Known Drupal Vulnerabilities and OWASP’s Top10
andresriancho
May 18, 2016
Prepared this talk for the Buenos Aires Drupal meetup
Transcript
Slide: SQL injection in a Spring JdbcTemplate query. The "group" request parameter is appended directly to the SQL text.

```java
import java.sql.ResultSet;
import java.sql.SQLException;
import org.springframework.jdbc.core.JdbcTemplate;
import org.springframework.jdbc.core.RowMapper;

// The request parameter becomes part of the SQL statement itself.
String query = "select * from customers where group = ";
query += request.getParameter("group");

RowMapper<Customer> rowMapper = new RowMapper<Customer>() {
    @Override
    public Customer mapRow(ResultSet rs, int rowNum) throws SQLException {
        return new Customer(rs.getLong("id"),
                            rs.getString("first_name"),
                            rs.getString("group"));
    }
};

jdbcTemplate.query(query, new Object[] {}, rowMapper);
```

Expected request: http://host.tld/customers?group=12

Slide: the same handler, with a malicious parameter.

```java
String query = "select * from customers where group = ";
query += request.getParameter("group");
jdbcTemplate.query(query, new Object[] {}, rowMapper);
```

Malicious request: http://host.tld/query?group=1 OR 1=1

Resulting SQL: SELECT * FROM customers where group=1 OR 1=1
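The slides show the vulnerable Java, but not the fix. The following is an added example written for this page (not from the talk) in Python with the standard library's sqlite3 module, so it runs offline; the table contents are constructed sample data. It reproduces the slide's string concatenation, shows the same `1 OR 1=1` payload returning every customer, and then shows the parameterized form, where the payload either travels as an opaque value that matches nothing or is rejected outright by type validation. The column is written as "group" in quotes because group is a reserved word in SQL.

```python
import sqlite3

# Constructed sample data for the example: the "customers" table the slides query.
_SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, first_name TEXT, "group" INTEGER);
INSERT INTO customers VALUES (1, 'Ana', 12), (2, 'Bruno', 12),
                             (3, 'Carla', 7), (4, 'Diego', 3);
"""


def _connect():
    conn = sqlite3.connect(":memory:")
    conn.executescript(_SCHEMA)
    return conn


def customers_vulnerable(group_param):
    """Mirrors the slide: the request parameter is concatenated into the SQL text."""
    conn = _connect()
    query = 'select * from customers where "group" = ' + group_param
    return [row[1] for row in conn.execute(query)]


def customers_bound_raw(group_param):
    """Parameterized query only: the value is bound, never parsed as SQL.

    A payload such as '1 OR 1=1' is compared as a single value against the
    integer column and matches no row, instead of rewriting the WHERE clause.
    """
    conn = _connect()
    query = 'select * from customers where "group" = ?'
    return [row[1] for row in conn.execute(query, (group_param,))]


def customers_parameterized(group_param):
    """Parameterized query plus input validation: reject anything that is not an integer."""
    try:
        group = int(group_param)
    except ValueError:
        raise ValueError("group must be an integer") from None
    conn = _connect()
    query = 'select * from customers where "group" = ?'
    return [row[1] for row in conn.execute(query, (group,))]


if __name__ == "__main__":
    print(customers_vulnerable("12"))          # the two customers in group 12
    print(customers_vulnerable("1 OR 1=1"))    # every customer: the clause was rewritten
    print(customers_bound_raw("1 OR 1=1"))     # []: the payload is just a value
    print(customers_parameterized("12"))       # the two customers in group 12
```

Binding alone is what stops the injection; the integer check on top of it is defence in depth and also produces a clean error for malformed input instead of a database error that may leak schema details.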
Slide: a stored XSS payload rendered inside a comments page.

```html
<html>
  <h1>Comments</h1>
  <h3>Hello!</h3>
  <p><script>alert("Controlled by the attacker")</script></p>
</html>
```
Slide: reflected XSS in a Spring controller. The name parameter is formatted straight into the HTML response.

Request: /hello?name=<script>alert('xss')</script>

Response: <p>Hi <script>alert('xss')</script></p>

```java
@RequestMapping("/hello")
@ResponseBody
protected String handleHello(HttpServletRequest request) {
    String name = request.getParameter("name");
    return String.format("<p>Hi %s</p>", name);
}
```

Slide: the fix, HTML-escaping the parameter before it reaches the response.

Request: /hello?name=<script>alert('xss')</script>

Response body: <p>Hi &lt;script&gt;alert(&#39;xss&#39;)&lt;/script&gt;</p>

Rendered in the browser as text: Hi <script>alert('xss')</script>

```java
import org.springframework.web.util.HtmlUtils;

@RequestMapping("/hello")
@ResponseBody
protected String handleHello(HttpServletRequest request) {
    String name = request.getParameter("name");
    return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name));
}
```
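To make the effect of output encoding concrete, here is an added example for this page (not code from the talk) in Python. It reproduces the two handler variants with `html.escape` standing in for Spring's HtmlUtils.htmlEscape, then runs both responses through the standard library's HTML parser to list the elements a browser would create. The vulnerable response contains a new script element; the escaped one contains only the paragraph, because the payload has become text. The payload string is the one on the slide.

```python
import html
from html.parser import HTMLParser

# The payload from the slide.
PAYLOAD = "<script>alert('xss')</script>"


def handle_hello_vulnerable(name):
    """Mirrors the slide: untrusted input formatted straight into HTML."""
    return "<p>Hi %s</p>" % name


def handle_hello_escaped(name):
    """Hardened: escape for the HTML element-content context.

    quote=True also escapes ' and ", so the same output is safe inside a
    quoted attribute value; it is still not safe inside <script> or a URL,
    which need their own encoders.
    """
    return "<p>Hi %s</p>" % html.escape(name, quote=True)


class _TagCollector(HTMLParser):
    """Collects the start tags the parser encounters."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)


def element_tags(document):
    """Return the element names a browser-like parser sees in the document."""
    collector = _TagCollector()
    collector.feed(document)
    collector.close()
    return collector.tags


if __name__ == "__main__":
    print(element_tags(handle_hello_vulnerable(PAYLOAD)))  # ['p', 'script']
    print(element_tags(handle_hello_escaped(PAYLOAD)))     # ['p']
    print(handle_hello_escaped(PAYLOAD))
```

The parser check is a useful unit test to keep around: assert that a response built from attacker-controlled input never contains more elements than the template itself.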
Slide: cross-site request forgery. An image tag on an attacker's page makes the victim's browser send an authenticated request to the bank.

```html
<img src="http://home-banking.com/transfer?dst=1234&amount=3">
```
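The slide shows the forged request but not the server-side defence. The following is an added example for this page (not from the talk) in Python: a synchronizer-token check. It parses the image URL from the slide into the GET request the victim's browser would send, shows that request being rejected, and shows a legitimate POST carrying the per-session token being accepted. The Session class, the /transfer handler and the form markup are constructed for the example.

```python
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

# The forged request from the slide.
FORGED_IMG_SRC = "http://home-banking.com/transfer?dst=1234&amount=3"


class Session:
    """Server-side session holding a random per-session synchronizer token."""

    def __init__(self):
        self.csrf_token = secrets.token_urlsafe(32)


def render_transfer_form(session):
    """The legitimate form embeds the token; an attacker's page cannot read it."""
    return (
        '<form method="POST" action="/transfer">'
        f'<input type="hidden" name="csrf_token" value="{session.csrf_token}">'
        '<input name="dst"><input name="amount"><button>Transfer</button></form>'
    )


def handle_transfer(session, method, params):
    """Returns (status, message) for a transfer request."""
    if method != "POST":
        # A state change must never be reachable through GET, which is what
        # <img src=...> sends. This alone is not enough: an attacker can
        # auto-submit a cross-site POST form, so the token check below is
        # the real defence.
        return 405, "state-changing action must use POST"
    supplied = params.get("csrf_token", "")
    # Constant-time comparison so the token cannot be guessed byte by byte.
    if not hmac.compare_digest(supplied.encode(), session.csrf_token.encode()):
        return 403, "missing or invalid CSRF token"
    return 200, f"transferred {params['amount']} to {params['dst']}"


def request_from_img_src(src):
    """Model the request a browser makes for an <img src>: GET, cookies attached, no token."""
    parts = urlsplit(src)
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return "GET", parts.path, params


if __name__ == "__main__":
    session = Session()
    method, path, params = request_from_img_src(FORGED_IMG_SRC)
    print(handle_transfer(session, method, params))          # (405, ...)
    print(handle_transfer(session, "POST", params))          # (403, ...): no token
    legit = {**params, "csrf_token": session.csrf_token}
    print(handle_transfer(session, "POST", legit))           # (200, 'transferred 3 to 1234')
```

The token works because the same-origin policy stops the attacker's page from reading the form that contains it; the browser still attaches the victim's cookies to the forged request, which is why the cookie alone cannot be the proof of intent.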
Slide: the access-control check every state-changing action should start with.

```python
if not has_authorization(user, action, object):
    raise AuthorizationException(user, action, object)
action(user, object)
```
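The slide gives the shape of the check; this added example for this page (not code from the talk) fills in a has_authorization that is deny-by-default and checks two things the OWASP list treats separately: whether the user's role may call the function at all (missing function-level access control), and whether the user may act on this particular object (insecure direct object reference). The users, posts, roles and permission table are constructed for the example.

```python
from dataclasses import dataclass


class AuthorizationException(Exception):
    def __init__(self, user, action, obj):
        super().__init__(f"{user.name} may not {action.__name__} {obj!r}")


@dataclass
class User:
    name: str
    role: str


@dataclass
class Post:
    id: int
    owner: str
    body: str


# Deny by default: any (role, action) pair not listed here is forbidden,
# including roles that do not appear at all.
ROLE_PERMISSIONS = {
    "admin": {"edit_post", "delete_post"},
    "author": {"edit_post"},
}


def has_authorization(user, action, obj):
    """Function-level check first, then object-level ownership check."""
    allowed = ROLE_PERMISSIONS.get(user.role, set())
    if action.__name__ not in allowed:
        return False
    # Being allowed to edit posts in general does not mean being allowed to
    # edit this post: non-admins must own the object they act on.
    if user.role != "admin" and getattr(obj, "owner", None) != user.name:
        return False
    return True


def perform(user, action, obj):
    """The slide's pattern: check, raise, then run the action."""
    if not has_authorization(user, action, obj):
        raise AuthorizationException(user, action, obj)
    return action(user, obj)


def edit_post(user, post):
    post.body = f"edited by {user.name}"
    return post


def delete_post(user, post):
    return f"post {post.id} deleted by {user.name}"


if __name__ == "__main__":
    alice = User("alice", "author")
    bob = User("bob", "author")
    root = User("root", "admin")
    post = Post(1, "alice", "hello")
    print(perform(alice, edit_post, post).body)   # edited by alice
    try:
        perform(bob, edit_post, post)             # bob is an author, but not the owner
    except AuthorizationException as exc:
        print(exc)
    print(perform(root, delete_post, post))       # post 1 deleted by root
```

Keeping the check in one place (perform) rather than inside each action is what makes it auditable: a new action that is never routed through perform is visibly missing its check, and a role that is not in the table gets nothing.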