Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Known Drupal Vulnerabilities and OWASP’s Top10

Avatar for andresriancho andresriancho
May 18, 2016
Technology
0
240

Known Drupal Vulnerabilities and OWASP’s Top10

Prepared this talk for the Buenos Aires Drupal meetup
Avatar for andresriancho

andresriancho

May 18, 2016
Tweet

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
0
610
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
Avatar for andresriancho andresriancho
1
12k
Threat Modelling
Avatar for andresriancho andresriancho
0
1.3k
Automated Security Analysis AWS Clouds
Avatar for andresriancho andresriancho
1
3.2k
Injecting into URLs / Breaking URL-Encoding
Avatar for andresriancho andresriancho
0
240
Galería de Fallos en Unicornios
Avatar for andresriancho andresriancho
1
220
Esoteric Web Application Vulnerabilities
Avatar for andresriancho andresriancho
0
1k
String Compare Timing Attacks
Avatar for andresriancho andresriancho
0
570

Other Decks in Technology

See All in Technology
20250623 Findy Lunch LT Brown
Avatar for Brown 3150
0
850
Uniadex__公開版_20250617-AIxIoTビジネス共創ラボ_ツナガルチカラ_.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
160
Observability infrastructure behind the trillion-messages scale Kafka platform
Avatar for LINEヤフーTech (LY Corporation Tech) lycorptech_jp
PRO
0
140
AIのAIによるAIのための出力評価と改善
Avatar for たまねぎ chocoyama
2
540
_第3回__AIxIoTビジネス共創ラボ紹介資料_20250617.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
150
2年でここまで成長!AWSで育てたAI Slack botの軌跡
Avatar for iwamot iwamot
PRO
4
670
GeminiとNotebookLMによる金融実務の業務革新
Avatar for abenben abenben
0
220
AIエージェント最前線! Amazon Bedrock、Amazon Q、そしてMCPを使いこなそう
Avatar for みのるん minorun365
PRO
13
4.9k
GitHub Copilot の概要
Avatar for tomokusaba tomokusaba
1
130
Кто отправит outbox? Валентин Удальцов, автор канала Пых
Avatar for Lamoda Tech lamodatech
0
330
VISITS_AIIoTビジネス共創ラボ登壇資料.pdf
Avatar for AIxIoTビジネス共創ラボ iotcomjpadmin
0
160
AWS Summit Japan 2025 Community Stage - App workflow automation by AWS Step Functions
Avatar for matsuihidetoshi matsuihidetoshi
1
250

Featured

See All Featured
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
660
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
71
4.9k
[RailsConf 2023] Rails as a piece of cake
Avatar for Vladimir Dementyev palkan
55
5.6k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
53
2.8k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
8
670
Writing Fast Ruby
Avatar for Erik Berlin sferik
628
61k
Scaling GitHub
Avatar for Zach Holman holman
459
140k
The MySQL Ecosystem @ GitHub 2015
Avatar for Sam Lambert samlambert
251
13k
Keith and Marios Guide to Fast Websites
Avatar for Keith Pitt keithpitt
411
22k
The Illustrated Children's Guide to Kubernetes
Avatar for Chris Short chrisshort
48
50k
4 Signs Your Business is Dying
Avatar for Josh Pigford shpigford
184
22k

Transcript

  1. None

  2. ▪ ▪ ▪ ▪ ▪ ▪

  3. ▪ ▪ ▪ ▪

  4. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  5. None
  6. None

  7. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  8. ▪ ▪ ▪

  9. None
  10. None
  11. None

  12. ▪ ▪ ▪ ▪ ▪ ▪

  13. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  14. String query = "select * from customers where group =

    "; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12

  15. String query = "select * from customers where group =

    " query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
  16. None
  17. None

  18. ▪ ▪

  19. ▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪

  20. ▪ ▪ ▪

  21. <html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>

  22. None

  23. /hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String

    name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }

  24. /hello?name=<script>alert(‘xss’)</script> <p>Hi &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected

    String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
  25. None

  26. ▪ ▪ ▪

  27. ▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>

  28. None
  29. None

  30. ▪ •

  32. None

  33. ▪ ▪

  34. None

  35. ▪ ▪

  36. ▪ …

  37. ▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,

    object) action(user, object)
  38. None

  39. ▪ ▪ ▪ ▪

  40. None
  41. None