Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Known Drupal Vulnerabilities and OWASP’s Top10

Avatar for andresriancho andresriancho
May 18, 2016
Technology
0
250

Known Drupal Vulnerabilities and OWASP’s Top10

Prepared this talk for the Buenos Aires Drupal meetup

Avatar for andresriancho

andresriancho

May 18, 2016
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
0
620
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
Avatar for andresriancho andresriancho
1
12k
Threat Modelling
Avatar for andresriancho andresriancho
0
1.5k
Automated Security Analysis AWS Clouds
Avatar for andresriancho andresriancho
1
3.3k
Injecting into URLs / Breaking URL-Encoding
Avatar for andresriancho andresriancho
0
250
Galería de Fallos en Unicornios
Avatar for andresriancho andresriancho
1
240
Esoteric Web Application Vulnerabilities
Avatar for andresriancho andresriancho
0
1.1k
String Compare Timing Attacks
Avatar for andresriancho andresriancho
0
610

Other Decks in Technology

See All in Technology
LINEスキマニ/LINEバイトにおけるバックエンド開発
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
300
今、MySQLのバックアップを作り直すとしたら何がどう良いのかを考える旅
Avatar for yoku0825 yoku0825
2
440
re:Invent2025 事前勉強会 歴史と愉しみ方10分LT編
Avatar for T.Atsumi toshi_atsumi
0
150
AI × クラウドで シイタケの収穫時期を判定してみた
Avatar for Lamaglama39 lamaglama39
1
360
Flutterで実装する実践的な攻撃対策とセキュリティ向上
Avatar for FujiKinaga fujikinaga
2
460
ZOZOTOWNカート決済リプレイス ── モジュラモノリスという過渡期戦略
Avatar for ZOZO Developers zozotech
PRO
0
450
Amazon ECS デプロイツール ecspresso の開発を支える「正しい抽象化」の探求 / YAPC::Fukuoka 2025
Avatar for FUJIWARA Shunichiro fujiwara3
13
3.9k
AI時代の戦略的アーキテクチャ 〜Adaptable AI をアーキテクチャで実現する〜 / Enabling Adaptable AI Through Strategic Architecture
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
6
1.7k
ソフトウェア開発現代史: 55%が変化に備えていない現実 ─ AI支援型開発時代のReboot Japan #agilejapan
Avatar for Hiroyuki TAKAHASHI takabow
7
4.4k
アジャイル社内普及ご近所さんマップを作ろう / Let's create an agile neighborhood map
Avatar for Satoshi Harada psj59129
1
130
2ヶ月で新規事業のシステムを0から立ち上げるスタートアップの舞台裏
Avatar for Shoma Okamoto shmokmt
0
220
新しい風。SolidFlutterで実現するシンプルな状態管理
Avatar for ZOZO Developers zozotech
PRO
0
110

Featured

See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
118
20k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
Leading Effective Engineering Teams in the AI Era
Avatar for Addy Osmani addyosmani
8
1.1k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k
Bash Introduction
Avatar for André Augusto Costa Santos 62gerente
615
210k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
36
6.1k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
10
670
Save Time (by Creating Custom Rails Generators)
Avatar for Garrett Dimon garrettdimon
PRO
32
1.8k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
303
21k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
Avatar for Chris Coyier chriscoyier
508
140k
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
355
21k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k

Transcript

  1. None

  2. ▪ ▪ ▪ ▪ ▪ ▪

  3. ▪ ▪ ▪ ▪

  4. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  5. None
  6. None

  7. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  8. ▪ ▪ ▪

  9. None
  10. None
  11. None

  12. ▪ ▪ ▪ ▪ ▪ ▪

  13. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  14. String query = "select * from customers where group =

    "; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12

  15. String query = "select * from customers where group =

    " query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
  16. None
  17. None

  18. ▪ ▪

  19. ▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪

  20. ▪ ▪ ▪

  21. <html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>

  22. None

  23. /hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String

    name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }

  24. /hello?name=<script>alert(‘xss’)</script> <p>Hi &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected

    String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
  25. None

  26. ▪ ▪ ▪

  27. ▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>

  28. None
  29. None

  30. ▪ •

  32. None

  33. ▪ ▪

  34. None

  35. ▪ ▪

  36. ▪ …

  37. ▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,

    object) action(user, object)
  38. None

  39. ▪ ▪ ▪ ▪

  40. None
  41. None