@DNNCon Don’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer
Engage Software
@JRBradley1
THANKS TO ALL OF OUR GENEROUS SPONSORS!
Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
Introduction
• https://www.owasp.org/index.php/OW
• http://www.dnnsoftware.com/wiki/ana
Cross Site Scripting
XSS Continued…
XSS Continued…
Example 1
XSS Continued…
XSS Continued…
Example 2
XSS Continued…
• HTML-encode output when the field does not need to carry HTML.
• Use an anti-XSS library when you must accept HTML from user input.
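The two rules above in a DNN Web Forms module control, as an added example that is not part of the talk: the same stored comment rendered raw, rendered HTML-encoded, and sanitized on input. The control name `litComment`, the class name and the use of the Microsoft AntiXSS `Sanitizer` alongside DNN's `PortalSecurity.InputFilter` are my assumptions, not the speaker's code.

```csharp
// Added example (not from the talk): a DNN Web Forms module control that stores and
// shows a user comment. Control, class and method names are hypothetical.
using System.Web;
using System.Web.UI.WebControls;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Security;
using Microsoft.Security.Application;   // Microsoft AntiXSS library (AntiXssLibrary package)

public partial class ViewComments : PortalModuleBase
{
    protected Literal litComment;   // hypothetical control declared in the .ascx

    // VULNERABLE: the stored value goes into the page unchanged, so a comment that
    // contains "<script>…</script>" is executed in every later visitor's browser.
    public void RenderUnsafe(string storedComment)
    {
        litComment.Text = storedComment;
    }

    // FIXED for plain-text fields (slide: "HTML-encode when not needing HTML"):
    // '<', '>', '&' and quotes become entities, so the browser shows them as text
    // and never interprets them as markup.
    public void RenderAsText(string storedComment)
    {
        litComment.Text = HttpUtility.HtmlEncode(storedComment);
    }

    // FIXED for rich-text fields (slide: "use an anti-XSS library when you must accept
    // HTML"): sanitize once on the way in and persist the cleaned markup, never the raw
    // submission. Two passes are shown; either library alone is the common choice.
    public static string SanitizeRichText(string userHtml)
    {
        // Microsoft AntiXSS keeps an allow-list of safe tags and attributes and drops the rest.
        string safe = Sanitizer.GetSafeHtmlFragment(userHtml);
        // DNN's own filter removes scripting constructs (script tags, event handlers, javascript: URLs).
        return new PortalSecurity().InputFilter(safe, PortalSecurity.FilterFlag.NoScripting);
    }
}
```

Encoding belongs at the point of output and sanitizing at the point of input; doing only one of them for a field that is later rendered in a different context (attribute, JavaScript string) is the usual way an XSS slips through.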
SQL Injection
SQLi Continued…
Example
SQLi Continued…
• Never do string concatenation with SQL.
• Use an ORM or a parameterized stored procedure.
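Both recommendations side by side with the concatenation they replace, as an added example that is not code from the talk: a module search written three ways against DNN's data layer. The table class `Item`, the table `MyModule_Items` and the stored procedure `MyModule_GetItems` are hypothetical names; the `DataProvider` and DAL2 (`DataContext`/`IRepository`) APIs are DNN 7's own.

```csharp
// Added example (not from the talk): searching a module's items by a user-supplied term.
// Assumes DNN 7+ with DAL2; table, procedure and class names are hypothetical.
using System.Collections.Generic;
using System.Data;
using DotNetNuke.ComponentModel.DataAnnotations;
using DotNetNuke.Data;

[TableName("MyModule_Items")]
[PrimaryKey("ItemId")]
public class Item
{
    public int ItemId { get; set; }
    public int ModuleId { get; set; }
    public string Title { get; set; }
}

public class ItemRepository
{
    // VULNERABLE (slide: "never do string concatenation with SQL"): the term is pasted
    // into the statement text, so a single quote in it ends the literal and whatever
    // follows is parsed as SQL. The database cannot tell data from code here.
    public IDataReader SearchUnsafe(int moduleId, string term)
    {
        string sql = "SELECT ItemId, ModuleId, Title FROM MyModule_Items " +
                     "WHERE ModuleId = " + moduleId + " AND Title LIKE '%" + term + "%'";
        return DataProvider.Instance().ExecuteSQL(sql);
    }

    // FIXED with the ORM (DAL2 / PetaPoco): @0 and @1 are bound as parameters, so the
    // statement text is fixed and the term is always treated as a value.
    public IEnumerable<Item> SearchWithOrm(int moduleId, string term)
    {
        using (IDataContext ctx = DataContext.Instance())
        {
            IRepository<Item> repo = ctx.GetRepository<Item>();
            // Find materializes the result, so returning it after the context is disposed is safe.
            return repo.Find("WHERE ModuleId = @0 AND Title LIKE @1", moduleId, "%" + term + "%");
        }
    }

    // FIXED with a parameterized stored procedure: the values travel as SqlParameters
    // and the only SQL text lives inside MyModule_GetItems(@ModuleId, @Term).
    public IDataReader SearchWithProcedure(int moduleId, string term)
    {
        return DataProvider.Instance().ExecuteReader("MyModule_GetItems", moduleId, term);
    }
}
```

A quick review check for either safe form: the SQL string must contain no `+` with a variable in it; if it does, the parameter is not doing its job.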
Cross Site Request Forgery
CSRF Continued…
Example
CSRF Continued…
• Use HttpPost
• ValidateAntiForgery
• Never allow access from any host
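The first two bullets applied to a DNN Web API (Services Framework) controller, as an added example that is not code from the talk: a state-changing action exposed over GET beside the same action restricted to POST with DNN's anti-forgery token. The controller, route and setting names are hypothetical; `DnnApiController`, `[ValidateAntiForgeryToken]`, `[DnnModuleAuthorize]` and `ModuleController.Instance.UpdateModuleSetting` are DNN's own (DNN 7.3 or later assumed).

```csharp
// Added example (not from the talk): a DNN Web API endpoint that saves a module setting.
// Controller, route and setting names are hypothetical; the attributes are DNN's.
using System.Net;
using System.Net.Http;
using System.Web.Http;
using DotNetNuke.Entities.Modules;
using DotNetNuke.Security;
using DotNetNuke.Web.Api;

namespace MyModule.Services
{
    public class SaveRequest
    {
        public string Title { get; set; }
    }

    public class SettingsController : DnnApiController
    {
        // VULNERABLE: a GET that changes state is triggered by any page the logged-in
        // user happens to visit (an <img> pointing at it is enough). The browser attaches
        // the DNN authentication cookie by itself, so the permission check passes.
        [HttpGet]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
        public HttpResponseMessage SaveUnsafe(string title)
        {
            ModuleController.Instance.UpdateModuleSetting(ActiveModule.ModuleID, "Title", title);
            return Request.CreateResponse(HttpStatusCode.OK);
        }

        // FIXED (slides: "Use HttpPost", "ValidateAntiForgery"):
        //  - [HttpPost] keeps plain navigations and image/script loads from reaching it;
        //  - [ValidateAntiForgeryToken] rejects any request whose RequestVerificationToken
        //    header does not match the session's cookie. The module's own script gets that
        //    header from DNN's ServicesFramework ($.ServicesFramework(moduleId).setModuleHeaders);
        //    a page on another origin cannot read it, so it cannot forge the call;
        //  - [DnnModuleAuthorize] still enforces the module's Edit permission.
        [HttpPost]
        [ValidateAntiForgeryToken]
        [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.Edit)]
        public HttpResponseMessage Save(SaveRequest body)
        {
            if (body == null || string.IsNullOrWhiteSpace(body.Title))
            {
                return Request.CreateResponse(HttpStatusCode.BadRequest, "Title is required");
            }
            ModuleController.Instance.UpdateModuleSetting(ActiveModule.ModuleID, "Title", body.Title.Trim());
            return Request.CreateResponse(HttpStatusCode.OK);
        }
    }

    // Route registration; DNN then exposes the controller under
    // /DesktopModules/MyModule/API/Settings/{action}.
    public class SettingsRouteMapper : IServiceRouteMapper
    {
        public void RegisterRoutes(IMapRoute mapRouteManager)
        {
            mapRouteManager.MapHttpRoute("MyModule", "default", "{controller}/{action}",
                                         new[] { "MyModule.Services" });
        }
    }
}
```

A useful test while reviewing a module is to call each POST endpoint without the `RequestVerificationToken` header and confirm it is refused; a 200 there means the attribute is missing.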
Insecure Direct Object References
IDOR Continued…
Example
IDOR Continued…
• Use the built-in Folder and File Manager.
• Avoid using user input when selecting a file.
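Both bullets in one download endpoint, as an added example that is not code from the talk: a handler that builds a path from a caller-supplied name beside one that resolves a file id through DNN's `FileManager`/`FolderManager` and checks the folder's view permission. The controller and action names are hypothetical; the DNN file-system and permission APIs are the platform's own (DNN 7+ assumed).

```csharp
// Added example (not from the talk): serving a file from a DNN Web API controller.
// Controller and action names are hypothetical; the DNN APIs are real.
using System.IO;
using System.Net;
using System.Net.Http;
using System.Net.Http.Headers;
using System.Web.Http;
using DotNetNuke.Security;
using DotNetNuke.Security.Permissions;
using DotNetNuke.Services.FileSystem;
using DotNetNuke.Web.Api;

public class DownloadController : DnnApiController
{
    // VULNERABLE (slide: "avoid using user input when selecting a file"): the caller names
    // the file, so a relative path can reach anything under the site root, and no DNN
    // folder permission is consulted at all.
    [HttpGet]
    public HttpResponseMessage GetUnsafe(string name)
    {
        string path = Path.Combine(PortalSettings.HomeDirectoryMapPath, name);
        var response = Request.CreateResponse(HttpStatusCode.OK);
        response.Content = new StreamContent(File.OpenRead(path));
        return response;
    }

    // FIXED (slide: "use the built-in Folder and File Manager"): the request carries only a
    // file id; DNN resolves it, the id is confined to the current portal, and the folder's
    // View permission for the current user is checked before any content is returned.
    // Unknown, foreign or forbidden ids all answer 404, so ids cannot be walked to reach
    // other users' files.
    [HttpGet]
    [DnnModuleAuthorize(AccessLevel = SecurityAccessLevel.View)]
    public HttpResponseMessage Get(int fileId)
    {
        IFileInfo file = FileManager.Instance.GetFile(fileId);
        if (file == null || file.PortalId != PortalSettings.PortalId)
        {
            return Request.CreateResponse(HttpStatusCode.NotFound);
        }

        IFolderInfo folder = FolderManager.Instance.GetFolder(file.FolderId);
        if (folder == null || !FolderPermissionController.CanViewFolder((FolderInfo)folder))
        {
            return Request.CreateResponse(HttpStatusCode.NotFound);
        }

        var response = Request.CreateResponse(HttpStatusCode.OK);
        response.Content = new StreamContent(FileManager.Instance.GetFileContent(file));
        response.Content.Headers.ContentType = new MediaTypeHeaderValue(file.ContentType);
        return response;
    }
}
```

The permission check is the part that makes this more than a lookup: resolving an id through the File Manager but skipping `CanViewFolder` would still let any logged-in user fetch any file by id.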
Available on GitHub & Slideshare
• https://github.com/JoshuaBradley/DnnVulner
• http://www.slideshare.net/JoshuaBradley/dnn
Questions
@JRBradley1
Resources
• http://www.troyhunt.com/2012/12/stored-pr
• https://www.owasp.org/index.php/Main_Page
• http://www.jwaffinityit.com/Portals/28/Docum
Resources
• https://msdn.microsoft.com/en-us/libr aspx
• https://weblog.west-wind.com/posts/2012/Ju
• http://www.computerweekly.com/tip/Cross-s
Resources
• http://resources.infosecinstitute.com/d /
• https://www.sql-programmers.com/sql-injecti
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
Resources
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender
Dnn Con Baltimore Security Flaws