SlideShare a Scribd company logo

Dnn Con Baltimore Security Flaws

Download as PPT, PDF
J
Joshua Bradley

Talk for DNN Con baltimore where I talk about possible security flaws inside custom DNN modules.

Software
1 of 25
@DNNConDon’t forget to include #DNNCon in your tweets! Are There Security Flaws in Your Modules? Joshua Bradley / Web Developer Engage Software @JRBradley1
@DNNConDon’t forget to include #DNNCon in your tweets! THANKS TO ALL OF OUR GENEROUS SPONSORS!
@DNNConDon’t forget to include #DNNCon in your tweets! Agenda • Introduction • Cross Site Scripting • SQL Injection • Cross Site Request Forgery • Insecure Direct Object References • Q & A
@DNNConDon’t forget to include #DNNCon in your tweets! Introduction • https://www.owasp.org/index.php/OW • http://www.dnnsoftware.com/wiki/ana
@DNNConDon’t forget to include #DNNCon in your tweets! Cross Site Scripting
@DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued…
@DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued… Example 1
@DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued…
@DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued… Example 2
@DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued… • Html Encode when not needing HTML • Use Anti XSS library when needing to accept HTML from user input.
@DNNConDon’t forget to include #DNNCon in your tweets! SQL Injection
@DNNConDon’t forget to include #DNNCon in your tweets! SQLi Continued… Example
@DNNConDon’t forget to include #DNNCon in your tweets! SQLi Continued… • Never do string concatenation with SQL. • Use an ORM or Parameterized Stored Procedure.
@DNNConDon’t forget to include #DNNCon in your tweets! Cross Site Request Forgery
@DNNConDon’t forget to include #DNNCon in your tweets! CSRF Continued… Example
@DNNConDon’t forget to include #DNNCon in your tweets! CSRF Continued… • Use HttpPost • ValidateAntiForgery • Never Allow Access from any host
@DNNConDon’t forget to include #DNNCon in your tweets! Insecure Direct Object References
@DNNConDon’t forget to include #DNNCon in your tweets! IDOR Continued… Example
@DNNConDon’t forget to include #DNNCon in your tweets! IDOR Continued… • Use built in Folder and File Manager. • Avoid using user input when selecting file.
@DNNConDon’t forget to include #DNNCon in your tweets! Available on GitHub & Slideshare • https:// github.com/JoshuaBradley/DnnVulner • http:// www.slideshare.net/JoshuaBradley/dnn
@DNNConDon’t forget to include #DNNCon in your tweets! Questions @JRBradley1
@DNNConDon’t forget to include #DNNCon in your tweets! Resources • http:// www.troyhunt.com/2012/12/stored-pr • https:// www.owasp.org/index.php/Main_Page • http:// www.jwaffinityit.com/Portals/28/Docum
@DNNConDon’t forget to include #DNNCon in your tweets! Resources • https://msdn.microsoft.com/en-us/libr aspx • https:// weblog.west-wind.com/posts/2012/Ju • http:// www.computerweekly.com/tip/Cross-s
@DNNConDon’t forget to include #DNNCon in your tweets! Resources • http://resources.infosecinstitute.com/d / • https:// www.sql-programmers.com/sql-injecti • https://msdn.microsoft.com/en- us/library/bb386929.aspx • https://msdn.microsoft.com/en- us/library/cc716760.aspx
@DNNConDon’t forget to include #DNNCon in your tweets! Resources • http://www.troyhunt.com/2013/ 07/everything-you-wanted-to- know-about-sql.html • https://github.com/malcomvett er/WidgetSender

Recommended

Androidtraining
AndroidtrainingAndroidtraining
AndroidtrainingIzzet Kerem Kusmezer
 
Lagos de croacia
Lagos de croaciaLagos de croacia
Lagos de croaciaPalomagarcia94
 
2 bambú
2 bambú2 bambú
2 bambúLizet Sánchez
 
директори
директоридиректори
директориNataKvasha
 
ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...
ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...
ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...Thongkum Virut
 
Huong dan su dung canon 40016
Huong dan su dung canon 40016Huong dan su dung canon 40016
Huong dan su dung canon 40016Duy Vọng
 
Rush the janazah
Rush the janazahRush the janazah
Rush the janazahFAHIM AKTHAR ULLAL
 
