Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Known Drupal Vulnerabilities and OWASP’s Top10

Avatar for andresriancho andresriancho
May 18, 2016
Technology
0
260

Known Drupal Vulnerabilities and OWASP’s Top10

Prepared this talk for the Buenos Aires Drupal meetup

Avatar for andresriancho

andresriancho

May 18, 2016
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
0
620
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
Avatar for andresriancho andresriancho
1
12k
Threat Modelling
Avatar for andresriancho andresriancho
0
1.5k
Automated Security Analysis AWS Clouds
Avatar for andresriancho andresriancho
1
3.3k
Injecting into URLs / Breaking URL-Encoding
Avatar for andresriancho andresriancho
0
260
Galería de Fallos en Unicornios
Avatar for andresriancho andresriancho
1
250
Esoteric Web Application Vulnerabilities
Avatar for andresriancho andresriancho
0
1.1k
String Compare Timing Attacks
Avatar for andresriancho andresriancho
0
620

Other Decks in Technology

See All in Technology
Claude Codeを使った情報整理術
Avatar for 西岡 賢一郎 (Kenichiro Nishioka) knishioka
15
11k
技術選定、下から見るか?横から見るか?
Avatar for モブエンジニア(Masaki Okuda) masakiokuda
0
170
AgentCore BrowserとClaude Codeスキルを活用した 『初手AI』を実現する業務自動化AIエージェント基盤
Avatar for Hirokatsu Endo ruzia
7
2.1k
投資戦略を量産せよ 2 - マケデコセミナー(2025/12/26)
Avatar for tomo gamella
0
540
まだ間に合う! Agentic AI on AWSの現在地をやさしく一挙おさらい
Avatar for みのるん minorun365
19
3.3k
20251219 OpenIDファウンデーション・ジャパン紹介 / OpenID Foundation Japan Intro
Avatar for OpenID Foundation Japan oidfj
0
590
LayerX QA Night#1
Avatar for koyaman2 koyaman2
0
290
Agentic AIが変革するAWSの開発・運用・セキュリティ ~Frontier Agentsを試してみた~ / Agentic AI transforms AWS development, operations, and security I tried Frontier Agents
Avatar for Yuji Oshima yuj1osm
0
160
Keynoteから見るAWSの頭の中
Avatar for NRI Netcom nrinetcom
PRO
1
140
TED_modeki_共創ラボ_20251203.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
170
Entity Framework Core におけるIN句クエリ最適化について
Avatar for tkym htkym
0
140
戰略轉變:從建構 AI 代理人到發展可擴展的技能生態系統
Avatar for Bo-Yi Wu appleboy
0
170

Featured

See All Featured
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
570
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.1k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
3k
Tips & Tricks on How to Get Your First Job In Tech
Avatar for Honza Javorek honzajavorek
0
400
Abbi's Birthday
Avatar for Violet Bock coloredviolet
0
4k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
359
30k
AI Search:
Where Are We & What Can We Do About It?
Avatar for Aleyda Solis aleyda
0
6.8k
Making Projects Easy
Avatar for Brett Harned brettharned
120
6.5k
A designer walks into a library…
Avatar for Paul Jervis Heath pauljervisheath
210
24k
Leo the Paperboy
Avatar for Maya Tellez mayatellez
0
1.3k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.3k
Measuring & Analyzing Core Web Vitals
Avatar for Philip Tellis bluesmoon
9
720

Transcript

  1. None

  2. ▪ ▪ ▪ ▪ ▪ ▪

  3. ▪ ▪ ▪ ▪

  4. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  5. None
  6. None

  7. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  8. ▪ ▪ ▪

  9. None
  10. None
  11. None

  12. ▪ ▪ ▪ ▪ ▪ ▪

  13. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  14. String query = "select * from customers where group =

    "; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12

  15. String query = "select * from customers where group =

    " query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
  16. None
  17. None

  18. ▪ ▪

  19. ▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪

  20. ▪ ▪ ▪

  21. <html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>

  22. None

  23. /hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String

    name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }

  24. /hello?name=<script>alert(‘xss’)</script> <p>Hi &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected

    String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
  25. None

  26. ▪ ▪ ▪

  27. ▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>

  28. None
  29. None

  30. ▪ •

  32. None

  33. ▪ ▪

  34. None

  35. ▪ ▪

  36. ▪ …

  37. ▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,

    object) action(user, object)
  38. None

  39. ▪ ▪ ▪ ▪

  40. None
  41. None