Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Known Drupal Vulnerabilities and OWASP’s Top10
Search
andresriancho
May 18, 2016
Technology
270
0
Share
Known Drupal Vulnerabilities and OWASP’s Top10
Prepared this talk for the Buenos Aires Drupal meetup
andresriancho
May 18, 2016
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
0
640
Step by step AWS Cloud Hacking
andresriancho
2
3k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
13k
Threat Modelling
andresriancho
0
1.6k
Automated Security Analysis AWS Clouds
andresriancho
1
3.4k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
270
Galería de Fallos en Unicornios
andresriancho
1
260
Esoteric Web Application Vulnerabilities
andresriancho
0
1.2k
String Compare Timing Attacks
andresriancho
0
660
Other Decks in Technology
See All in Technology
大規模災害時でも高い信頼性を維持するアプリケーション基盤の実現/nikkei-tech-talk46
nikkei_engineer_recruiting
0
120
イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス
syobochim
7
980
権限管理設計を完全に理解した
rsugi
2
240
Oracle AI Database@Azure:サービス概要のご紹介
oracle4engineer
PRO
6
1.8k
AI駆動開発でなんでもハンズオン環境をつくってみた
yoshimi0227
0
180
APIテストとは?
nagix
0
160
Anthropic AIネイティブ・スタートアップ構築のプレイブック を理解する
nagatsu
0
230
速さだけじゃない! VoidZero ツールが移行先に選ばれる理由
mizdra
PRO
6
700
Diagnosing performance problems without the guesswork
elenatanasoiu
0
130
TROCCOで始めるクラウドコストを民主化するためのFinOps
tk3fftk
2
490
Dynamic Workersについて
yusukebe
2
520
Generative UI × A2UI で AI エージェントを作った話 AI-DLC も使ってみた!
kmiya84377
1
290
Featured
See All Featured
Java REST API Framework Comparison - PWX 2021
mraible
34
9.3k
Highjacked: Video Game Concept Design
rkendrick25
PRO
1
370
JAMstack: Web Apps at Ludicrous Speed - All Things Open 2022
reverentgeek
1
460
Why You Should Never Use an ORM
jnunemaker
PRO
61
9.9k
Prompt Engineering for Job Search
mfonobong
0
320
Docker and Python
trallard
47
3.9k
The Cost Of JavaScript in 2023
addyosmani
55
10k
Amusing Abliteration
ianozsvald
1
190
How to audit for AI Accessibility on your Front & Back End
davetheseo
0
390
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
38
2.9k
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
1.1k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Transcript
None
▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪ ▪
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
None
None
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪
None
None
None
▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
String query = "select * from customers where group =
"; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12
String query = "select * from customers where group =
" query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
None
None
▪ ▪
▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪
▪ ▪ ▪
<html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>
None
/hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String
name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }
/hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert("xss")</script></p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected
String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
None
▪ ▪ ▪
▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>
None
None
▪ •
▪
None
▪ ▪
None
▪ ▪
▪ …
▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,
object) action(user, object)
None
▪ ▪ ▪ ▪
None
None
andresriancho
nikkei_engineer_recruiting
syobochim
rsugi
oracle4engineer
yoshimi0227
nagix
nagatsu
mizdra
elenatanasoiu
tk3fftk
yusukebe
kmiya84377
mraible
rkendrick25
reverentgeek
jnunemaker
mfonobong
trallard
addyosmani
ianozsvald
davetheseo
eileencodes
aleyda
keithpitt
