@DNNCon Don’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer
Engage Software
@JRBradley1
THANKS TO ALL OF OUR GENEROUS SPONSORS!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Introduction
• https://www.owasp.org/index.php/OW
• http://www.dnnsoftware.com/wiki/ana
Cross Site Scripting
XSS Continued…
XSS Continued…
Example 1
XSS Continued…
XSS Continued…
Example 2
XSS Continued…
• HTML-encode user input when the module does not need to accept HTML.
• Use an anti-XSS library when the module must accept HTML from user input.
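The two bullets above, as an added example that is not part of the deck: a user-supplied profile field rendered in a DNN module view. `PortalSecurity.Instance` (DNN 7.4+) and the control names are assumptions; older DNN versions expose the same `InputFilter` on `new PortalSecurity()`.

```csharp
// Added example, not from the deck. Assumes DNN 7.4+ for PortalSecurity.Instance.
using System.Web;
using System.Web.UI.WebControls;
using DotNetNuke.Security;

public static class ProfileRenderer
{
    // Vulnerable: the stored value is written straight into the page, so any
    // markup the user saved is interpreted by every visitor's browser.
    public static void RenderUnsafe(Literal target, string displayName)
    {
        target.Text = displayName;
    }

    // Case 1, plain-text field: the module never needs markup here, so encode
    // at the point of output. "<" becomes "&lt;" and can no longer open a tag.
    public static string EncodeForHtml(string displayName)
    {
        return HttpUtility.HtmlEncode(displayName ?? string.Empty);
    }

    // Case 2, rich-text field: the module must accept HTML (a bio with links
    // and formatting), so encoding would break it. Run the markup through an
    // anti-XSS filter instead. DNN's NoScripting flag strips script blocks and
    // similar scripting constructs while keeping ordinary formatting; the
    // Microsoft AntiXSS Sanitizer.GetSafeHtmlFragment() call is the library
    // equivalent the deck refers to.
    public static string SanitizeRichText(string html)
    {
        return PortalSecurity.Instance.InputFilter(
            html ?? string.Empty, PortalSecurity.FilterFlag.NoScripting);
    }

    // Hardened rendering: encode the name, sanitize the bio, and only then hand
    // either to the control. Do this on every render path, not once at save
    // time, so no output path is left unencoded.
    public static void RenderSafe(Literal nameTarget, Literal bioTarget,
                                  string displayName, string bioHtml)
    {
        nameTarget.Text = EncodeForHtml(displayName);
        bioTarget.Text = SanitizeRichText(bioHtml);
    }
}
```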
SQL Injection
SQLi Continued…
Example
SQLi Continued…
• Never build SQL by string concatenation.
• Use an ORM or a parameterized stored procedure.
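The two bullets above, as an added example that is not part of the deck: one module search written the vulnerable way and the two ways the deck recommends. The table `dbo.Items`, the procedure `dbo.Items_Search` and the `Item` class are assumptions; the ORM variant uses DNN 7's DAL2 (`DotNetNuke.Data`).

```csharp
// Added example, not from the deck: one module search written the vulnerable
// way and the two ways the deck recommends. Assumes a table dbo.Items(ItemId,
// Title, ModuleId), a procedure dbo.Items_Search(@ModuleId, @Pattern) and DNN 7 DAL2.
using System;
using System.Collections.Generic;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Linq;
using DotNetNuke.ComponentModel.DataAnnotations;
using DotNetNuke.Data;

[TableName("Items")]
[PrimaryKey("ItemId")]
public class Item
{
    public int ItemId { get; set; }
    public string Title { get; set; }
    public int ModuleId { get; set; }
}

public static class ItemSearch
{
    // DNN keeps its connection string under this name in web.config.
    private static string ConnStr => ConfigurationManager.ConnectionStrings["SiteSqlServer"].ConnectionString;

    // Vulnerable: the term is spliced into the statement, so a quote in the
    // input closes the literal and whatever follows runs as SQL.
    public static List<string> SearchUnsafe(int moduleId, string term)
    {
        string sql = "SELECT Title FROM dbo.Items WHERE ModuleId = " + moduleId +
                     " AND Title LIKE '%" + term + "%'";
        return ReadTitles(sql, CommandType.Text, cmd => { });
    }

    // Fixed, parameterized stored procedure: the statement shape is fixed in
    // the database and the term arrives as a typed value, never parsed as SQL.
    public static List<string> SearchViaProc(int moduleId, string term)
    {
        return ReadTitles("dbo.Items_Search", CommandType.StoredProcedure, cmd =>
        {
            cmd.Parameters.Add("@ModuleId", SqlDbType.Int).Value = moduleId;
            cmd.Parameters.Add("@Pattern", SqlDbType.NVarChar, 200).Value = "%" + term + "%";
        });
    }

    // Fixed, ORM: DAL2 (PetaPoco underneath) binds @0 and @1 as parameters.
    public static List<Item> SearchViaOrm(int moduleId, string term)
    {
        using (IDataContext ctx = DataContext.Instance())
        {
            return ctx.GetRepository<Item>()
                      .Find("WHERE ModuleId = @0 AND Title LIKE @1", moduleId, "%" + term + "%")
                      .ToList();
        }
    }

    private static List<string> ReadTitles(string commandText, CommandType type,
                                           Action<SqlCommand> bind)
    {
        var titles = new List<string>();
        using (var conn = new SqlConnection(ConnStr))
        using (var cmd = new SqlCommand(commandText, conn) { CommandType = type })
        {
            bind(cmd);
            conn.Open();
            using (SqlDataReader reader = cmd.ExecuteReader())
                while (reader.Read()) titles.Add(reader.GetString(0));
        }
        return titles;
    }
}
```

Parameters stop injection but not LIKE wildcards: a user can still send `%` or `_` in the term, so escape those characters too if exact matching matters.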
Cross Site Request Forgery
CSRF Continued…
Example
CSRF Continued…
• Use HttpPost.
• Use ValidateAntiForgery.
• Never allow access from any host.
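The three bullets above, as an added example that is not part of the deck: a DNN 7 Web API controller before and after the fix. The namespace, route name and `ItemStore` are hypothetical, and I read "never allow access from any host" as not leaving the endpoint open to anonymous callers, so the hardened action requires an authorized module user.

```csharp
// Added example, not from the deck: a DNN 7 Web API controller before and after
// the three CSRF bullets. The namespace, route name and ItemStore are hypothetical.
using System.Collections.Generic;
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

namespace MyCompany.MyModule.Services
{
    // In-memory stand-in for the module's data layer, keyed "moduleId:itemId".
    public static class ItemStore
    {
        private static readonly HashSet<string> Keys = new HashSet<string> { "7:1", "7:2" };
        public static bool Delete(int moduleId, int itemId) { return Keys.Remove(moduleId + ":" + itemId); }
    }

    public class DeleteRequest { public int ItemId { get; set; } }

    // Vulnerable shape: a state change on GET, open to anyone, trusting the
    // module id from the query string. A page on any other site can trigger it
    // and the browser attaches the victim's DNN session cookie.
    public class LegacyItemsController : DnnApiController
    {
        [HttpGet, AllowAnonymous]
        public HttpResponseMessage Delete(int moduleId, int itemId)
        {
            ItemStore.Delete(moduleId, itemId);
            return Request.CreateResponse(HttpStatusCode.OK);
        }
    }

    // Hardened shape: POST only, anti-forgery token required (DNN rejects the
    // call unless the RequestVerificationToken header matches the cookie), and
    // only a user with Edit rights on this module instance is authorized.
    public class ItemsController : DnnApiController
    {
        [HttpPost]
        [ValidateAntiForgeryToken]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
        public HttpResponseMessage Delete(DeleteRequest req)
        {
            // Scope the delete to the calling module (resolved by DNN from the
            // module headers) so an editor of one instance cannot reach another's rows.
            bool removed = ItemStore.Delete(ActiveModule.ModuleID, req.ItemId);
            return Request.CreateResponse(removed ? HttpStatusCode.OK : HttpStatusCode.NotFound);
        }
    }

    // DNN discovers IServiceRouteMapper implementations and registers the route.
    public class ItemsRouteMapper : IServiceRouteMapper
    {
        public void RegisterRoutes(IMapRoute mapRouteManager)
        {
            mapRouteManager.MapHttpRoute("MyModule", "default",
                "{controller}/{action}", new[] { "MyCompany.MyModule.Services" });
        }
    }
}

// In the module view's Page_Load, so DNN emits the anti-forgery token and the
// ServicesFramework script; on the client, $.ServicesFramework(moduleId)
// .setModuleHeaders(xhr) then sends the token and module headers with each call:
//   DotNetNuke.Framework.ServicesFramework.Instance.RequestAjaxAntiForgerySupport();
```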
Insecure Direct Object References
IDOR Continued…
Example
IDOR Continued…
• Use the built-in Folder and File Manager.
• Avoid using user input when selecting a file.
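The two bullets above, as an added example that is not part of the deck: a module download handler before and after the fix, using DNN's `FileManager`, `FolderManager` and `FolderPermissionController`. The query-string parameter names and the `Download` control are assumptions.

```csharp
// Added example, not from the deck: a module download handler before and after
// the two IDOR bullets. The "file"/"fileid" parameters and the Download control
// are hypothetical; the DNN file-system and permission APIs are real.
using System;
using System.IO;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Security.Permissions;
using DotNetNuke.Services.FileSystem;

public partial class Download : PortalModuleBase
{
    // Vulnerable: the user names the file and the name is joined onto a physical
    // path. The reference is the resource itself, so any file under the portal
    // folder can be requested and no DNN permission check ever runs.
    private void SendUnsafe(string requestedName)
    {
        string path = Server.MapPath("~/Portals/" + PortalId + "/" + requestedName);
        Response.ContentType = "application/octet-stream";
        Response.WriteFile(path);
        Response.End();
    }

    // Hardened: the client sends only a numeric file id; the file is resolved
    // through DNN's File Manager, checked to belong to this portal, and its
    // folder's view permission is enforced before a byte is written.
    private void SendSafe(int fileId)
    {
        IFileInfo file = FileManager.Instance.GetFile(fileId);
        if (file == null || file.PortalId != PortalId)
        {
            Response.StatusCode = 404;   // same answer whether the id is unknown or foreign
            Response.End();
            return;
        }

        IFolderInfo folder = FolderManager.Instance.GetFolder(file.FolderId);
        if (folder == null || !FolderPermissionController.CanViewFolder((FolderInfo)folder))
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        Response.ContentType = file.ContentType;
        Response.AppendHeader("Content-Disposition",
            "attachment; filename=\"" + file.FileName.Replace("\"", "") + "\"");
        using (Stream content = FileManager.Instance.GetContentStream(file))
        {
            content.CopyTo(Response.OutputStream);
        }
        Response.End();
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        int fileId;
        if (int.TryParse(Request.QueryString["fileid"], out fileId))
            SendSafe(fileId);
        else
            Response.StatusCode = 400;
    }
}
```

If the module serves one fixed file, store its FileId in the module settings when the editor configures it and read `Settings["FileId"]` instead of the query string, which removes user input from the selection entirely.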
Available on GitHub & Slideshare
• https://github.com/JoshuaBradley/DnnVulner
• http://www.slideshare.net/JoshuaBradley/dnn
Questions
@JRBradley1
Resources
• http://www.troyhunt.com/2012/12/stored-pr
• https://www.owasp.org/index.php/Main_Page
• http://www.jwaffinityit.com/Portals/28/Docum
Resources
• https://msdn.microsoft.com/en-us/libr
aspx
• https://weblog.west-wind.com/posts/2012/Ju
• http://www.computerweekly.com/tip/Cross-s
Resources
• http://resources.infosecinstitute.com/d
/
• https://www.sql-programmers.com/sql-injecti
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
Resources
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender
