Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Known Drupal Vulnerabilities and OWASP’s Top10
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
andresriancho
May 18, 2016
Technology
0
260
Known Drupal Vulnerabilities and OWASP’s Top10
Prepared this talk for the Buenos Aires Drupal meetup
andresriancho
May 18, 2016
Tweet
Share
More Decks by andresriancho
See All by andresriancho
Step by step AWS Cloud Hacking
andresriancho
0
630
Step by step AWS Cloud Hacking
andresriancho
2
2.9k
Internet-Scale analysis of AWS Cognito Security
andresriancho
1
12k
Threat Modelling
andresriancho
0
1.5k
Automated Security Analysis AWS Clouds
andresriancho
1
3.3k
Injecting into URLs / Breaking URL-Encoding
andresriancho
0
260
Galería de Fallos en Unicornios
andresriancho
1
250
Esoteric Web Application Vulnerabilities
andresriancho
0
1.1k
String Compare Timing Attacks
andresriancho
0
630
Other Decks in Technology
See All in Technology
AIエージェントを開発しよう!-AgentCore活用の勘所-
yukiogawa
0
180
SRE Enabling戦記 - 急成長する組織にSREを浸透させる戦いの歴史
markie1009
0
150
20260208_第66回 コンピュータビジョン勉強会
keiichiito1978
0
190
OWASP Top 10:2025 リリースと 少しの日本語化にまつわる裏話
okdt
PRO
3
830
【Ubie】AIを活用した広告アセット「爆速」生成事例 | AI_Ops_Community_Vol.2
yoshiki_0316
1
110
Contract One Engineering Unit 紹介資料
sansan33
PRO
0
13k
What happened to RubyGems and what can we learn?
mikemcquaid
0
310
AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest
jonnojun
1
220
SREが向き合う大規模リアーキテクチャ 〜信頼性とアジリティの両立〜
zepprix
0
470
【Oracle Cloud ウェビナー】[Oracle AI Database + AWS] Oracle Database@AWSで広がるクラウドの新たな選択肢とAI時代のデータ戦略
oracle4engineer
PRO
2
180
2026年、サーバーレスの現在地 -「制約と戦う技術」から「当たり前の実行基盤」へ- /serverless2026
slsops
2
260
ブロックテーマでサイトをリニューアルした話 / 2026-01-31 Kansai WordPress Meetup
torounit
0
480
Featured
See All Featured
Done Done
chrislema
186
16k
Producing Creativity
orderedlist
PRO
348
40k
Collaborative Software Design: How to facilitate domain modelling decisions
baasie
0
140
Art, The Web, and Tiny UX
lynnandtonic
304
21k
How GitHub (no longer) Works
holman
316
140k
Code Review Best Practice
trishagee
74
20k
Sam Torres - BigQuery for SEOs
techseoconnect
PRO
0
190
The Straight Up "How To Draw Better" Workshop
denniskardys
239
140k
A better future with KSS
kneath
240
18k
ラッコキーワード サービス紹介資料
rakko
1
2.3M
Optimizing for Happiness
mojombo
379
71k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
tammyeverts
11
830
Transcript
None
▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪ ▪
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
None
None
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪
None
None
None
▪ ▪ ▪ ▪ ▪ ▪
▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪
String query = "select * from customers where group =
"; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12
String query = "select * from customers where group =
" query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
None
None
▪ ▪
▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪
▪ ▪ ▪
<html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>
None
/hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String
name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }
/hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert("xss")</script></p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected
String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
None
▪ ▪ ▪
▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>
None
None
▪ •
▪
None
▪ ▪
None
▪ ▪
▪ …
▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,
object) action(user, object)
None
▪ ▪ ▪ ▪
None
None
SiteGround - Reliable hosting with speed, security, and support you can count on.
andresriancho
yukiogawa
markie1009
keiichiito1978
okdt
yoshiki_0316
sansan33
mikemcquaid
jonnojun
zepprix
oracle4engineer
slsops
torounit
chrislema
orderedlist
baasie
lynnandtonic
holman
trishagee
techseoconnect
denniskardys
kneath
rakko
mojombo
tammyeverts