Ch505
Ch505Ch505
Ch505Phi Phi
 

Recommended

Androidtraining
AndroidtrainingAndroidtraining
AndroidtrainingIzzet Kerem Kusmezer
 
Lagos de croacia
Lagos de croaciaLagos de croacia
Lagos de croaciaPalomagarcia94
 
2 bambú
2 bambú2 bambú
2 bambúLizet Sánchez
 
директори
директоридиректори
директориNataKvasha
 
ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...
ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...
ในประเทศไทยถ้าพูดถึงเรื่องที่ดิน มีเรื่องเดียว คือ การปฏิรูปที่ดินทั่วประเทศ ...Thongkum Virut
 
Huong dan su dung canon 40016
Huong dan su dung canon 40016Huong dan su dung canon 40016
Huong dan su dung canon 40016Duy Vọng
 
Rush the janazah
Rush the janazahRush the janazah
Rush the janazahFAHIM AKTHAR ULLAL
 
Ch505
Ch505Ch505
Ch505Phi Phi
 
DNNcon 2016: Are There Security Flaws in Your DNN Modules?
DNNcon 2016: Are There Security Flaws in Your DNN Modules?DNNcon 2016: Are There Security Flaws in Your DNN Modules?
DNNcon 2016: Are There Security Flaws in Your DNN Modules?Engage Software
 
Reactive extensions (rx js) in dnn
Reactive extensions (rx js) in dnnReactive extensions (rx js) in dnn
Reactive extensions (rx js) in dnnjsheely83
 
DNN Web API For Mobile
DNN Web API For MobileDNN Web API For Mobile
DNN Web API For Mobileashishpd
 
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...Engage Software
 
Continuous Integration With Windows Azure Pack
Continuous Integration With Windows Azure PackContinuous Integration With Windows Azure Pack
Continuous Integration With Windows Azure PackJess Coburn
 
Search features and architecture in DNN 7.1
Search features and architecture in DNN 7.1Search features and architecture in DNN 7.1
Search features and architecture in DNN 7.1ashishpd
 
Winning Customer Engagement with Gamification
Winning Customer Engagement with GamificationWinning Customer Engagement with Gamification
Winning Customer Engagement with GamificationCara Pluff
 
Dnn con palm_beach_template
Dnn con palm_beach_templateDnn con palm_beach_template
Dnn con palm_beach_templatePhilipp Becker
 
Creating URL Providers for your Custom Extensions
Creating URL Providers for your Custom ExtensionsCreating URL Providers for your Custom Extensions
Creating URL Providers for your Custom ExtensionsEngage Software
 
Programming Your Way into Designers Hearts 20100924
Programming Your Way into Designers Hearts 20100924Programming Your Way into Designers Hearts 20100924
Programming Your Way into Designers Hearts 20100924Will Strohl
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...JAXLondon2014
 
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"Daniel Bryant
 
Mind Your lang — Accessibility Camp Toronto 2016
Mind Your lang — Accessibility Camp Toronto 2016Mind Your lang — Accessibility Camp Toronto 2016
Mind Your lang — Accessibility Camp Toronto 2016Adrian Roselli
 
Creating multillingual apps for android
Creating multillingual apps for androidCreating multillingual apps for android
Creating multillingual apps for androidSergi Martínez
 
Web components the future is here
Web components the future is hereWeb components the future is here
Web components the future is hereGil Fink
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDDaniel Garcia (a.k.a cr0hn)
 
Pushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
Pushing the DNN Envelope - A Journey Through Some Really Creative Use CasesPushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
Pushing the DNN Envelope - A Journey Through Some Really Creative Use CasesDavid Poindexter
 
Plugins on word press
Plugins on word pressPlugins on word press
Plugins on word pressKoombea
 
But there is no web component for that - Web Components Remote Conference - 2...
But there is no web component for that - Web Components Remote Conference - 2...But there is no web component for that - Web Components Remote Conference - 2...
But there is no web component for that - Web Components Remote Conference - 2...Horacio Gonzalez
 
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 

More Related Content

Similar to Dnn Con Baltimore Security Flaws

DNNcon 2016: Are There Security Flaws in Your DNN Modules?
DNNcon 2016: Are There Security Flaws in Your DNN Modules?DNNcon 2016: Are There Security Flaws in Your DNN Modules?
DNNcon 2016: Are There Security Flaws in Your DNN Modules?Engage Software
 
