Are you sure that your site is secure?
Site security
●   Trusted, experienced and secure hosting
●   Secure code
●   Security updates
Security Updates
●   Subscribe to Security-news
    http://lists.drupal.org/mailman/listinfo/security-news
●   Use Drupal 7 core module Update Manager.
How secure is Drupal code?
Types of vulnerabilities
Is Your Drupal-site Code Secure?
Speaker: Vlad Savitsky
          Working at



          Skype: vlad_savitsky
          ICQ: 205535814
          vlad.savitsky@gmail.com
          +38096 530 27 12
Challenge
●   http://google-gruyere.appspot.com/start
●   Gruyere /ɡruːˈjɛər/ - a small, cheesy web
    application that allows its users to publish snippets
    of text and store assorted files.
●   "Unfortunately," Gruyere has multiple security
    bugs ranging from cross-site scripting and cross-
    site request forgery, to information disclosure, denial
    of service, and remote code execution.


The goal is to discover bugs in Gruyere.
Cross-site scripting (XSS)
●   Allows attackers to inject script into Web pages
    viewed by other users.
●   http://en.wikipedia.org/wiki/Cross-site_scripting
Handling Data: Golden Rule
●   Store exactly what the user typed.
●   When handling and outputting text in HTML,
    you need to be careful that proper filtering or
    escaping is done.
1. User sends some data
[Diagram: the user's input reaches the Drupal code; invalid input is rejected and the validated user input is stored in the database.]
2. Attacker sends code
[Diagram: the attacker's input contains JS; the Drupal code does not validate it well, so the JS is stored in the database.]
3. User requests a page
[Diagram: the user requests a page, the Drupal code runs an SQL query, the stored JS comes back from the database, and because the data is not well escaped the JS is sent to the user.]
4. User runs Attacker's code
[Diagram: the user views the HTML page in the browser; the attacker's JavaScript code runs there and sends the user's data away.]
Access Bypass
[Diagram: the user requests /devel/php; the Drupal code grants access.]
Cross-site request forgery
●   Ability to make the server perform actions simply
    by having some URL accessed.
●   Also known as a one-click attack or session
    riding and abbreviated as CSRF (pronounced
    sea-surf) or XSRF.
●   http://en.wikipedia.org/wiki/Cross-site_request_forgery
1. Find URL
[Diagram: a user profile form with Save and Delete buttons; the Delete button leads to http://example.com/user/10/delete.]
2. Post URL
[Diagram: the user posts a page containing <img src="URL" /> to the server; when the admin opens the HTML page, the admin's browser requests the URL.]
Arbitrary code execution
●   Ability to execute any commands of the
    attacker's choice on a target machine or in a
    target process.
●   http://en.wikipedia.org/wiki/Arbitrary_code_execution
Session fixation
●   Session fixation attacks attempt to exploit the
    vulnerability of a system which allows one
    person to fixate (set) another person's
    session identifier (SID).
●   Most session fixation attacks are web based,
    and most rely on session identifiers being
    accepted from URLs (query string) or POST
    data.
●   http://en.wikipedia.org/wiki/Session_fixation
1. Send URL with SID
[Diagram: the user sends the admin the URL http://example.com/node/2?sid=123; the admin logs in through http://example.com/user/login?sid=123, handled by the Drupal code.]
2. Get Admin's session
[Diagram: the user logs in as admin through the same URL, http://example.com/user/login?sid=123, served by the Drupal code.]
http://drupal.org/project/sharedsignon
http://drupal.org/node/592488
How to find a vulnerability?
XSS high-risk zones
●   theme().
●   t() and l().
●   dpm().
●   echo().
●   var_dump().
●   console.log().
●   watchdog().
●   drupal_set_message().
●   Templates (.tpl.php).
●   Theme's code.
●   Preprocess functions.
●   $form_state values.
●   Validation messages and default values.
●   Field type 'select' and 'options' attribute.
●   drupal_set_title().
XSS Test

<script>alert('xss');</script>

<img src="notfound.png" onerror="alert('xss');">

watchdog('type',
  'message <script type="text/javascript">alert("xss");</script>');
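The output paths listed above as XSS high-risk zones, drupal_set_message(), watchdog() and drupal_set_title(), shown first in the vulnerable form and then with escaping. This is an added example, not code from the slides; it uses the Drupal 7 API, and the module name "example" and the path "example/greet/%" are assumptions.

```php
<?php
/**
 * Added example (not from the slides): the drupal_set_message(), watchdog()
 * and drupal_set_title() paths from the XSS high-risk zones list, first in
 * the vulnerable form and then with escaping. Drupal 7 API; the module name
 * "example" and the path "example/greet/%" are assumptions.
 */

/**
 * Implements hook_menu().
 */
function example_menu() {
  $items['example/greet/%'] = array(
    'title' => 'Greeting',
    'page callback' => 'example_greet_page',
    'page arguments' => array(2),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Vulnerable variant: $name arrives raw from the URL and is concatenated into
 * strings that Drupal treats as trusted HTML. With either XSS Test payload
 * from the slides in the path, the script runs once for the visitor and then
 * again for every administrator who opens the "Recent log messages" report,
 * because dblog prints watchdog messages unescaped.
 */
function example_greet_page_vulnerable($name) {
  drupal_set_message('Hello ' . $name);
  watchdog('example', 'Greeted ' . $name);
  drupal_set_title('Hello ' . $name, PASS_THROUGH);
  return '<p>Hello ' . $name . '</p>';
}

/**
 * Hardened variant: every untrusted value goes in as a placeholder. For "@"
 * placeholders t(), format_string() and watchdog() run check_plain() on the
 * value; "%" does the same and wraps it in <em class="placeholder">.
 * PASS_THROUGH is safe here only because t() has already escaped $name.
 */
function example_greet_page($name) {
  drupal_set_message(t('Hello @name', array('@name' => $name)));
  watchdog('example', 'Greeted %name', array('%name' => $name), WATCHDOG_NOTICE);
  drupal_set_title(t('Hello @name', array('@name' => $name)), PASS_THROUGH);
  return '<p>' . t('Hello @name', array('@name' => $name)) . '</p>';
}
```

Review rule of thumb: a string literal may contain HTML, a variable may not, so any variable that meets HTML goes through check_plain(), filter_xss() or a t() placeholder first.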
How to find XSRF?
●   Inspect hook_menu().
●   Inspect AJAX callbacks.
●   If secure tokens are not used, then XSRF is
    possible.
●   See drupal_get_token().
Access bypass
●   Check hook_permission().
●   Search for permission names.
●   Check the 'access callback' entries in hook_menu().
●   Check that the code works correctly with other
    contributed modules and respects their
    access restrictions.
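How the hook_menu() checks from the two lists above look in code: a delete path with only a generic permission and no token (the pattern behind the "2. Post URL" slide), beside one that has a dedicated access callback and a per-user token verified with drupal_valid_token(). This is an added example, not code from the slides; it uses the Drupal 7 API, and the module name "example", the paths and the {example_item} table are assumptions.

```php
<?php
/**
 * Added example (not from the slides): access callback plus XSRF token for a
 * destructive menu path. Drupal 7 API; the module name "example", the paths
 * and the {example_item} table (columns id, uid) are assumptions.
 */

/**
 * Implements hook_permission().
 */
function example_permission() {
  return array(
    'delete example items' => array('title' => t('Delete example items')),
  );
}

/**
 * Implements hook_menu().
 */
function example_menu() {
  // Vulnerable: only a generic permission is checked, and the callback acts
  // on a plain GET request, so an <img src="..."> on any page an authorised
  // user visits is enough to delete the item.
  $items['example/%/delete'] = array(
    'page callback' => 'example_delete_vulnerable',
    'page arguments' => array(1),
    'access arguments' => array('access content'),
    'type' => MENU_CALLBACK,
  );
  // Hardened: a dedicated access callback that receives the item id, plus a
  // token bound to the user's session that a forged request cannot know.
  $items['example/%/delete-safe'] = array(
    'page callback' => 'example_delete',
    'page arguments' => array(1),
    'access callback' => 'example_delete_access',
    'access arguments' => array(1),
    'type' => MENU_CALLBACK,
  );
  return $items;
}

/**
 * Access callback: permission first, then ownership of the item, so the menu
 * system answers 403 before the page callback ever runs.
 */
function example_delete_access($id, $account = NULL) {
  if (!user_access('delete example items', $account)) {
    return FALSE;
  }
  $uid = $account ? $account->uid : $GLOBALS['user']->uid;
  $owner = db_query('SELECT uid FROM {example_item} WHERE id = :id',
    array(':id' => $id))->fetchField();
  return $owner !== FALSE && (int) $owner === (int) $uid;
}

/**
 * Builds the delete link. The token value includes the item id, so a token
 * captured for one item does not validate for another.
 */
function example_delete_link($id) {
  return l(t('Delete'), "example/$id/delete-safe", array(
    'query' => array('token' => drupal_get_token('example-delete-' . $id)),
  ));
}

function example_delete_vulnerable($id) {
  db_delete('example_item')->condition('id', $id)->execute();
  drupal_goto('example');
}

function example_delete($id) {
  // drupal_valid_token() ties the token to the current session and the
  // site's private key; a request forged from another origin fails here.
  if (empty($_GET['token']) || !drupal_valid_token($_GET['token'], 'example-delete-' . $id)) {
    return MENU_ACCESS_DENIED;
  }
  db_delete('example_item')->condition('id', $id)->execute();
  drupal_set_message(t('Item @id deleted.', array('@id' => $id)));
  drupal_goto('example');
}
```

Core's own delete paths use confirm_form(), whose Form API token gives the same protection for POST submissions; the explicit GET token above is the pattern to look for in AJAX callbacks and other non-form actions.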
Code Execution
●   Search for 'eval', 'system' and similar functions.
●   Check code includes.
●   Check whether files containing code could be executed.
●   Search for the PHP input format on blocks, nodes,
    fields and so on.
●   Check whether modules like devel and php are
    enabled.
●   Check whether uploading files with PHP code is
    possible.
SQL injection
●   Static queries.
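What "static queries" means in a Drupal 7 code review: the SQL text stays constant and every user-supplied value travels separately as a placeholder. This is an added example, not code from the slides; the {example_item} table and the function names are assumptions.

```php
<?php
/**
 * Added example (not from the slides): static queries with placeholders in
 * the Drupal 7 database API. The {example_item} table (columns id, title,
 * created) and the function names are assumptions.
 */

// Vulnerable: the user-supplied value is spliced into the SQL text, so the
// query's structure is under the caller's control.
function example_items_by_title_vulnerable($title) {
  return db_query("SELECT id, title FROM {example_item} WHERE title = '" . $title . "'")
    ->fetchAll();
}

// Hardened: the SQL is a static string and the value is bound to a named
// placeholder; the database layer quotes it, so the query structure cannot
// change no matter what $title contains.
function example_items_by_title($title) {
  return db_query('SELECT id, title FROM {example_item} WHERE title = :title',
    array(':title' => $title))->fetchAll();
}

// Placeholders also cover lists: an array bound to :ids is expanded to the
// right number of placeholders, so there is no reason to implode() user
// input into an IN (...) clause.
function example_items_by_ids(array $ids) {
  return db_query('SELECT id, title FROM {example_item} WHERE id IN (:ids)',
    array(':ids' => $ids))->fetchAll();
}

// Review signal: identifiers (table or column names, sort direction) cannot
// be placeholders. When they must vary, map them through a whitelist first.
function example_items_sorted($column) {
  $allowed = array('id', 'title', 'created');
  if (!in_array($column, $allowed, TRUE)) {
    $column = 'id';
  }
  return db_select('example_item', 'i')
    ->fields('i', array('id', 'title'))
    ->orderBy('i.' . $column)
    ->execute()
    ->fetchAll();
}
```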
Drupal Security Team
Goals of the security team
●   Resolve reported security issues.
●   Provide assistance for contributed module
    maintainers in resolving security issues.
●   Provide documentation on how to write
    secure code.
●   Provide documentation on securing your site.
How to report a security issue
●   Do not post in the issue tracker or discuss it in IRC.
●   Mail to security@drupal.org
●   Provide as many details as you can. At least:
    ●   Drupal version and/or module version.
    ●   Steps to reproduce the problem.
●   Do not disclose the vulnerability to anyone before
    the advisory is issued.
●   You will be credited in the security announcement.
How does the security team work with issues?
●   Review the issue and evaluate the potential
    impact on all supported releases of Drupal.
●   If it is indeed a valid problem, the security team is
    mobilized to eliminate it.
●   New versions are created and tested.
●   New packages are created and uploaded to
    Drupal.org.
●   When an issue has been fixed, the team uses all
    available communication channels to inform users
    of the steps that must be taken to protect themselves.
Issues with contributed modules
●   The module maintainer is contacted with a
    deadline.
●   When the maintainer fixes the problem, the
    security team issues an advisory.
●   If the maintainer does not fix the problem
    within the deadline, an advisory is issued
    recommending that the module be disabled, and
    the project on Drupal.org is unpublished.
Additional Reading
●   Core Security Advisories
    http://drupal.org/security
●   Contributed Project Security Advisories
    http://drupal.org/security/contrib
●   The Drupal Security Team
    http://drupal.org/security-team
●   Secure configuration of your Drupal site
    http://drupal.org/security/secure-configuration
●   Writing secure code
    http://drupal.org/writing-secure-code
●   Cracking Drupal – The Drupal security book
    http://crackingdrupal.com/
●   This paper's website
    http://drupalsecurityreport.org
●   OWASP Top Ten Project
    http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
Questions to speaker

         Vlad Savitsky
         http://shvetsgroup.com
         Skype: vlad_savitsky
         ICQ: 205535814
         vlad.savitsky@gmail.com
         +38 096 530 27 12

Vlad savitsky. Church Site in 15 minutes
 
Dmitry Drozdik. how to make friendship between drupal and content manager. dr...
Dmitry Drozdik. how to make friendship between drupal and content manager. dr...Dmitry Drozdik. how to make friendship between drupal and content manager. dr...
Dmitry Drozdik. how to make friendship between drupal and content manager. dr...
 
Alexey Kostin. Increase site ctr in serp using google rich snippets. DrupalCa...
Alexey Kostin. Increase site ctr in serp using google rich snippets. DrupalCa...Alexey Kostin. Increase site ctr in serp using google rich snippets. DrupalCa...
Alexey Kostin. Increase site ctr in serp using google rich snippets. DrupalCa...
 
Oleg Natalushko. Drupal server anatomy. DrupalCamp Kyiv 2011
Oleg Natalushko. Drupal server anatomy. DrupalCamp Kyiv 2011Oleg Natalushko. Drupal server anatomy. DrupalCamp Kyiv 2011
Oleg Natalushko. Drupal server anatomy. DrupalCamp Kyiv 2011
 
Dennis popov. scrum for drupal. drupal camp kyiv 2011
Dennis popov. scrum for drupal. drupal camp kyiv 2011Dennis popov. scrum for drupal. drupal camp kyiv 2011
Dennis popov. scrum for drupal. drupal camp kyiv 2011
 
Andriy Kushnarov. BOND: a giant drupal in a huge company. DrupalCamp Kyiv 2011
Andriy Kushnarov. BOND: a giant drupal in a huge company. DrupalCamp Kyiv 2011Andriy Kushnarov. BOND: a giant drupal in a huge company. DrupalCamp Kyiv 2011
Andriy Kushnarov. BOND: a giant drupal in a huge company. DrupalCamp Kyiv 2011
 
Pavlenko Sergey. Drush: using and creating custom commands. DrupalCamp Kyiv 2011
Pavlenko Sergey. Drush: using and creating custom commands. DrupalCamp Kyiv 2011Pavlenko Sergey. Drush: using and creating custom commands. DrupalCamp Kyiv 2011
Pavlenko Sergey. Drush: using and creating custom commands. DrupalCamp Kyiv 2011
 
Danilenko Alexander. Drupal 7 theming on Omega. DrupalCamp Kyiv 2011
Danilenko Alexander. Drupal 7 theming on Omega. DrupalCamp Kyiv 2011Danilenko Alexander. Drupal 7 theming on Omega. DrupalCamp Kyiv 2011
Danilenko Alexander. Drupal 7 theming on Omega. DrupalCamp Kyiv 2011
 
Evgeniy Karelin. Mongo DB integration example solving performance and high lo...
Evgeniy Karelin. Mongo DB integration example solving performance and high lo...Evgeniy Karelin. Mongo DB integration example solving performance and high lo...
Evgeniy Karelin. Mongo DB integration example solving performance and high lo...
 
Oleksandr Masovets. Forms in Drupal. Drupal Camp Kyiv 2011
Oleksandr Masovets. Forms in Drupal. Drupal Camp Kyiv 2011Oleksandr Masovets. Forms in Drupal. Drupal Camp Kyiv 2011
Oleksandr Masovets. Forms in Drupal. Drupal Camp Kyiv 2011
 
Yuriy Gerasimov. Drupal Services. Integration with third party applications. ...
Yuriy Gerasimov. Drupal Services. Integration with third party applications. ...Yuriy Gerasimov. Drupal Services. Integration with third party applications. ...
Yuriy Gerasimov. Drupal Services. Integration with third party applications. ...
 
Оптимизация JavaScript в Drupal
Оптимизация JavaScript в DrupalОптимизация JavaScript в Drupal
Оптимизация JavaScript в Drupal
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsJoaquim Jorge
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CVKhem
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Scriptwesley chun
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessPixlogix Infotech
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonetsnaman860154
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 

Último (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Automating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps ScriptAutomating Google Workspace (GWS) & more with Apps Script
Automating Google Workspace (GWS) & more with Apps Script
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
🐬 The future of MySQL is Postgres 🐘
🐬  The future of MySQL is Postgres   🐘🐬  The future of MySQL is Postgres   🐘
🐬 The future of MySQL is Postgres 🐘
 

Looking for Vulnerable Code. Vlad Savitsky

  • 2. Are you sure that your site is secure?
  • 3. Site security ● Trusted, experienced and secure hosting ● Secure code ● Security updates
  • 4. Security Updates ● Subscribe to Security-news http://lists.drupal.org/mailman/listinfo/security-news ● Use Drupal 7 core module Update Manager.
  • 5. How secure is Drupal code?
  • 7. Is Your Drupal-site Code Secure?
  • 8. Speaker: Vlad Savitsky Working at Skype: vlad_savitsky ICQ: 205535814 vlad.savitsky@gmail.com +38096 530 27 12
  • 9. Challenge ● http://google-gruyere.appspot.com/start ● Gruyere /ɡruːˈjɛər/ - a small, cheesy web application that allows its users to publish snippets of text and store assorted files. ● "Unfortunately," Gruyere has multiple security bugs ranging from cross-site scripting and cross-site request forgery, to information disclosure, denial of service, and remote code execution. The goal is to discover bugs in Gruyere.
  • 10. Cross-site scripting (XSS) ● Allows attackers to inject script into Web pages viewed by other users. ● http://en.wikipedia.org/wiki/Cross-site_scripting
  • 11. Handling Data Golden Rule ● Store exactly what the user typed. ● When handling and outputting text in HTML, you need to be careful that proper filtering or escaping is done.
  • 12. 1. User sends some data (diagram): the user submits input; the Drupal code rejects invalid input and stores the validated user input in the database.
  • 13. 2. Attacker sends code (diagram): the attacker's input contains JavaScript; the Drupal code does not validate it well, so the JavaScript is stored in the database.
  • 14. 3. User requests a page (diagram): a user requests a page; the Drupal code runs an SQL query, the database returns the stored JavaScript, and the code outputs it without proper escaping.
  • 15. 4. User runs the attacker's code (diagram): the user's browser renders the HTML page, the attacker's JavaScript runs and sends the user's data to the attacker.
  • 16. Access Bypass (diagram): 1. the user requests /devel/php; 2. the Drupal code grants access.
  • 17. Cross-site request forgery ● Ability to run some actions at server accessing some URL. ● Also known as a one-click attack or session riding and abbreviated as CSRF (pronounced sea-surf) or XSRF. ● http://en.wikipedia.org/wiki/Cross-site_request_forgery
  • 18. 1. Find the URL (diagram): the Save and Delete buttons on the user profile page map to URLs such as http://example.com/user/10/delete.
  • 19. 2. Post the URL (diagram): 1. the attacker posts a page to the server; 2. the server sends the admin an HTML page containing <img src="URL" />; 3. the admin's browser opens the URL with the admin's session.
  • 20. Arbitrary code execution ● Ability to execute any commands of the attacker's choice on a target machine or in a target process. ● http://en.wikipedia.org/wiki/Arbitrary_code_execution
  • 22. Session fixation ● Session fixation attacks attempt to exploit the vulnerability of a system which allows one person to fixate (set) another person's session identifier (SID). ● Most session fixation attacks are web based, and most rely on session identifiers being accepted from URLs (query string) or POST data. ● http://en.wikipedia.org/wiki/Session_fixation
  • 23. 1. Send a URL with the SID (diagram): 1. the attacker sends the admin a link such as http://example.com/node/2?sid=123; 2. the admin logs in through http://example.com/user/login?sid=123, so the Drupal code binds the admin's session to the attacker-chosen SID.
  • 24. 2. Get the admin's session (diagram): 3. the attacker opens http://example.com/user/login?sid=123 with the same SID and is logged in as admin.
  • 27. How to find a vulnerability?
  • 28. XSS high-risk zones ● theme(). ● t() and l(). ● dpm(). ● echo(). ● var_dump(). ● console.log(). ● watchdog(). ● drupal_set_message(). ● drupal_set_title(). ● Templates (.tpl.php). ● Theme's code. ● Preprocess functions. ● $form_state values. ● Validation messages and default values. ● Field type 'select' and 'options' attribute.
  • 29. XSS Test <script>alert('xss');</script> <img src="notfound.png" onerror="alert('xss');"> watchdog('type', 'message <script type="text/javascript">alert("xss");</script>');
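The golden rule and the test payloads above, as an added example in plain PHP (this is not code from the slides). It keeps the raw text and escapes at output time; htmlspecialchars() with ENT_QUOTES and 'UTF-8' is what Drupal 7's check_plain() calls, so inside a module use check_plain() itself. The function names, the third payload and the stored values are this example's own.

```php
<?php
// Added example, not code from the slides. The "golden rule": keep exactly
// what the user typed, escape at output time for the HTML context the text
// lands in. htmlspecialchars($t, ENT_QUOTES, 'UTF-8') is what Drupal 7's
// check_plain() does; use check_plain() inside Drupal.

// Constructed attacker input: the payloads from the "XSS Test" slide plus one
// aimed at an unquoted attribute. This is what the database would hold.
$stored = array(
  'script tag'         => "<script>alert('xss');</script>",
  'event handler'      => '<img src="notfound.png" onerror="alert(\'xss\');">',
  'unquoted attribute' => 'x autofocus onfocus=alert(1)',
);

// VULNERABLE: the raw value is dropped into markup. This is what echo,
// theme() variables, drupal_set_message(), watchdog() messages,
// drupal_set_title() and the other high-risk zones do with an unescaped value.
function render_title_vulnerable($title) {
  return '<h1>' . $title . '</h1>';
}

// HARDENED: escape for HTML text content.
function render_title($title) {
  return '<h1>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h1>';
}

// STILL VULNERABLE: escaped, but the attribute is not quoted. The third
// payload contains no <, >, " or ', so escaping changes nothing and the
// browser reads "autofocus" and "onfocus=alert(1)" as new attributes.
function render_field_vulnerable($value) {
  return '<input value=' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '>';
}

// HARDENED: quote the attribute AND escape the value; ENT_QUOTES makes sure
// a quote character inside the value cannot close the attribute early.
function render_field($value) {
  return '<input value="' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '">';
}

foreach ($stored as $label => $payload) {
  echo "== $label ==\n";
  echo "vulnerable title: ", render_title_vulnerable($payload), "\n";
  echo "hardened title:   ", render_title($payload), "\n";
  echo "vulnerable field: ", render_field_vulnerable($payload), "\n";
  echo "hardened field:   ", render_field($payload), "\n";
}
```

In Drupal 7 the same rule is built into t() and l(): a @name placeholder is passed through check_plain(), %name through drupal_placeholder() (escaped and wrapped in <em>), while !name inserts the value unchanged, so !name is only for values that are already safe HTML. Escaping is for text the user may not format; when a restricted set of tags is allowed, the output goes through filter_xss() or check_markup() instead, never through the raw value.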
  • 31. How to find XSRF? ● Inspect hook_menu(). ● Inspect AJAX callbacks. ● If secure tokens are not used then XSRF is possible. ● See drupal_get_token() and drupal_valid_token().
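The delete link from the CSRF diagrams, protected with a per-session, per-action token, as an added example in plain PHP (not code from the slides). The token is built the way Drupal 7's drupal_get_token() and drupal_valid_token() build theirs: an HMAC over the action name keyed with the session id plus site secrets. Drupal's Form API adds such a token to every form automatically; a state-changing GET link registered in hook_menu() has to do it by hand. The constants, session id, function names and the 200/403 return values are this example's own stand-ins for session_id(), drupal_get_private_key() and drupal_get_hash_salt().

```php
<?php
// Added example, not code from the slides. A per-session, per-action CSRF
// token in plain PHP, built like Drupal 7's drupal_get_token() /
// drupal_valid_token(). Needs PHP 5.6+ for hash_equals().

// Constructed stand-ins for drupal_get_private_key() and
// drupal_get_hash_salt(); in Drupal call the real functions.
const SITE_PRIVATE_KEY = 'replace-with-a-random-secret';
const SITE_HASH_SALT   = 'replace-with-the-settings.php-salt';

// Same encoding as drupal_hmac_base64(): URL-safe base64 without padding.
function hmac_base64($data, $key) {
  $raw = hash_hmac('sha256', $data, $key, TRUE);
  return strtr(rtrim(base64_encode($raw), '='), '+/', '-_');
}

// Equivalent of drupal_get_token($value): bound to this session and action.
function csrf_token($value, $session_id) {
  return hmac_base64($value, $session_id . SITE_PRIVATE_KEY . SITE_HASH_SALT);
}

// Equivalent of drupal_valid_token($token, $value), with a constant-time compare.
function csrf_valid_token($token, $value, $session_id) {
  return hash_equals(csrf_token($value, $session_id), (string) $token);
}

// The slide's action: delete user 10. The token covers the exact path, so a
// token for user/10/delete does not authorise user/1/delete.
function delete_link($uid, $session_id) {
  $path = "user/$uid/delete";
  return 'http://example.com/' . $path . '?token=' . rawurlencode(csrf_token($path, $session_id));
}

// Page callback for user/%/delete as it should check the request. Returns an
// HTTP status for this example; in Drupal you would call drupal_access_denied().
function user_delete_page($uid, array $query, $session_id) {
  $path = "user/$uid/delete";
  if (!isset($query['token']) || !csrf_valid_token($query['token'], $path, $session_id)) {
    return 403;
  }
  return 200;   // perform the deletion here
}

$admin_session = 'abc123';   // constructed: the admin's own session id

// The admin clicks the link the site generated for her: token present and valid.
$link = delete_link(10, $admin_session);
parse_str(parse_url($link, PHP_URL_QUERY), $query);
echo 'own link:          ', user_delete_page(10, $query, $admin_session), "\n";

// The attacker's <img src="http://example.com/user/10/delete"> carries no
// token, and none can be computed without the admin's session id and the
// site secrets.
echo 'image without token: ', user_delete_page(10, array(), $admin_session), "\n";

// A token minted for a different action is rejected as well.
echo 'token for other uid: ', user_delete_page(1, $query, $admin_session), "\n";
```

Because the admin's session id is part of the key, a token captured from one user is useless in another session, and rotating the site private key invalidates every outstanding link. For AJAX callbacks the same check applies to the token carried in the request.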
  • 32. Access bypass ● Check hook_permission(). ● Search for permission names. ● Check the 'access callback' entries in hook_menu(). ● Check that the code works correctly with other contributed modules and respects their access restrictions.
  • 33. Code Execution ● Search for 'eval', 'system', etc. ● Check code includes. ● Check whether files containing code could be executed. ● Search for the PHP input format on blocks, nodes, fields, etc. ● Check whether modules like devel and php are enabled. ● Check whether uploading files with PHP code is possible.
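One way to do the searching that the access-bypass and code-execution slides call for, as an added example (not the slides' code and not a Drupal tool): a static check over a module directory that flags hook_menu() items whose 'access callback' is TRUE and calls to eval(), system() and similar functions. It uses PHP's own tokenizer rather than grep so that words in comments and string literals do not produce false hits. The list of function names, the file extensions and the sample module are this example's own choices.

```php
<?php
// Added example, not code from the slides. Static audit of PHP source for
// two patterns from the slides: 'access callback' => TRUE (access bypass)
// and eval()/system()/backticks/includes (code execution).

// Example's own list; review any hit by hand.
function dangerous_functions() {
  return array(
    'system', 'exec', 'shell_exec', 'passthru', 'popen', 'proc_open',
    'assert', 'create_function', 'call_user_func', 'call_user_func_array',
    'preg_replace',   // check the pattern for the /e modifier (PHP 5 only)
    'php_eval',       // Drupal's php module: runs stored PHP
  );
}

// Index of the nearest token in $dir that is not whitespace or a comment.
function significant_index(array $tokens, $i, $dir) {
  for ($j = $i + $dir; isset($tokens[$j]); $j += $dir) {
    $t = $tokens[$j];
    if (!is_array($t) || !in_array($t[0], array(T_WHITESPACE, T_COMMENT, T_DOC_COMMENT), TRUE)) {
      return $j;
    }
  }
  return NULL;
}
function token_id($t)   { return is_array($t) ? $t[0] : $t; }
function token_text($t) { return is_array($t) ? $t[1] : $t; }

// Returns a list of array($file, $line, $kind, $what).
function audit_php_source($source, $file) {
  $findings = array();
  $tokens = token_get_all($source);
  $line = 1;
  foreach ($tokens as $i => $tok) {
    if (!is_array($tok)) {
      if ($tok === '`') {   // backtick operator behaves like shell_exec()
        $findings[] = array($file, $line, 'code-exec', '`...`');
      }
      continue;
    }
    list($id, $text, $line) = $tok;

    // Language constructs that run or load code have their own token ids.
    if (in_array($id, array(T_EVAL, T_INCLUDE, T_INCLUDE_ONCE, T_REQUIRE, T_REQUIRE_ONCE), TRUE)) {
      $findings[] = array($file, $line, 'code-exec', $text);
      continue;
    }

    // A plain call: name followed by "(" and not preceded by "function",
    // "->", "::" or "new" (definition, method, static call, class name).
    if ($id === T_STRING && in_array(strtolower($text), dangerous_functions(), TRUE)) {
      $n = significant_index($tokens, $i, +1);
      $p = significant_index($tokens, $i, -1);
      $not_a_call = array(T_FUNCTION, T_OBJECT_OPERATOR, T_DOUBLE_COLON, T_NEW);
      if ($n !== NULL && token_text($tokens[$n]) === '('
          && ($p === NULL || !in_array(token_id($tokens[$p]), $not_a_call, TRUE))) {
        $findings[] = array($file, $line, 'code-exec', $text . '()');
      }
    }

    // 'access callback' => TRUE in a menu item: open to anonymous users.
    if ($id === T_CONSTANT_ENCAPSED_STRING && trim($text, '\'"') === 'access callback') {
      $a = significant_index($tokens, $i, +1);
      $v = $a === NULL ? NULL : significant_index($tokens, $a, +1);
      if ($a !== NULL && $v !== NULL
          && token_id($tokens[$a]) === T_DOUBLE_ARROW
          && token_id($tokens[$v]) === T_STRING
          && strtolower(token_text($tokens[$v])) === 'true') {
        $findings[] = array($file, $line, 'access-bypass', "'access callback' => TRUE");
      }
    }
  }
  return $findings;
}

// Walk a module directory; these extensions are the ones Drupal loads as PHP.
function audit_directory($dir) {
  $findings = array();
  $it = new RecursiveIteratorIterator(new RecursiveDirectoryIterator($dir));
  foreach ($it as $path => $info) {
    if ($info->isFile() && preg_match('/\.(php|module|inc|install|theme|engine)$/', $path)) {
      $findings = array_merge($findings, audit_php_source(file_get_contents($path), $path));
    }
  }
  return $findings;
}

// Constructed sample module: the bad patterns plus two decoys that a grep
// would report (eval in a comment, system() inside a string).
$sample = <<<'PHP'
<?php
/**
 * Implements hook_menu(). The word eval() in this comment is not a call.
 */
function example_menu() {
  $items['example/run'] = array(
    'page callback' => 'example_run',
    'access callback' => TRUE,
  );
  $items['example/admin'] = array(
    'page callback' => 'example_admin',
    'access arguments' => array('administer site configuration'),
  );
  return $items;
}
function example_run() {
  return eval($_GET['code']);
}
function example_admin() {
  $label = 'system() inside a string is not a call either';
  return '<pre>' . shell_exec('ls ' . $_GET['dir']) . '</pre>';
}
PHP;

foreach (audit_php_source($sample, 'example.module') as $f) {
  vprintf("%s:%d  %-13s %s\n", $f);
}
```

Run it over a real checkout with audit_directory('sites/all/modules/contrib/foo') and review each hit in context: the 'access callback' => TRUE hits are correct for pages that really are public, and a call_user_func() hit matters only when the callback name can come from the request. The scanner does not follow the other items on the slides (PHP input format settings, enabled devel/php modules, upload handling); those are configuration checks, not source checks.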
  • 34. SQL injection ● Static queries that concatenate user input into the SQL string instead of passing it through placeholders.
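The injection the slide warns about, beside the placeholder form that prevents it, as an added example (not the slides' code). Drupal 7's db_query() runs on PDO and uses the same :name placeholders, so the hardened statement below is what a module would pass to db_query(). The in-memory SQLite database, the users table and its rows are constructed for this example; it needs the pdo_sqlite extension.

```php
<?php
// Added example, not code from the slides. Concatenated SQL beside the
// placeholder form; the database and rows are constructed for the demo.

function sample_db() {
  $db = new PDO('sqlite::memory:');
  $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
  $db->exec('CREATE TABLE users (uid INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
  $db->exec("INSERT INTO users VALUES (1, 'admin', 'hash-of-admin-password')");
  $db->exec("INSERT INTO users VALUES (2, 'alice', 'hash-of-alice-password')");
  return $db;
}

// VULNERABLE: a "static" query assembled by string concatenation. The user
// controls part of the SQL text, not just a value, so a quote in the input
// ends the literal and the rest is parsed as SQL.
function find_user_vulnerable(PDO $db, $name) {
  $sql = "SELECT uid, name FROM users WHERE name = '" . $name . "'";
  return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value travels separately from the SQL text, so quotes in it
// cannot change the statement. In Drupal 7 the same call is
//   db_query('SELECT uid, name FROM {users} WHERE name = :name',
//            array(':name' => $name));
function find_user(PDO $db, $name) {
  $stmt = $db->prepare('SELECT uid, name FROM users WHERE name = :name');
  $stmt->execute(array(':name' => $name));
  return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = sample_db();

// Constructed attacker inputs. The first turns the WHERE clause into a
// tautology; the second appends a UNION that reads a column the query never
// exposed (the "--" comments out the trailing quote).
$attacks = array(
  "x' OR '1'='1",
  "x' UNION SELECT uid, pass FROM users --",
);

foreach ($attacks as $input) {
  echo "input: $input\n";
  echo "  concatenated: ", json_encode(find_user_vulnerable($db, $input)), "\n";
  echo "  placeholder:  ", json_encode(find_user($db, $input)), "\n";
}
echo "legitimate lookup: ", json_encode(find_user($db, 'alice')), "\n";
```

Placeholders only protect values. Table and column names, ORDER BY directions and LIMIT clauses cannot be bound, so anything of that kind taken from the request must be checked against a whitelist before it is spliced in; in Drupal 7 the dynamic query builder (db_select()) does that checking for you. db_query() also expands an array bound to one placeholder into a comma-separated list, so `WHERE uid IN (:uids)` with array(':uids' => $ids) needs no manual string building either.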
  • 36. Goals of the security team ● Resolve reported security issues. ● Provide assistance for contributed module maintainers in resolving security issues. ● Provide documentation on how to write secure code. ● Provide documentation on securing your site.
  • 37. How to report a security issue ● Do not post in the issue tracker or discuss it in IRC. ● Mail to security@drupal.org ● Provide as many details as you can. At least: ● Drupal version and/or module version. ● Steps to reproduce the problem. ● Do not disclose the vulnerability to anyone before the advisory is issued. ● You will be credited in the security announcement.
  • 38. How does the security team work with issues? ● Review the issue and evaluate the potential impact on all supported releases of Drupal. ● If it is indeed a valid problem, the security team is mobilized to eliminate it. ● New versions are created and tested. ● New packages are created and uploaded to Drupal.org. ● When an issue has been fixed, use all available communication channels to inform users of steps that must be taken to protect themselves.
  • 39. Issues with contributed modules ● The module maintainer is contacted with a deadline. ● When the maintainer fixes the problem, the security team issues an advisory. ● If the maintainer does not fix the problem within the deadline, an advisory is issued, recommending disabling the module and the project on Drupal.org is unpublished.
  • 40. Additional Reading ● Core Security Advisories http://drupal.org/security ● Contributed Project Security Advisories http://drupal.org/security/contrib ● The Drupal Security Team http://drupal.org/security-team ● Secure configuration of your Drupal site http://drupal.org/security/secure-configuration ● Writing secure code http://drupal.org/writing-secure-code ● Cracking Drupal – The Drupal security book http://crackingdrupal.com/ ● This paper's website http://drupalsecurityreport.org ● OWASP Top Ten Project http://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
  • 41. Questions to speaker Vlad Savitsky http://shvetsgroup.com Skype: vlad_savitsky ICQ: 205535814 vlad.savitsky@gmail.com +38 096 530 27 12