Presentation “Joomla! Security” - http://slideshare.net/yireo
Jisse Reitsma (jisse@yireo.com) - Twitter @yireo
Joomla! security
My name is Jisse Reitsma
Joomla! enthusiast
PHP programmer
Lead developer of Yireo
Joomla! templates-book (NL)
Helping Tibet Support Group
My presentation
Part I - Basics
Part II - Joomla! security
Part III - Advanced things
Part I
Basics of security
Why bother?
Everybody makes mistakes
Joomla! is very popular
... also with hackers
What can happen?
Website defacement
(damage to business image)
Malware installed
(viruses, exploits, zombie-software)
What is security?
SQL injection
POST spoofing
Path traversal; Remote path inclusion
Cross Site Scripting (XSS), CSRF
Session hijacking, cookie theft
Rootkits
Common Joomla! attacks
SQL injection
http://localhost/joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29
XSS vulnerability
Textarea: <script>alert('test');</script>
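The two payloads on this slide also show what to look for in your own logs. The following is an added example, not part of the presentation: a small POSIX shell script that percent-decodes Apache access-log lines and flags requests carrying a UNION SELECT in the query string or a <script tag in a parameter. The log lines are constructed for the demo (192.0.2.x addresses, no real traffic); only awk, grep and sed are assumed.

```shell
#!/bin/sh
# Added example: flag access-log requests that look like the SQL injection
# and XSS payloads from the slide. Constructed sample log, not captured data.

SAMPLE_LOG='192.0.2.10 - - [10/Oct/2013:13:55:36 +0200] "GET /joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29 HTTP/1.1" 200 1234
192.0.2.11 - - [10/Oct/2013:13:56:01 +0200] "GET /joomla/index.php?option=com_content&view=article&id=5 HTTP/1.1" 200 5678
192.0.2.12 - - [10/Oct/2013:13:57:12 +0200] "POST /joomla/index.php?option=com_contact&task=submit HTTP/1.1" 200 321
192.0.2.13 - - [10/Oct/2013:13:58:45 +0200] "GET /joomla/index.php?option=com_users&view=login&return=%3Cscript%3Ealert%28%27test%27%29%3B%3C%2Fscript%3E HTTP/1.1" 200 4321'

# Decode %XX sequences on every stdin line (pure awk, so it works without
# bash-only printf extensions). "+" is left alone on purpose: it also occurs
# in the timezone field of the timestamp.
urldecode() {
    awk '{
        s = $0; out = ""
        while (match(s, /%[0-9A-Fa-f][0-9A-Fa-f]/)) {
            out = out substr(s, 1, RSTART - 1)
            h = toupper(substr(s, RSTART + 1, 2))
            n = (index("0123456789ABCDEF", substr(h, 1, 1)) - 1) * 16 + index("0123456789ABCDEF", substr(h, 2, 1)) - 1
            out = out sprintf("%c", n)
            s = substr(s, RSTART + 3)
        }
        print out s
    }'
}

# Print every decoded line whose request contains a UNION SELECT or a
# <script tag (case-insensitive). Reads the raw log on stdin.
flag_suspicious_requests() {
    urldecode | grep -i -E 'union[[:space:]]+select|<script'
}

# Number of flagged lines; prints 0 (instead of failing) when nothing matches.
count_suspicious_requests() {
    flag_suspicious_requests | grep -c '' || true
}

# Usage on the constructed sample (a real run would be: flag_suspicious_requests < access.log)
printf '%s\n' "$SAMPLE_LOG" | flag_suspicious_requests
```

Decoding before matching matters: the slide's injection URL never contains the literal string "union select", only its %20-separated form, so a grep on the raw log would miss it. The pattern is deliberately narrow (two payload shapes, nothing more); treat hits as a prompt to read the surrounding requests from the same client, not as proof of compromise.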
Part II
Joomla! security
Joomla! security (1)
Strong passwords
Beware of dictionary attacks
At least 8 characters, preferably 16 :)
Joomla! security (2)
Do not pick just any extension
Keep software up-to-date
Joomla! core
Joomla! extensions
Joomla! security (3)
Make sure .htaccess is in place
Rename from “htaccess.txt” to “.htaccess”
Includes quick protection for common attacks
Joomla! security (4)
Create a new Super User
No username “admin”
A MySQL user ID other than 42 or 62
Joomla! security (5)
Backend protection
jSecure, kSecure, BackendToken
Scanning
RsFirewall, jDefender, jHackGuard
Joomla! ACLs (ACLmanager)
Joomla! security (6)
Remove the default META-tag generator
<?php JFactory::getDocument()->setGenerator('whatever'); ?>
Joomla! security (7)
Encrypt Joomla! Administrator access with a (self-generated) SSL certificate
Use SFTP (or SSH) if available, and not FTP
Joomla! security (8)
Remove files you don't need
3rd party templates, 3rd party extensions
Joomla! test setups (and other applications)
CHANGELOG.php, CREDITS.php, INSTALL.php, configuration.php-dist, htaccess.txt, LICENSE.php, LICENSES.php
phpinfo.php
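Slides (3) and (8) are both about the state of the web root: .htaccess has to be in place, and the listed leftover files have to be gone. As an added example (not code from the presentation), the POSIX shell script below audits a Joomla! root for exactly those items and can apply the fix. It builds its own throw-away root in a temporary directory; the file names are the ones from the slides, and the contents of the constructed files are placeholders.

```shell
#!/bin/sh
# Added example: audit and harden a Joomla! web root for the file-level
# items on the slides. Works on a constructed temp directory in the demo.

# Files the slides say should not be on a production site. htaccess.txt is in
# the list because it should have been renamed to .htaccess, not left behind.
LEFTOVER_FILES="CHANGELOG.php CREDITS.php INSTALL.php configuration.php-dist htaccess.txt LICENSE.php LICENSES.php phpinfo.php"

# Print one line per finding for web root $1; prints nothing when clean.
audit_joomla_root() {
    [ -f "$1/.htaccess" ] || echo "MISSING: $1/.htaccess (rename htaccess.txt to .htaccess)"
    for f in $LEFTOVER_FILES; do
        [ -e "$1/$f" ] && echo "REMOVE: $1/$f"
    done
    return 0
}

# Number of findings; prints 0 (instead of failing) when the root is clean.
count_joomla_findings() {
    audit_joomla_root "$1" | grep -c '' || true
}

# Apply the slides' advice: activate the shipped rules by renaming
# htaccess.txt when no .htaccess exists yet, then delete the leftovers.
harden_joomla_root() {
    if [ ! -f "$1/.htaccess" ] && [ -f "$1/htaccess.txt" ]; then
        mv "$1/htaccess.txt" "$1/.htaccess"
    fi
    for f in $LEFTOVER_FILES; do
        rm -f "$1/$f"
    done
}

# Constructed demo root: a fresh-looking install that still carries
# CHANGELOG.php, a stray phpinfo.php and an un-renamed htaccess.txt.
make_demo_root() {
    root=$(mktemp -d)
    mkdir "$root/administrator" "$root/components"
    printf '<?php\n' > "$root/configuration.php"
    printf '<?php\n' > "$root/CHANGELOG.php"
    printf '<?php phpinfo();\n' > "$root/phpinfo.php"
    printf '# default Joomla! rewrite rules (placeholder)\n' > "$root/htaccess.txt"
    echo "$root"
}

# Usage on the constructed root (a real run would pass the site's document root)
demo=$(make_demo_root)
audit_joomla_root "$demo"
harden_joomla_root "$demo"
echo "findings after hardening: $(count_joomla_findings "$demo")"
rm -rf "$demo"
```

Run the audit from cron or after every update: Joomla! upgrades can reintroduce htaccess.txt and the documentation files, so this is a check to repeat, not a one-off. The renamed .htaccess only takes effect if Apache honours it (AllowOverride), which the audit does not verify.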
Joomla! security (9)
Two Factor Authentication
Google Authenticator
Yubikey
Joomla! security (10)
Do not use Joomla! 1.5
Change database table prefix (Admintools)
Do not allow user registration if you don't want it
Apache HTTP authentication for backend
General advice
Be careful with what you install
Versioning system like Git
Always test things first in a testing environment (plg_system_httpauth)
Create backups
Part III
Advanced security
LAMP security
File permissions
Firewall
Apache settings
PHP settings
UNIX file permissions
Basic rules
Three numbers: owner + group + world
4 = read, 2 = write, 1 = execute
644 = read-write for owner; read for group; read for world
Directories must always be executable (755 instead of 644)
Do not use:
666 = read-write for owner; read-write for group; read-write for world
777 (same as 666, but with the execute bit added)
Do use:
644 (files)
755 (directories)
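The 644/755 rule is easy to state and easy to drift away from after an FTP upload or a hasty chmod 777. As an added example (not from the presentation), the POSIX shell script below lists every file or directory under a web root whose mode deviates from the rule and resets the whole tree. It builds a constructed tree in a temporary directory with the two classic mistakes, a 777 upload directory and a 666 configuration.php; only find and chmod are assumed.

```shell
#!/bin/sh
# Added example: find and fix deviations from the 644 (files) / 755
# (directories) rule. Demo tree is constructed in a temp directory.

# Print every path under $1 whose mode is not the expected one.
find_bad_modes() {
    find "$1" -type f ! -perm 644
    find "$1" -type d ! -perm 755
}

# Number of deviating paths; prints 0 (instead of failing) when none.
count_bad_modes() {
    find_bad_modes "$1" | grep -c '' || true
}

# Reset the tree. Directories first, so the traversal itself keeps working
# even when a directory started out without the execute bit.
fix_modes() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Constructed demo tree: images/ is world-writable (777) and
# configuration.php is world-writable (666); everything else is correct.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir "$root/images" "$root/templates"
    : > "$root/index.php"
    : > "$root/configuration.php"
    : > "$root/templates/index.html"
    chmod 755 "$root" "$root/templates"
    chmod 777 "$root/images"
    chmod 644 "$root/index.php" "$root/templates/index.html"
    chmod 666 "$root/configuration.php"
    echo "$root"
}

# Usage on the constructed tree (a real run would pass the document root)
demo=$(make_demo_tree)
echo "before:"; find_bad_modes "$demo"
fix_modes "$demo"
echo "deviations after fix: $(count_bad_modes "$demo")"
rm -rf "$demo"
```

If the web server needs to write somewhere (cache/, tmp/, images/ on some hosts), give that directory to the web-server user with chown rather than widening the mode to 777; the rule from the slide then still holds for the whole tree.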
Firewall
Only allow what you need
HTTP, SSH, FTP, SMTP, DNS
Block everything you don't need
MySQL, IMAP, POP
Check with Nmap
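"Check with Nmap" is the verification step for this slide: scan your own server from outside and compare what answers with what you meant to expose. The following is an added example, not from the presentation: a POSIX shell script that parses nmap's grepable output (the shape produced by `nmap -sT -p- -oG - <host>`) and reports every open TCP port that is not in an allow-list. The scan line is constructed for the demo (no real host was scanned), and the allow-list is an assumption derived from the slide: 443 is added for the SSL-protected administrator, and 21 is kept only because the slide lists FTP.

```shell
#!/bin/sh
# Added example: compare an nmap scan of your own server with the allow-list
# from the slide. Scan output below is constructed, not a real result.

# SSH, SMTP, DNS, HTTP from the slide, plus HTTPS (443, assumption) for the
# SSL-protected administrator. Drop 21 once you have moved from FTP to SFTP.
ALLOWED_PORTS="21 22 25 53 80 443"

# Constructed line in "nmap -oG" format: two expected services plus IMAP and
# MySQL that the slide says should be blocked.
NMAP_GREPABLE='Host: 192.0.2.10 ()  Ports: 22/open/tcp//ssh///, 80/open/tcp//http///, 143/open/tcp//imap///, 3306/open/tcp//mysql///  Ignored State: closed (996)'

# Read nmap -oG lines on stdin; print "port service" for each open TCP port.
# Each entry has the form port/state/proto/owner/service/rpcinfo/version/.
open_tcp_ports() {
    tr ',' '\n' | sed -n 's|.*[^0-9]\([0-9][0-9]*\)/open/tcp//\([^/]*\).*|\1 \2|p'
}

# Read nmap -oG lines on stdin; print the open ports missing from the allow-list.
unexpected_open_ports() {
    open_tcp_ports | while read -r port service; do
        case " $ALLOWED_PORTS " in
            *" $port "*) ;;
            *) echo "$port/tcp ($service) is open but not in the allow-list" ;;
        esac
    done
}

# Usage on the constructed scan (a real run: nmap -sT -p- -oG - host | unexpected_open_ports)
printf '%s\n' "$NMAP_GREPABLE" | unexpected_open_ports
```

Scan from a machine outside your network: a scan from the server itself sees services bound to localhost that the firewall would never let an outsider reach, and misses rules applied upstream. MySQL showing up as open from outside is exactly the case the slide warns about; bind it to 127.0.0.1 and block 3306 at the firewall.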
Apache security
Apache settings
ServerTokens Prod
ServerSignature off
TraceEnable off
Apache modules
mod_rewrite
mod_evasive
mod_antiloris
mod_security2
PHP security (1 of 2)
PHP settings
register_globals = Off
expose_php = Off
safe_mode = Off
magic_quotes = Off
allow_url_include = Off
allow_url_fopen = On???
open_basedir = [yoursite]???
PHP security (2 of 2)
PHP disable_functions
show_source
system, shell_exec, exec, passthru
popen, proc_open
phpinfo
PHP modules
Suhosin
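The Apache and PHP settings on the last three slides are the kind of thing that silently reverts after a distribution upgrade or a php.ini replacement. As an added example that is not part of the presentation, the POSIX shell script below audits a php.ini and an httpd.conf fragment against the values from the slides, including whether disable_functions covers every function the slide names. The config fragments are constructed for the demo in a temporary directory; the slide's shorthand "magic_quotes" is checked as the real directive magic_quotes_gpc, and the two settings the slide marks with "???" (allow_url_fopen, open_basedir) are left out because the slide does not commit to a value.

```shell
#!/bin/sh
# Added example: audit php.ini and Apache settings against the slides.
# The config files below are constructed fragments, not a real server's.

PHP_EXPECTED='register_globals=Off
expose_php=Off
safe_mode=Off
magic_quotes_gpc=Off
allow_url_include=Off'
DANGEROUS_FUNCTIONS="show_source system shell_exec exec passthru popen proc_open phpinfo"
APACHE_EXPECTED='ServerTokens=Prod
ServerSignature=Off
TraceEnable=Off'

# Value of key $2 in ini file $1; the last assignment wins as in php.ini,
# quotes and blanks are stripped. Lines starting with ";" are comments.
ini_get() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tail -n 1 | tr -d ' \t"'
}

# Value of directive $2 in Apache config $1, lower-cased because Apache
# compares directive values case-insensitively.
apache_get() {
    grep -i "^[[:space:]]*$2[[:space:]]" "$1" | tail -n 1 | awk '{ print tolower($2) }'
}

# One line per finding in php.ini $1: wrong values, then missing entries in
# disable_functions.
audit_php_ini() {
    printf '%s\n' "$PHP_EXPECTED" | while IFS='=' read -r key want; do
        have=$(ini_get "$1" "$key")
        [ -z "$have" ] && have="(not set)"
        [ "$have" = "$want" ] || echo "php.ini: $key is $have, want $want"
    done
    disabled=$(ini_get "$1" disable_functions | tr ',' ' ')
    for fn in $DANGEROUS_FUNCTIONS; do
        case " $disabled " in
            *" $fn "*) ;;
            *) echo "php.ini: disable_functions does not include $fn" ;;
        esac
    done
}

# One line per finding in Apache config $1.
audit_apache_conf() {
    printf '%s\n' "$APACHE_EXPECTED" | while IFS='=' read -r directive want; do
        have=$(apache_get "$1" "$directive")
        [ -z "$have" ] && have="(not set)"
        want_lc=$(printf '%s' "$want" | tr 'A-Z' 'a-z')
        [ "$have" = "$want_lc" ] || echo "apache: $directive is $have, want $want"
    done
}

# Constructed fragments with typical gaps: expose_php left on, only four
# functions disabled, ServerTokens/ServerSignature at defaults, TraceEnable unset.
make_demo_configs() {
    dir=$(mktemp -d)
    cat > "$dir/php.ini" <<'EOF'
; constructed php.ini fragment for the demo
register_globals = Off
expose_php = On
safe_mode = Off
magic_quotes_gpc = Off
allow_url_include = Off
disable_functions = system,exec,shell_exec,passthru
EOF
    cat > "$dir/httpd.conf" <<'EOF'
# constructed httpd.conf fragment for the demo
ServerTokens Full
ServerSignature On
EOF
    echo "$dir"
}

# Usage on the constructed fragments (a real run: audit_php_ini /etc/php.ini)
demo=$(make_demo_configs)
audit_php_ini "$demo/php.ini"
audit_apache_conf "$demo/httpd.conf"
rm -rf "$demo"
```

Note that PHP reads several ini files and the web SAPI may use a different one than the CLI, so audit the file `php --ini` or phpinfo() reports for the web server, and keep in mind that a setting missing from php.ini falls back to PHP's built-in default (expose_php, for instance, defaults to On).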
Too late ...
maldet (malware detector)
rkhunter (rootkit hunter)
IDS (intrusion detection system)
Tripwire
Samhain
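Tripwire and Samhain are, at their core, file-integrity monitors: they record a hash of every file while the system is known-good and later report anything modified, added or removed. As an added example (not from the presentation, and not a substitute for either tool), the POSIX shell script below implements that idea for a web root with sha256sum and awk, so the detection logic is visible. It assumes GNU sha256sum and paths without spaces, and builds a constructed site in a temporary directory where it then simulates the three kinds of change an intrusion leaves behind.

```shell
#!/bin/sh
# Added example: minimal file-integrity baseline and check for a web root.
# Assumes sha256sum (GNU coreutils) and no spaces in paths. Demo tree is
# constructed in a temp directory.

# Write "hash  ./relative/path" for every file under $1 into baseline $2,
# sorted so baselines are reproducible and diff-able.
make_baseline() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2) > "$2"
}

# Compare the current tree $1 with baseline $2; one line per difference.
# First awk pass loads the baseline, second pass walks the current listing.
check_baseline() {
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'NR == FNR { base[$2] = $1; next }
         {
             if (!($2 in base))        print "NEW: " $2
             else if (base[$2] != $1)  print "MODIFIED: " $2
             seen[$2] = 1
         }
         END { for (p in base) if (!(p in seen)) print "MISSING: " p }' "$2" "$current"
    rm -f "$current"
}

# Number of differences; prints 0 (instead of failing) when the tree is intact.
count_differences() {
    check_baseline "$1" "$2" | grep -c '' || true
}

# Constructed demo site.
make_demo_site() {
    root=$(mktemp -d)
    mkdir "$root/images"
    printf '<?php echo "home";\n' > "$root/index.php"
    printf '<?php $host = "localhost";\n' > "$root/configuration.php"
    printf 'readme\n' > "$root/README.txt"
    echo "$root"
}

# Simulate what a compromise leaves behind: an edited core file, an
# unexpected PHP file in an upload directory, and a deleted file.
tamper_demo_site() {
    printf '<?php echo "defaced";\n' > "$1/index.php"
    printf '<?php\n' > "$1/images/unexpected.php"
    rm -f "$1/README.txt"
}

# Usage on the constructed site (a real run keeps the baseline off the server)
demo=$(make_demo_site)
baseline=$(mktemp)
make_baseline "$demo" "$baseline"
tamper_demo_site "$demo"
check_baseline "$demo" "$baseline"
rm -rf "$demo" "$baseline"
```

The baseline is only as trustworthy as the place you keep it: store it off the server (or at least outside the web root and read-only), and refresh it deliberately after each update you performed yourself, so that the next report lists only changes you did not make. A new .php file under images/ or tmp/ is the finding to act on first.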
UNIX hacking
...
the greatest game on the internet
“Ignorance is bliss”
The Google Hacking Database makes it easy
SSL certificates are only secure if the SSL root-authority servers are
We trust TCP/IP to be fairly secure, but is it? (slowloris)
When the C code of a rootkit is actually modified by a script-kiddie, it is no longer detected by rootkit scanners - bummer, nobody knows if it's there
docs.joomla.org/Security
any questions?

Elizabeth Buie - Older adults: Are we really designing for our future selves?Elizabeth Buie - Older adults: Are we really designing for our future selves?
Elizabeth Buie - Older adults: Are we really designing for our future selves?
 
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdfSAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
SAP Sapphire 2024 - ASUG301 building better apps with SAP Fiori.pdf
 
Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.Welocme to ViralQR, your best QR code generator.
Welocme to ViralQR, your best QR code generator.
 
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptxSecstrike : Reverse Engineering & Pwnable tools for CTF.pptx
Secstrike : Reverse Engineering & Pwnable tools for CTF.pptx
 
PCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase TeamPCI PIN Basics Webinar from the Controlcase Team
PCI PIN Basics Webinar from the Controlcase Team
 
Leading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdfLeading Change strategies and insights for effective change management pdf 1.pdf
Leading Change strategies and insights for effective change management pdf 1.pdf
 
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
Le nuove frontiere dell'AI nell'RPA con UiPath Autopilot™
 
Assure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyesAssure Contact Center Experiences for Your Customers With ThousandEyes
Assure Contact Center Experiences for Your Customers With ThousandEyes
 
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdfFIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
FIDO Alliance Osaka Seminar: Passkeys at Amazon.pdf
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...How world-class product teams are winning in the AI era by CEO and Founder, P...
How world-class product teams are winning in the AI era by CEO and Founder, P...
 
Free Complete Python - A step towards Data Science
Free Complete Python - A step towards Data ScienceFree Complete Python - A step towards Data Science
Free Complete Python - A step towards Data Science
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)PHP Frameworks: I want to break free (IPC Berlin 2024)
PHP Frameworks: I want to break free (IPC Berlin 2024)
 
By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024By Design, not by Accident - Agile Venture Bolzano 2024
By Design, not by Accident - Agile Venture Bolzano 2024
 
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 previewState of ICS and IoT Cyber Threat Landscape Report 2024 preview
State of ICS and IoT Cyber Threat Landscape Report 2024 preview
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 

Joomla! security

  • 1. Presentation “Joomla! Security” - http://slideshare.net/yireo Jisse Reitsma (jisse@yireo.com) - Twitter @yireo
    Joomla! security
  • 2. My name is Jisse Reitsma
    Joomla! enthusiast
    PHP programmer
    Lead developer of Yireo
    Joomla! templates book (NL)
    Helping Tibet Support Group
  • 3. My presentation
    Part I - Basics
    Part II - Joomla! security
    Part III - Advanced things
  • 4. Part I: Basics of security
  • 5. Why bother?
    Everybody makes mistakes
    Joomla! is very popular ... also with hackers
    What can happen?
    Website defacement (damage to business image)
    Malware installed (viruses, exploits, zombie software)
  • 6. What is security? The common attack classes:
    SQL injection
    POST spoofing
    Path traversal; remote file inclusion
    Cross-site scripting (XSS), CSRF
    Session hijacking, cookie theft
    Rootkits
  • 7. Common Joomla! attacks
    SQL injection (one URL, broken across two lines on the slide):
    http://localhost/joomla/index.php/weblinks-categories?id=0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29
    URL-decoded, the id parameter reads: 0 ) union select password from `jos_users` -- )
    It closes the bracket of the original WHERE clause, appends a UNION that pulls the password hashes out of the users table, and comments out the rest of the query.
    XSS vulnerability
    Textarea: <script>alert('test');</script>
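The two attacks on this slide, worked through as an added example that is not part of the presentation. The slide's own URL-encoded id payload is run against a constructed in-memory SQLite stand-in for the Joomla! tables (a real site uses MySQL; the table rows and the hash value are made up here, only the default `jos_` prefix comes from the slide), first through the string-concatenated query that lets the UNION work, then through a cast-and-bind query that stops it, with the XSS payload output-encoded alongside.

```python
import html
import re
import sqlite3
from urllib.parse import unquote

# The id parameter exactly as it appears in the slide's URL (still URL-encoded).
SLIDE_PAYLOAD = "0%20%29%20union%20select%20password%20from%20%60jos_users%60%20--%20%29"


def build_demo_db() -> sqlite3.Connection:
    """Constructed stand-in for a Joomla! database: in-memory SQLite, made-up rows."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE jos_categories (id INTEGER PRIMARY KEY, title TEXT);
        CREATE TABLE jos_users (id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        INSERT INTO jos_categories VALUES (1, 'Joomla! links');
        INSERT INTO jos_categories VALUES (2, 'PHP links');
        INSERT INTO jos_users VALUES (42, 'admin', 'constructed-hash-not-a-real-one');
        """
    )
    return conn


def vulnerable_lookup(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """The bug behind the slide's URL: the decoded request parameter is pasted into SQL.

    With the payload the query becomes
      SELECT title FROM jos_categories WHERE ( id = 0 ) union select password from `jos_users` -- )
    so the password column comes back in place of category titles.
    """
    sql = f"SELECT title FROM jos_categories WHERE ( id = {unquote(raw_id)} )"
    return [row[0] for row in conn.execute(sql)]


def php_int_cast(value: str) -> int:
    """Mimic PHP's (int) cast (what Joomla's getInt() does): leading integer or 0."""
    match = re.match(r"\s*[+-]?\d+", value)
    return int(match.group()) if match else 0


def safe_lookup(conn: sqlite3.Connection, raw_id: str) -> list[str]:
    """Fix: coerce the input to the expected type and bind it, never concatenate."""
    category_id = php_int_cast(unquote(raw_id))
    sql = "SELECT title FROM jos_categories WHERE ( id = ? )"
    return [row[0] for row in conn.execute(sql, (category_id,))]


def escape_for_html(user_text: str) -> str:
    """The XSS half of the slide: output-encode untrusted text before it hits the page."""
    return html.escape(user_text, quote=True)


if __name__ == "__main__":
    db = build_demo_db()
    print("vulnerable:", vulnerable_lookup(db, SLIDE_PAYLOAD))  # leaks the password hash
    print("safe:      ", safe_lookup(db, SLIDE_PAYLOAD))        # empty list: id 0 does not exist
    print("escaped:   ", escape_for_html("<script>alert('test');</script>"))
```

The int cast alone would already defeat this particular payload, which is why Joomla! code reads ids through getInt(); the bound parameter is what protects the string columns where a cast is not an option.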
  • 8. Part II: Joomla! security
  • 9. Joomla! security (1)
    Strong passwords
    Beware of dictionary attacks
    At least 8 characters, preferably 16 :)
  • 10. Joomla! security (2)
    Do not pick just any extension
    Keep software up to date: the Joomla! core and every Joomla! extension
  • 11. Joomla! security (3)
    Make sure .htaccess is in place
    Rename the shipped “htaccess.txt” to “.htaccess”
    It includes quick protection against common attacks (only if Apache honours .htaccess files, i.e. AllowOverride is enabled for the site)
  • 12. Joomla! security (4)
    Create a new Super User
    Do not use the username “admin”
    Use a database user ID other than the well-known installer defaults 42 or 62
  • 13. Joomla! security (5)
    Backend protection: jSecure, kSecure, BackendToken
    Scanning: RSFirewall, jDefender, jHackGuard
    Joomla! ACLs (ACL Manager)
  • 14. Joomla! security (6)
    Remove the default generator META tag (it advertises that the site runs Joomla!), e.g. in the template:
    <?php JFactory::getDocument()->setGenerator('whatever'); ?>
  • 15. Joomla! security (7)
    Encrypt Joomla! Administrator access with a (self-signed) SSL certificate, i.e. serve /administrator over HTTPS; a self-signed certificate stops eavesdropping on the admin password, but browsers warn about it, so trust it explicitly or use a CA-issued one
    Use SFTP (or SSH) if available, not plain FTP (FTP sends credentials unencrypted)
  • 16. Joomla! security (8)
    Remove files you don't need:
    3rd-party templates and 3rd-party extensions you are not using
    Joomla! test setups (and other applications)
    CHANGELOG.php, CREDITS.php, INSTALL.php, configuration.php-dist, htaccess.txt, LICENSE.php, LICENSES.php
    phpinfo.php
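An audit for slides 11 and 16 together, added here and not part of the presentation: it checks a Joomla! root for the leftover files listed on slide 16 and for the un-renamed htaccess.txt situation of slide 11, and can apply both fixes after a dry run. The file list is the slide's; the demo web root it builds is constructed for the example.

```python
import tempfile
from pathlib import Path

# Files slide 16 says to delete from a production site: the first seven ship with
# Joomla! itself, phpinfo.php is the usual name of a hand-made probe script.
LEFTOVER_FILES = (
    "CHANGELOG.php", "CREDITS.php", "INSTALL.php", "configuration.php-dist",
    "htaccess.txt", "LICENSE.php", "LICENSES.php", "phpinfo.php",
)


def audit_joomla_root(root) -> dict:
    """Check a Joomla! root for slide 11 (.htaccess in place) and slide 16 (leftovers)."""
    root = Path(root)
    htaccess_missing = not (root / ".htaccess").is_file()
    return {
        "leftover": sorted(n for n in LEFTOVER_FILES if (root / n).exists()),
        "htaccess_missing": htaccess_missing,
        # Slide 11's situation: the shipped htaccess.txt was never renamed.
        "htaccess_txt_only": htaccess_missing and (root / "htaccess.txt").is_file(),
    }


def harden_joomla_root(root, dry_run: bool = True) -> list[str]:
    """Rename htaccess.txt to .htaccess when needed and delete the leftovers.

    Returns the list of actions; with dry_run=True nothing is touched, so the
    list can be reviewed before running it for real.
    """
    root = Path(root)
    report = audit_joomla_root(root)
    actions = []
    if report["htaccess_txt_only"]:
        actions.append("rename htaccess.txt -> .htaccess")
        if not dry_run:
            (root / "htaccess.txt").rename(root / ".htaccess")
    for name in report["leftover"]:
        if name == "htaccess.txt" and report["htaccess_txt_only"]:
            continue  # renamed above, not deleted
        actions.append(f"delete {name}")
        if not dry_run:
            (root / name).unlink()
    return actions


def make_demo_joomla_root() -> str:
    """Constructed web root with a few leftovers and an un-renamed htaccess.txt."""
    root = Path(tempfile.mkdtemp(prefix="joomla-files-"))
    for name in ("index.php", "CHANGELOG.php", "htaccess.txt", "phpinfo.php"):
        (root / name).write_text("# constructed placeholder\n")
    return str(root)


if __name__ == "__main__":
    demo = make_demo_joomla_root()
    print(audit_joomla_root(demo))
    print(harden_joomla_root(demo))               # dry run: lists what would change
    print(harden_joomla_root(demo, dry_run=False))  # applies it
    print(audit_joomla_root(demo))
```

Only the site root is inspected; test installs living in subdirectories (the slide's “Joomla! test setups”) still need a manual look.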
  • 17. Joomla! security (9)
    Two-factor authentication
    Google Authenticator
    YubiKey
  • 18. Joomla! security (10)
    Do not use Joomla! 1.5 (end of life, it receives no security fixes)
    Change the database table prefix (e.g. with Admin Tools)
    Do not allow user registration if you don't need it
    Apache HTTP authentication in front of the backend
  • 19. General advice
    Be careful with what you install
    Use a versioning system like Git
    Always test things first on a testing environment (plg_system_httpauth)
    Create backups
  • 20. Part III: Advanced security
  • 21. LAMP security
    File permissions
    Firewall
    Apache settings
    PHP settings
  • 22. UNIX file permissions
    Basic rules
    Three digits: owner + group + world
    4 = read, 2 = write, 1 = execute (add them up per digit)
    644 = read-write for owner; read for group; read for world
    Directories must always be executable (searchable), so 755 instead of 644
    Do not use:
    666 = read-write for owner; read-write for group; read-write for world
    777 = like 666, but with the execute bit set for everyone as well
    Do use:
    644 (files)
    755 (directories)
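An audit of the 644/755 rule from this slide, as an added example that is not from the presentation: it walks a web root, lists every file not 644 and every directory not 755, singles out the world-writable ones the slide warns against, and can apply the fix. It assumes a Unix filesystem; the demo tree it builds is constructed here. On a real site review the listing before fixing, because cache, logs and tmp directories must stay writable by the user PHP runs as.

```python
import os
import stat
import tempfile
from pathlib import Path

FILE_MODE = 0o644  # rw-r--r--  the slide's "644 (files)"
DIR_MODE = 0o755   # rwxr-xr-x  the slide's "755 (directories)"


def _record(path: Path, expected: int, root: Path, out: list) -> None:
    # Symlinks are skipped: chmod would follow them to whatever they point at.
    if path.is_symlink():
        return
    mode = stat.S_IMODE(path.lstat().st_mode)
    if mode != expected:
        out.append((str(path.relative_to(root)), oct(mode)))


def permission_offenders(root) -> list[tuple[str, str]]:
    """Every file not 644 and every directory not 755 under root, as (path, mode)."""
    root = Path(root)
    out: list[tuple[str, str]] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        directory = Path(dirpath)
        _record(directory, DIR_MODE, root, out)
        for name in filenames:
            _record(directory / name, FILE_MODE, root, out)
    return sorted(out)


def world_writable(root) -> list[str]:
    """The slide's 'do not use' cases (666/777): anything the world digit lets write."""
    return sorted(rel for rel, mode in permission_offenders(root)
                  if int(mode, 8) & stat.S_IWOTH)


def fix_permissions(root) -> int:
    """Apply the slide's rule (files 644, directories 755); returns how many paths changed."""
    root = Path(root)
    changed = 0
    for rel, _mode in permission_offenders(root):
        path = root / rel
        path.chmod(DIR_MODE if path.is_dir() else FILE_MODE)
        changed += 1
    return changed


def build_demo_perms_root() -> str:
    """Constructed Joomla!-like tree carrying the modes the slide says not to use."""
    root = Path(tempfile.mkdtemp(prefix="joomla-perms-"))
    root.chmod(DIR_MODE)
    (root / "index.php").write_text("<?php // constructed\n")
    (root / "index.php").chmod(FILE_MODE)
    (root / "configuration.php").write_text("<?php // constructed\n")
    (root / "configuration.php").chmod(0o666)  # slide: never 666
    (root / "images").mkdir()
    (root / "images" / "logo.png").write_bytes(b"")
    (root / "images" / "logo.png").chmod(0o666)
    (root / "images").chmod(0o777)             # slide: never 777
    return str(root)


if __name__ == "__main__":
    demo = build_demo_perms_root()
    print("offenders:", permission_offenders(demo))
    print("world-writable:", world_writable(demo))
    print("fixed:", fix_permissions(demo), "paths; remaining:", permission_offenders(demo))
```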
  • 23. Firewall
    Only allow what you need: HTTP, SSH, FTP, SMTP, DNS
    Block everything you don't need: MySQL, IMAP, POP
    Check from the outside with Nmap
  • 24. Apache security
    Apache settings:
    ServerTokens Prod
    ServerSignature Off
    TraceEnable Off
    Apache modules:
    mod_rewrite
    mod_evasive
    mod_antiloris
    mod_security2
  • 25. PHP security (1 of 2)
    PHP settings:
    register_globals = Off
    expose_php = Off
    safe_mode = Off
    magic_quotes_gpc = Off
    allow_url_include = Off
    allow_url_fopen = On??? (some extensions need it; Off is the safer default)
    open_basedir = [yoursite]??? (confines PHP file access to your site's directory tree)
    Note: register_globals, safe_mode and magic_quotes_gpc were removed in PHP 5.4, so on later versions they no longer exist and only the remaining settings apply
  • 26. PHP security (2 of 2)
    PHP disable_functions:
    show_source
    system, shell_exec, exec, passthru
    popen, proc_open
    phpinfo
    PHP modules: Suhosin (a PHP 5-era hardening extension)
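A checker for the settings on slides 24 to 26, added here and not part of the presentation: two deliberately small parsers for httpd.conf and php.ini lines (real configurations are richer; Include files and <Directory> blocks are not followed), compared against the slide's values. The sample configurations are constructed for the example; the defaults in the comments are Apache's and PHP's built-in ones.

```python
# Expected values are the ones on slides 24 to 26. The two "???" items on slide 25
# are judgement calls, so they come back as advisories rather than failures.
APACHE_EXPECTED = {"ServerTokens": "Prod", "ServerSignature": "Off", "TraceEnable": "Off"}

PHP_MUST_BE_OFF = {
    # directive: the value PHP assumes when the line is absent from php.ini
    "expose_php": "On",
    "allow_url_include": "Off",
    "register_globals": "Off",  # removed in PHP 5.4; only matters on older PHP
    "safe_mode": "Off",         # removed in PHP 5.4; only matters on older PHP
    "magic_quotes_gpc": "Off",  # removed in PHP 5.4; before that its built-in default was
                                # On, so on PHP 5.3 confirm with phpinfo() instead
}
PHP_DISABLE = {"show_source", "system", "shell_exec", "exec", "passthru",
               "popen", "proc_open", "phpinfo"}


def parse_apache(text: str) -> dict:
    """Minimal: 'Directive value' lines, '#' comments; <...> block lines are skipped.
    Later lines override earlier ones, as in httpd.conf."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line and not line.startswith("<"):
            parts = line.split(None, 1)
            settings[parts[0]] = parts[1].strip() if len(parts) > 1 else ""
    return settings


def parse_php_ini(text: str) -> dict:
    """Minimal php.ini: 'key = value', ';' comments, [sections] ignored, quotes stripped."""
    settings = {}
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()
        if line and not line.startswith("[") and "=" in line:
            key, _, value = line.partition("=")
            settings[key.strip()] = value.strip().strip('"')
    return settings


def _is_on(value) -> bool:
    return str(value).strip().lower() in ("1", "on", "true", "yes")


def check_apache(text: str) -> list[tuple]:
    """(directive, actual or None, expected) for every slide-24 setting off target."""
    s = parse_apache(text)
    return [(k, s.get(k), v) for k, v in APACHE_EXPECTED.items()
            if (s.get(k) or "").lower() != v.lower()]


def check_php(text: str) -> list[tuple]:
    """(directive, effective value, 'Off') for every slide-25 setting still enabled."""
    s = parse_php_ini(text)
    return [(k, s.get(k, default), "Off") for k, default in PHP_MUST_BE_OFF.items()
            if _is_on(s.get(k, default))]


def missing_disable_functions(text: str) -> list[str]:
    """Functions from slide 26 that disable_functions does not yet cover."""
    raw = parse_php_ini(text).get("disable_functions", "")
    disabled = {f.strip() for f in raw.split(",") if f.strip()}
    return sorted(PHP_DISABLE - disabled)


def php_advisories(text: str) -> list[tuple]:
    """Slide 25's '???' items: worth a look, but site-dependent."""
    s = parse_php_ini(text)
    out = []
    if _is_on(s.get("allow_url_fopen", "On")):  # PHP's built-in default is On
        out.append(("allow_url_fopen", "On", "Off unless an extension needs it"))
    if not s.get("open_basedir"):
        out.append(("open_basedir", None, "your site's directory tree"))
    return out


# Constructed samples for the example, not copied from any real server.
SAMPLE_APACHE = """\
ServerTokens OS
ServerSignature On
# TraceEnable is not set, so Apache's default (On) applies
"""
SAMPLE_PHP_INI = """\
[PHP]
; constructed php.ini fragment
expose_php = On
allow_url_include = Off
allow_url_fopen = On
disable_functions = "exec,passthru,shell_exec,system"
"""

if __name__ == "__main__":
    print(check_apache(SAMPLE_APACHE))
    print(check_php(SAMPLE_PHP_INI))
    print(missing_disable_functions(SAMPLE_PHP_INI))
    print(php_advisories(SAMPLE_PHP_INI))
```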
  • 27. Too late ...
    maldet (Linux Malware Detect)
    rkhunter (Rootkit Hunter)
    IDS (intrusion detection system): Tripwire, Samhain
  • 28. UNIX hacking ... the greatest game on the internet
  • 29. “Ignorance is bliss”
    The Google Hacking Database makes finding exposed sites easy
    SSL certificates are only as secure as the root certificate authorities that sign them
    We trust TCP/IP to be fairly secure, but is it? (slowloris: one client ties up all of Apache's connection slots with slow, never-finished HTTP requests)
    When the C code of a rootkit is modified by a script kiddie, signature-based rootkit scanners no longer detect it: bummer, nobody knows it is there
  • 30. docs.joomla.org/Security
  • 31. Any questions?