Reactive extensions (rx js) in dnn
Reactive extensions (rx js) in dnnReactive extensions (rx js) in dnn
Reactive extensions (rx js) in dnnjsheely83
 
DNN Web API For Mobile
DNN Web API For MobileDNN Web API For Mobile
DNN Web API For Mobileashishpd
 
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...Engage Software
 
Continuous Integration With Windows Azure Pack
Continuous Integration With Windows Azure PackContinuous Integration With Windows Azure Pack
Continuous Integration With Windows Azure PackJess Coburn
 
Search features and architecture in DNN 7.1
Search features and architecture in DNN 7.1Search features and architecture in DNN 7.1
Search features and architecture in DNN 7.1ashishpd
 
Winning Customer Engagement with Gamification
Winning Customer Engagement with GamificationWinning Customer Engagement with Gamification
Winning Customer Engagement with GamificationCara Pluff
 
Dnn con palm_beach_template
Dnn con palm_beach_templateDnn con palm_beach_template
Dnn con palm_beach_templatePhilipp Becker
 
Creating URL Providers for your Custom Extensions
Creating URL Providers for your Custom ExtensionsCreating URL Providers for your Custom Extensions
Creating URL Providers for your Custom ExtensionsEngage Software
 
Programming Your Way into Designers Hearts 20100924
Programming Your Way into Designers Hearts 20100924Programming Your Way into Designers Hearts 20100924
Programming Your Way into Designers Hearts 20100924Will Strohl
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web ApplicationsSasha Goldshtein
 
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...JAXLondon2014
 
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"Daniel Bryant
 
Mind Your lang — Accessibility Camp Toronto 2016
Mind Your lang — Accessibility Camp Toronto 2016Mind Your lang — Accessibility Camp Toronto 2016
Mind Your lang — Accessibility Camp Toronto 2016Adrian Roselli
 
Creating multillingual apps for android
Creating multillingual apps for androidCreating multillingual apps for android
Creating multillingual apps for androidSergi Martínez
 
Web components the future is here
Web components the future is hereWeb components the future is here
Web components the future is hereGil Fink
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDDaniel Garcia (a.k.a cr0hn)
 
Pushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
Pushing the DNN Envelope - A Journey Through Some Really Creative Use CasesPushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
Pushing the DNN Envelope - A Journey Through Some Really Creative Use CasesDavid Poindexter
 
Plugins on word press
Plugins on word pressPlugins on word press
Plugins on word pressKoombea
 
But there is no web component for that - Web Components Remote Conference - 2...
But there is no web component for that - Web Components Remote Conference - 2...But there is no web component for that - Web Components Remote Conference - 2...
But there is no web component for that - Web Components Remote Conference - 2...Horacio Gonzalez
 

Similar to Dnn Con Baltimore Security Flaws (20)

DNNcon 2016: Are There Security Flaws in Your DNN Modules?
DNNcon 2016: Are There Security Flaws in Your DNN Modules?DNNcon 2016: Are There Security Flaws in Your DNN Modules?
DNNcon 2016: Are There Security Flaws in Your DNN Modules?
 
Reactive extensions (rx js) in dnn
Reactive extensions (rx js) in dnnReactive extensions (rx js) in dnn
Reactive extensions (rx js) in dnn
 
DNN Web API For Mobile
DNN Web API For MobileDNN Web API For Mobile
DNN Web API For Mobile
 
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
Analytics In, Analytics Out: Using Google Analytics to Guide and Grade Web Pr...
 
Continuous Integration With Windows Azure Pack
Continuous Integration With Windows Azure PackContinuous Integration With Windows Azure Pack
Continuous Integration With Windows Azure Pack
 
Search features and architecture in DNN 7.1
Search features and architecture in DNN 7.1Search features and architecture in DNN 7.1
Search features and architecture in DNN 7.1
 
Winning Customer Engagement with Gamification
Winning Customer Engagement with GamificationWinning Customer Engagement with Gamification
Winning Customer Engagement with Gamification
 
Dnn con palm_beach_template
Dnn con palm_beach_templateDnn con palm_beach_template
Dnn con palm_beach_template
 
Creating URL Providers for your Custom Extensions
Creating URL Providers for your Custom ExtensionsCreating URL Providers for your Custom Extensions
Creating URL Providers for your Custom Extensions
 
Programming Your Way into Designers Hearts 20100924
Programming Your Way into Designers Hearts 20100924Programming Your Way into Designers Hearts 20100924
Programming Your Way into Designers Hearts 20100924
 
Attacking Web Applications
Attacking Web ApplicationsAttacking Web Applications
Attacking Web Applications
 
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
Moving to a DevOps mode - easy, hard or just plain terrifying? - Daniel Bryan...
 
