Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Known Drupal Vulnerabilities and OWASP’s Top10
Search
Sponsored
·
Your Podcast. Everywhere. Effortlessly.
Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
→
andresriancho
May 18, 2016
Technology
0
260
Known Drupal Vulnerabilities and OWASP’s Top10
Prepared this talk for the Buenos Aires Drupal meetup
andresriancho
May 18, 2016
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
0
630
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
13k
Threat Modelling
andresriancho
0
1.6k
Automated Security Analysis AWS Clouds
andresriancho
1
3.3k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
270
Galería de Fallos en Unicornios
andresriancho
1
250
Esoteric Web Application Vulnerabilities
andresriancho
0
1.1k
String Compare Timing Attacks
andresriancho
0
640
Other Decks in Technology
See All in Technology
類似画像検索モデルの開発ノウハウ
lycorptech_jp
PRO
5
1.1k
マルチロールEMが実践する「組織のレジリエンス」を高めるための組織構造と人材配置戦略
coconala_engineer
3
710
[JAWSDAYS2026]Who is responsible for IAM
mizukibbb
0
390
Kubernetesにおける推論基盤
ry
1
300
IBM Bobを使って、PostgreSQLのToDoアプリをDb2へ変換してみよう/202603_Dojo_Bob
mayumihirano
1
300
JAWSDAYS2026_A-6_現場SEが語る 回せるセキュリティ運用~設計で可視化、AIで加速する「楽に回る」運用設計のコツ~
shoki_hata
0
3k
脳内メモリ、思ったより揮発性だった
koutorino
0
130
[JAWS DAYS 2026]私の AWS DevOps Agent 推しポイント
furuton
0
140
SRE NEXT 2026 CfP レビュアーが語る聞きたくなるプロポーザルとは?
yutakawasaki0911
0
230
白金鉱業Meetup_Vol.22_Orbital Senseを支える衛星画像のマルチモーダルエンベディングと地理空間のあいまい検索技術
brainpadpr
2
290
Google系サービスで文字起こしから勝手にカレンダーを埋めるエージェントを作った話
risatube
0
130
JAWS DAYS 2026 楽しく学ぼう!ストレージ 入門
yoshiki0705
2
140
Featured
See All Featured
WENDY [Excerpt]
tessaabrams
9
36k
Efficient Content Optimization with Google Search Console & Apps Script
katarinadahlin
PRO
1
390
Producing Creativity
orderedlist
PRO
348
40k
Designing Experiences People Love
moore
143
24k
Rails Girls Zürich Keynote
gr2m
96
14k
RailsConf 2023
tenderlove
30
1.4k
Pawsitive SEO: Lessons from My Dog (and Many Mistakes) on Thriving as a Consultant in the Age of AI
davidcarrasco
0
82
A designer walks into a library…
pauljervisheath
210
24k
Building Applications with DynamoDB
mza
96
7k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
128
55k
AI: The stuff that nobody shows you
jnunemaker
PRO
3
370
The Spectacular Lies of Maps
axbom
PRO
1
610
Transcript
None
▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪ ▪
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
None
None
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪
None
None
None
▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
String query = "select * from customers where group =
"; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12
String query = "select * from customers where group =
" query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
None
None
▪ ▪
▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪
▪ ▪ ▪
<html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>
None
/hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String
name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }
/hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert("xss")</script></p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected
String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
None
▪ ▪ ▪
▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>
None
None
▪ •
▪
None
▪ ▪
None
▪ ▪
▪ …
▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,
object) action(user, object)
None
▪ ▪ ▪ ▪
None
None
andresriancho
lycorptech_jp
coconala_engineer
mizukibbb
ry
mayumihirano
shoki_hata
koutorino
furuton
yutakawasaki0911
brainpadpr
risatube
yoshiki0705
tessaabrams
katarinadahlin
orderedlist
moore
gr2m
tenderlove
davidcarrasco
pauljervisheath
mza
aki_iinuma
jnunemaker
axbom
