaScript! Long live JavaScript!" In his session, Ricardo explored the history behind JavaScript, including its development by Brendan Eich for Netscape in 1995, and why developers alternately love and hate the language that is all the rage in the web development industry today.

Ricardo shared several facts that may not be common knowledge among JavaScript developers entering the field today, namely that it was inspired by other languages like Scheme (functions as objects) and Self (prototypal inheritance) and that it was originally intended for use on the server as well. Perhaps fittingly for an audience full of open source practitioners, Ricardo referred to the period of popularity of JScript (a Microsoft dialect of JavaScript) as the "dark years" of JavaScript.

In the process of describing JavaScript's history, Ricardo also explained some of the reasons why developers more familiar with JavaScript's past might not be so endeared to the language, including the fact that it is difficult to understand at a highly idiomatic level due to its quirks and the mixture of programming paradigms that can prove challenging when it comes to application design and codebase on-boarding. However, Ricardo emphasizes that JavaScript is newly standardized thanks to Ecma, executable on the server, and is part of fulfilling the longstanding promise to "write once, publish everywhere."

Ricardo mentions that one way to maintain your access to key advantages of JavaScript, including the ability to write applications in a cross-platform fashion, is to make use of languages that transpile to JavaScript such as TypeScript, which in Ricardo's view is particularly well-suited for large projects, and Elm.

Most of all, Ricardo's final point was an appropriate bookend to his foray through JavaScript's history: "JavaScript is the assembler or bytecode of the web. (JavaScript es un ensamblador o bytecode de la web.)" I'm absolutely inclined to agree with his sentiment.


All in all, Acquia felt welcomed at DrupalCamp Spain, and we're excited to continue to work with the Spanish Drupal community to advance the Drupal project in Spain and in Europe. From useful information for those interested in analytics to insightful perspectives on Drupal security and JavaScript, DrupalCamp Spain in Alicante was a great experience in a wonderful city. We hope to be back for the next DrupalCamp Spain in Conil de la Frontera!

Next time on the Experience Express, we hop up to Utrecht in the Netherlands for a stop at Frontend United, where Dries Buytaert gave a thrilling keynote and yours truly delivered a talk about conversational design. I'll also see many of you next week in Lisbon for Drupal Developer Days! ¡Hasta la próxima and tot ziens!

Special thanks to Laura Bonmatí, Ricardo Sanz, Zequi Vázquez, and Alex Moreno for their feedback during the writing process.