1. @DNNCon Don’t forget to include #DNNCon in your tweets!
Are There Security Flaws in Your Modules?
Joshua Bradley / Web Developer
Engage Software
@JRBradley1
2. THANKS TO ALL OF OUR GENEROUS SPONSORS!
3. Agenda
• Introduction
• Cross Site Scripting
• SQL Injection
• Cross Site Request Forgery
• Insecure Direct Object References
• Q & A
4. Introduction
• https://www.owasp.org/index.php/OW
• http://www.dnnsoftware.com/wiki/ana
10. XSS Continued…
• HTML encode output when you do not need to render HTML.
• Use the Anti-XSS library when you need to accept HTML from user input.
13. SQLi Continued…
• Never do string concatenation with SQL.
• Use an ORM or a parameterized stored procedure.
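As an added example (not code from the slides or from the repository they link), here is the concatenated query the slide warns against beside the parameterized query and stored-procedure call it recommends, written in plain ADO.NET. The Contacts table, the @LastName parameter and the dbo.Contacts_GetByLastName procedure are assumed names.

```csharp
using System.Data;
using System.Data.SqlClient;

public static class ContactRepository
{
    // Vulnerable: the user-supplied value becomes part of the SQL text, so the
    // database parses it as SQL. A plain value like O'Brien already breaks the
    // query; a crafted value changes what the query does.
    public static string BuildUnsafeQuery(string lastName)
    {
        return "SELECT ContactId, FirstName, LastName FROM Contacts WHERE LastName = '"
               + lastName + "'";
    }

    // Hardened: the SQL text is a constant and the value travels as a typed
    // parameter, so whatever the input contains is treated as data, never as SQL.
    public static DataTable FindByLastName(string connectionString, string lastName)
    {
        const string sql =
            "SELECT ContactId, FirstName, LastName FROM Contacts WHERE LastName = @LastName";
        var table = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand(sql, connection))
        {
            // Declaring the type and length also rejects oversized input up front.
            command.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = lastName;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);
            }
        }
        return table;
    }

    // The same lookup through a parameterized stored procedure (assumed name),
    // which is the other option the slide recommends. Note that a procedure is
    // only safe if it does not itself concatenate its parameters into dynamic SQL.
    public static DataTable FindByLastNameViaProcedure(string connectionString, string lastName)
    {
        var table = new DataTable();
        using (var connection = new SqlConnection(connectionString))
        using (var command = new SqlCommand("dbo.Contacts_GetByLastName", connection))
        {
            command.CommandType = CommandType.StoredProcedure;
            command.Parameters.Add("@LastName", SqlDbType.NVarChar, 100).Value = lastName;
            using (var adapter = new SqlDataAdapter(command))
            {
                adapter.Fill(table);
            }
        }
        return table;
    }
}
```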
19. IDOR Continued…
• Use the built-in Folder and File Manager.
• Avoid using user input when selecting a file.
20. Available on GitHub & Slideshare
• https://github.com/JoshuaBradley/DnnVulner
• http://www.slideshare.net/JoshuaBradley/dnn
22. Resources
• http://www.troyhunt.com/2012/12/stored-pr
• https://www.owasp.org/index.php/Main_Page
• http://www.jwaffinityit.com/Portals/28/Docum
23. Resources
• https://msdn.microsoft.com/en-us/libr
aspx
• https://weblog.west-wind.com/posts/2012/Ju
• http://www.computerweekly.com/tip/Cross-s
24. Resources
• http://resources.infosecinstitute.com/d
/
• https://www.sql-programmers.com/sql-injecti
• https://msdn.microsoft.com/en-us/library/bb386929.aspx
• https://msdn.microsoft.com/en-us/library/cc716760.aspx
25. Resources
• http://www.troyhunt.com/2013/07/everything-you-wanted-to-know-about-sql.html
• https://github.com/malcomvetter/WidgetSender