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
JAX London 2014 "Moving to DevOps Mode: easy, hard or just plain terrifying?"
 
Mind Your lang — Accessibility Camp Toronto 2016
Mind Your lang — Accessibility Camp Toronto 2016Mind Your lang — Accessibility Camp Toronto 2016
Mind Your lang — Accessibility Camp Toronto 2016
 
Creating multillingual apps for android
Creating multillingual apps for androidCreating multillingual apps for android
Creating multillingual apps for android
 
Web components the future is here
Web components the future is hereWeb components the future is here
Web components the future is here
 
Rooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CDRooted con 2020 - from the heaven to hell in the CI - CD
Rooted con 2020 - from the heaven to hell in the CI - CD
 
Pushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
Pushing the DNN Envelope - A Journey Through Some Really Creative Use CasesPushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
Pushing the DNN Envelope - A Journey Through Some Really Creative Use Cases
 
Plugins on word press
Plugins on word pressPlugins on word press
Plugins on word press
 
But there is no web component for that - Web Components Remote Conference - 2...
But there is no web component for that - Web Components Remote Conference - 2...But there is no web component for that - Web Components Remote Conference - 2...
But there is no web component for that - Web Components Remote Conference - 2...
 

Recently uploaded

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...MyIntelliSource, Inc.
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Modelsaagamshah0812
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Steffen Staab
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVshikhaohhpro
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdfWave PLM
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providermohitmore19
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...panagenda
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsArshad QA
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...kellynguyen01
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️anilsa9823
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxbodapatigopi8531
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AIABDERRAOUF MEHENNI
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionSolGuruz
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsAndolasoft Inc
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfkalichargn70th171
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️Delhi Call girls
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfkalichargn70th171
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceanilsa9823
 

Recently uploaded (20)

Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
Try MyIntelliAccount Cloud Accounting Software As A Service Solution Risk Fre...
 
Unlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language ModelsUnlocking the Future of AI Agents with Large Language Models
Unlocking the Future of AI Agents with Large Language Models
 
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
Shapes for Sharing between Graph Data Spaces - and Epistemic Querying of RDF-...
 
Optimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTVOptimizing AI for immediate response in Smart CCTV
Optimizing AI for immediate response in Smart CCTV
 
5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf5 Signs You Need a Fashion PLM Software.pdf
5 Signs You Need a Fashion PLM Software.pdf
 
TECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service providerTECUNIQUE: Success Stories: IT Service provider
TECUNIQUE: Success Stories: IT Service provider
 
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
W01_panagenda_Navigating-the-Future-with-The-Hitchhikers-Guide-to-Notes-and-D...
 
Software Quality Assurance Interview Questions
Software Quality Assurance Interview QuestionsSoftware Quality Assurance Interview Questions
Software Quality Assurance Interview Questions
 
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
Short Story: Unveiling the Reasoning Abilities of Large Language Models by Ke...
 
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
CALL ON ➥8923113531 🔝Call Girls Kakori Lucknow best sexual service Online ☂️
 
Hand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptxHand gesture recognition PROJECT PPT.pptx
Hand gesture recognition PROJECT PPT.pptx
 
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AISyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
SyndBuddy AI 2k Review 2024: Revolutionizing Content Syndication with AI
 
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICECHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
CHEAP Call Girls in Pushp Vihar (-DELHI )🔝 9953056974🔝(=)/CALL GIRLS SERVICE
 
Diamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with PrecisionDiamond Application Development Crafting Solutions with Precision
Diamond Application Development Crafting Solutions with Precision
 
How To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.jsHow To Use Server-Side Rendering with Nuxt.js
How To Use Server-Side Rendering with Nuxt.js
 
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdfThe Ultimate Test Automation Guide_ Best Practices and Tips.pdf
The Ultimate Test Automation Guide_ Best Practices and Tips.pdf
 
