Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Known Drupal Vulnerabilities and OWASP’s Top10

Sponsored · SiteGround - Reliable hosting with speed, security, and support you can count on.
Avatar for andresriancho andresriancho
May 18, 2016
Technology
260
0

Known Drupal Vulnerabilities and OWASP’s Top10

Prepared this talk for the Buenos Aires Drupal meetup

Avatar for andresriancho

andresriancho

May 18, 2016

More Decks by andresriancho

See All by andresriancho
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
0
630
Step by step AWS Cloud Hacking
Avatar for andresriancho andresriancho
2
3k
Internet-Scale analysis of AWS Cognito Security
Avatar for andresriancho andresriancho
1
13k
Threat Modelling
Avatar for andresriancho andresriancho
0
1.6k
Automated Security Analysis AWS Clouds
Avatar for andresriancho andresriancho
1
3.4k
Injecting into URLs / Breaking URL-Encoding
Avatar for andresriancho andresriancho
0
270
Galería de Fallos en Unicornios
Avatar for andresriancho andresriancho
1
260
Esoteric Web Application Vulnerabilities
Avatar for andresriancho andresriancho
0
1.2k
String Compare Timing Attacks
Avatar for andresriancho andresriancho
0
650

Other Decks in Technology

See All in Technology
AI駆動開発で生産性を追いかけたら、行き着いたのは品質とシフトレフトだった
Avatar for Koichiro Matsuoka littlehands
0
490
鹿野さんに聞く!CSSの最新トレンド Ver.2026
Avatar for tonkotsuboy_com tonkotsuboy_com
6
2.9k
Gaussian Splattingの実用化 - 映像制作への展開
Avatar for GPU UNITE gpuunite_official
0
160
[Scram Fest Niigata2026]Quality as Code〜AIにQAの思考を再現させる試み〜
Avatar for Masami Yajiri masamiyajiri
1
310
ボトムアップ限界を越える - 20チームを束る "Drive Map" / Beyond Bottom-Up: A 'Drive Map' for 20 Teams
Avatar for 株式会社カオナビ kaonavi
0
190
いつの間にかデータエンジニア以外の業務も増えていたけど、意外と経験が役に立ってる
Avatar for ZOZO Developers zozotech
PRO
0
490
AI対話分析の夢と、汚いデータの現実 Looker / Dataplex / Dataform で実現する品質ファーストな基盤設計
Avatar for Yuta Ozaki waiwai2111
0
430
PdM・Eng・QAで進めるAI駆動開発の現在地/aidd-with-pdm-eng-qa
Avatar for butatamasoba / Shota Kusaba / 草場翔太 shota_kusaba
0
210
Purview Endpoint DLP 動かしてみた
Avatar for kozakigh kozakigh
0
360
AIと乗り切った1,500ページ超のヘルプサイト基盤刷新とさらにその先の話
Avatar for mugi / Hajime Mugishima mugi_uno
2
340
Databricks 月刊サービスアップデートまとめ 2026年04月号
Avatar for ちょし tyosi1212
0
110
【関西製造業祭り2026春】現場を変える技術はここまで来た〜世界最大の製造業見本市から持って帰ってきたもの〜
Avatar for 田中 聖也 tanakaseiya
0
130

Featured

See All Featured
Discover your Explorer Soul
Avatar for Emna emna__ayadi
2
1.1k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
141
7.4k
Agile Actions for Facilitating Distributed Teams - ADO2019
Avatar for Mark Kilby mkilby
0
180
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
Avatar for David Carrasco davidcarrasco
3
130
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
2
270
Data-driven link building: lessons from a $708K investment (BrightonSEO talk)
Avatar for Szymon Słowik szymonslowik
1
1k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
Avatar for Tomoya Matsuura tomoyanonymous
2
800
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
320
Visualization
Avatar for Eitan Lees eitanlees
150
17k
Believing is Seeing
Avatar for Spiro Bolos oripsolob
1
120
More Than Pixels: Becoming A User Experience Designer
Avatar for Michelle Schulp Hunt marktimemedia
3
400
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
13
1.2k

Transcript

  1. None

  2. ▪ ▪ ▪ ▪ ▪ ▪

  3. ▪ ▪ ▪ ▪

  4. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  5. None
  6. None

  7. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  8. ▪ ▪ ▪

  9. None
  10. None
  11. None

  12. ▪ ▪ ▪ ▪ ▪ ▪

  13. ▪ ▪ ▪ ▪ ▪ ▪ ▪ ▪

  14. String query = "select * from customers where group =

    "; query += request.getParameter("group"); rowMapper = new RowMapper<Customer>() { @Override public Customer mapRow(ResultSet rs, int rowNum) throws SQLException { return new Customer(rs.getLong("id"), rs.getString("first_name"), rs.getString("group")); } }; jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/customers?group=12

  15. String query = "select * from customers where group =

    " query += request.getParameter("group"); jdbcTemplate.query(query, new Object[] {}, rowMapper); http://host.tld/query?group=1 OR 1=1 SELECT * FROM customers where group=1 OR 1=1
  16. None
  17. None

  18. ▪ ▪

  19. ▪ ▪ … ▪ ▪ … ▪ ▪ ▪ ▪

  20. ▪ ▪ ▪

  21. <html> <h1>Comentarios</h1> <h3>Hola!</h3> <p><script>alert("Controlado por el intruso")</script></p> </html>

  22. None

  23. /hello?name=<script>alert(‘xss’)</script> <p>Hi <script>alert(‘xss’)</script></p> @RequestMapping("/hello") @ResponseBody protected String handleHello(HttpServletRequest request){ String

    name = request.getParameter("name"); return String.format(“<p>Hi %s</p>", name); }

  24. /hello?name=<script>alert(‘xss’)</script> <p>Hi &lt;script&gt;alert(&quot;xss&quot;)&lt;/script&gt;</p> Hi <script>alert(‘xss’)</script> import org.springframework.web.util.HtmlUtils; @RequestMapping("/hello") @ResponseBody protected

    String handleHello(HttpServletRequest request){ String name = request.getParameter("name"); return String.format("<p>Hi %s</p>", HtmlUtils.htmlEscape(name)); }
  25. None

  26. ▪ ▪ ▪

  27. ▪ ▪ <img src=http://home-banking.com/transfer?dst=1234&amount=3>

  28. None
  29. None

  30. ▪ •

  32. None

  33. ▪ ▪

  34. None

  35. ▪ ▪

  36. ▪ …

  37. ▪ ▪ if not has_authorization(user, action, object): raise AuthorizationException(user, action,

    object) action(user, object)
  38. None

  39. ▪ ▪ ▪ ▪

  40. None
  41. None