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
call girls in Vaishali (Ghaziabad) 🔝 >༒8448380779 🔝 genuine Escort Service 🔝✔️✔️
 
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdfLearn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
Learn the Fundamentals of XCUITest Framework_ A Beginner's Guide.pdf
 
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female serviceCALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
CALL ON ➥8923113531 🔝Call Girls Badshah Nagar Lucknow best Female service
 
Microsoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdfMicrosoft AI Transformation Partner Playbook.pdf
Microsoft AI Transformation Partner Playbook.pdf
 

Dnn Con Baltimore Security Flaws

  • 1. @DNNConDon’t forget to include #DNNCon in your tweets! Are There Security Flaws in Your Modules? Joshua Bradley / Web Developer Engage Software @JRBradley1
  • 2. @DNNConDon’t forget to include #DNNCon in your tweets! THANKS TO ALL OF OUR GENEROUS SPONSORS!
  • 3. @DNNConDon’t forget to include #DNNCon in your tweets! Agenda • Introduction • Cross Site Scripting • SQL Injection • Cross Site Request Forgery • Insecure Direct Object References • Q & A
  • 4. @DNNConDon’t forget to include #DNNCon in your tweets! Introduction • https://www.owasp.org/index.php/OW • http://www.dnnsoftware.com/wiki/ana
  • 5. @DNNConDon’t forget to include #DNNCon in your tweets! Cross Site Scripting
  • 6. @DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued…
  • 7. @DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued… Example 1
  • 8. @DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued…
  • 9. @DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued… Example 2
  • 10. @DNNConDon’t forget to include #DNNCon in your tweets! XSS Continued… • Html Encode when not needing HTML • Use Anti XSS library when needing to accept HTML from user input.
  • 11. @DNNConDon’t forget to include #DNNCon in your tweets! SQL Injection
  • 12. @DNNConDon’t forget to include #DNNCon in your tweets! SQLi Continued… Example
  • 13. @DNNConDon’t forget to include #DNNCon in your tweets! SQLi Continued… • Never do string concatenation with SQL. • Use an ORM or Parameterized Stored Procedure.
  • 14. @DNNConDon’t forget to include #DNNCon in your tweets! Cross Site Request Forgery
  • 15. @DNNConDon’t forget to include #DNNCon in your tweets! CSRF Continued… Example
  • 16. @DNNConDon’t forget to include #DNNCon in your tweets! CSRF Continued… • Use HttpPost • ValidateAntiForgery • Never Allow Access from any host
  • 17. @DNNConDon’t forget to include #DNNCon in your tweets! Insecure Direct Object References
  • 18. @DNNConDon’t forget to include #DNNCon in your tweets! IDOR Continued… Example
  • 19. @DNNConDon’t forget to include #DNNCon in your tweets! IDOR Continued… • Use built in Folder and File Manager. • Avoid using user input when selecting file.
  • 20. @DNNConDon’t forget to include #DNNCon in your tweets! Available on GitHub & Slideshare • https:// github.com/JoshuaBradley/DnnVulner • http:// www.slideshare.net/JoshuaBradley/dnn
  • 21. @DNNConDon’t forget to include #DNNCon in your tweets! Questions @JRBradley1
  • 22. @DNNConDon’t forget to include #DNNCon in your tweets! Resources • http:// www.troyhunt.com/2012/12/stored-pr • https:// www.owasp.org/index.php/Main_Page • http:// www.jwaffinityit.com/Portals/28/Docum
  • 23. @DNNConDon’t forget to include #DNNCon in your tweets! Resources • https://msdn.microsoft.com/en-us/libr aspx • https:// weblog.west-wind.com/posts/2012/Ju • http:// www.computerweekly.com/tip/Cross-s
  • 24. @DNNConDon’t forget to include #DNNCon in your tweets! Resources • http://resources.infosecinstitute.com/d / • https:// www.sql-programmers.com/sql-injecti • https://msdn.microsoft.com/en- us/library/bb386929.aspx • https://msdn.microsoft.com/en- us/library/cc716760.aspx
  • 25. @DNNConDon’t forget to include #DNNCon in your tweets! Resources • http://www.troyhunt.com/2013/ 07/everything-you-wanted-to- know-about-sql.html • https://github.com/malcomvett er/WidgetSender