SlideShare uma empresa Scribd logo

Joomla security nuggets

Transferir como PPT, PDF
G
guestbd1cdca
1 de 15
Presented By Naveen Kumar Malla
Agenda ,[object Object],[object Object],[object Object],[object Object]
Web Application Security Threat Overview ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Common Attacks & Preventative Techniques ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
CSRF ,[object Object],[object Object],[object Object],[object Object]
How Joomla handles CSRF? ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
XSS ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
SQL Injections ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
To prevent SQL injections ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Direct access to folders/code ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Register Globals ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
Writing Secure Web applications ,[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object],[object Object]
References ,[object Object],[object Object],[object Object],[object Object]
Any Queries?
Thank You

Recomendados

Introduction to Web Programming with Perl
Introduction to Web Programming with PerlIntroduction to Web Programming with Perl
Introduction to Web Programming with PerlDave Cross
 
Modern Web Development with Perl
Modern Web Development with PerlModern Web Development with Perl
Modern Web Development with PerlDave Cross
 
Web Development in Perl
Web Development in PerlWeb Development in Perl
Web Development in PerlNaveen Gupta
 
PHP Presentation
PHP PresentationPHP Presentation
PHP PresentationNikhil Jain
 
PHP Presentation
PHP PresentationPHP Presentation
PHP PresentationAnkush Jain
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshellLennart Schoors
 
Web develop in flask
Web develop in flaskWeb develop in flask
Web develop in flaskJim Yeh
 
Vb.Net Web Forms
Vb.Net Web FormsVb.Net Web Forms
Vb.Net Web FormsDutch Dasanaike {LION}
 

Recomendados

Introduction to Web Programming with Perl
Introduction to Web Programming with PerlIntroduction to Web Programming with Perl
Introduction to Web Programming with PerlDave Cross
 
Modern Web Development with Perl
Modern Web Development with PerlModern Web Development with Perl
Modern Web Development with PerlDave Cross
 
Web Development in Perl
Web Development in PerlWeb Development in Perl
Web Development in PerlNaveen Gupta
 
PHP Presentation
PHP PresentationPHP Presentation
PHP PresentationNikhil Jain
 
PHP Presentation
PHP PresentationPHP Presentation
PHP PresentationAnkush Jain
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshellLennart Schoors
 
Web develop in flask
Web develop in flaskWeb develop in flask
Web develop in flaskJim Yeh
 
Vb.Net Web Forms
Vb.Net Web FormsVb.Net Web Forms
Vb.Net Web FormsDutch Dasanaike {LION}
 
Looking into HTML5
Looking into HTML5Looking into HTML5
Looking into HTML5Christopher Schmitt
 
RESTful API Design & Implementation with CodeIgniter PHP Framework
RESTful API Design & Implementation with CodeIgniter PHP FrameworkRESTful API Design & Implementation with CodeIgniter PHP Framework
RESTful API Design & Implementation with CodeIgniter PHP FrameworkBo-Yi Wu
 
Web development
Web developmentWeb development
Web developmentSeerat Bakhtawar
 
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngine
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngineGoogle Cloud Endpoints: Building Third-Party APIs on Google AppEngine
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngineRoman Kirillov
 
PHP FUNCTIONS
PHP FUNCTIONSPHP FUNCTIONS
PHP FUNCTIONSZeeshan Ahmed
 
Intro to-php-19 jun10
Intro to-php-19 jun10Intro to-php-19 jun10
Intro to-php-19 jun10Kathy Reid
 
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010singingfish
 
REST API Best Practices & Implementing in Codeigniter
REST API Best Practices & Implementing in CodeigniterREST API Best Practices & Implementing in Codeigniter
REST API Best Practices & Implementing in CodeigniterSachin G Kulkarni
 
Practical catalyst
Practical catalystPractical catalyst
Practical catalystdwm042
 
Writing Pluggable Software
Writing Pluggable SoftwareWriting Pluggable Software
Writing Pluggable SoftwareTatsuhiko Miyagawa
 
Joseph-Smarr-Plaxo-OSCON-2006
Joseph-Smarr-Plaxo-OSCON-2006Joseph-Smarr-Plaxo-OSCON-2006
Joseph-Smarr-Plaxo-OSCON-2006guestfbf1e1
 
Plaxo OSCON 2006
Plaxo OSCON 2006Plaxo OSCON 2006
Plaxo OSCON 2006gueste8e0fb
 
Css, xhtml, javascript
Css, xhtml, javascriptCss, xhtml, javascript
Css, xhtml, javascriptTrần Khải Hoàng
 
WWW and HTTP
WWW and HTTPWWW and HTTP
WWW and HTTPBG Java EE Course
 
Perl in the Internet of Things
Perl in the Internet of ThingsPerl in the Internet of Things
Perl in the Internet of ThingsDave Cross
 
BDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
BDD to the Bone: Using Behave and Selenium to Test-Drive Web ApplicationsBDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
BDD to the Bone: Using Behave and Selenium to Test-Drive Web ApplicationsPatrick Viafore
 
Justmeans power point
Justmeans power pointJustmeans power point
Justmeans power pointjustmeanscsr
 
Justmeans power point
Justmeans power pointJustmeans power point
Justmeans power pointjustmeanscsr
 
Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Web Security
Web SecurityWeb Security
Web SecuritySupankar Banik
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 

Mais conteúdo relacionado

Mais procurados

RESTful API Design & Implementation with CodeIgniter PHP Framework
RESTful API Design & Implementation with CodeIgniter PHP FrameworkRESTful API Design & Implementation with CodeIgniter PHP Framework
RESTful API Design & Implementation with CodeIgniter PHP FrameworkBo-Yi Wu
 
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngine
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngineGoogle Cloud Endpoints: Building Third-Party APIs on Google AppEngine
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngineRoman Kirillov
 
Intro to-php-19 jun10
Intro to-php-19 jun10Intro to-php-19 jun10
Intro to-php-19 jun10Kathy Reid
 
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010singingfish
 
REST API Best Practices & Implementing in Codeigniter
REST API Best Practices & Implementing in CodeigniterREST API Best Practices & Implementing in Codeigniter
REST API Best Practices & Implementing in CodeigniterSachin G Kulkarni
 
Practical catalyst
Practical catalystPractical catalyst
Practical catalystdwm042
 
Joseph-Smarr-Plaxo-OSCON-2006
Joseph-Smarr-Plaxo-OSCON-2006Joseph-Smarr-Plaxo-OSCON-2006
Joseph-Smarr-Plaxo-OSCON-2006guestfbf1e1
 
Plaxo OSCON 2006
Plaxo OSCON 2006Plaxo OSCON 2006
Plaxo OSCON 2006gueste8e0fb
 
Perl in the Internet of Things
Perl in the Internet of ThingsPerl in the Internet of Things
Perl in the Internet of ThingsDave Cross
 
BDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
BDD to the Bone: Using Behave and Selenium to Test-Drive Web ApplicationsBDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
BDD to the Bone: Using Behave and Selenium to Test-Drive Web ApplicationsPatrick Viafore
 
Justmeans power point
Justmeans power pointJustmeans power point
Justmeans power pointjustmeanscsr
 
Justmeans power point
Justmeans power pointJustmeans power point
Justmeans power pointjustmeanscsr
 

Mais procurados (18)

Looking into HTML5
Looking into HTML5Looking into HTML5
Looking into HTML5
 
RESTful API Design & Implementation with CodeIgniter PHP Framework
RESTful API Design & Implementation with CodeIgniter PHP FrameworkRESTful API Design & Implementation with CodeIgniter PHP Framework
RESTful API Design & Implementation with CodeIgniter PHP Framework
 
Web development
Web developmentWeb development
Web development
 
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngine
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngineGoogle Cloud Endpoints: Building Third-Party APIs on Google AppEngine
Google Cloud Endpoints: Building Third-Party APIs on Google AppEngine
 
PHP FUNCTIONS
PHP FUNCTIONSPHP FUNCTIONS
PHP FUNCTIONS
 
Intro to-php-19 jun10
Intro to-php-19 jun10Intro to-php-19 jun10
Intro to-php-19 jun10
 
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
Don't RTFM, WTFM - Open Source Documentation - German Perl Workshop 2010
 
REST API Best Practices & Implementing in Codeigniter
REST API Best Practices & Implementing in CodeigniterREST API Best Practices & Implementing in Codeigniter
REST API Best Practices & Implementing in Codeigniter
 
Practical catalyst
Practical catalystPractical catalyst
Practical catalyst
 
Writing Pluggable Software
Writing Pluggable SoftwareWriting Pluggable Software
Writing Pluggable Software
 
Joseph-Smarr-Plaxo-OSCON-2006
Joseph-Smarr-Plaxo-OSCON-2006Joseph-Smarr-Plaxo-OSCON-2006
Joseph-Smarr-Plaxo-OSCON-2006
 
Plaxo OSCON 2006
Plaxo OSCON 2006Plaxo OSCON 2006
Plaxo OSCON 2006
 
Css, xhtml, javascript
Css, xhtml, javascriptCss, xhtml, javascript
Css, xhtml, javascript
 
WWW and HTTP
WWW and HTTPWWW and HTTP
WWW and HTTP
 
Perl in the Internet of Things
Perl in the Internet of ThingsPerl in the Internet of Things
Perl in the Internet of Things
 
BDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
BDD to the Bone: Using Behave and Selenium to Test-Drive Web ApplicationsBDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
BDD to the Bone: Using Behave and Selenium to Test-Drive Web Applications
 
Justmeans power point
Justmeans power pointJustmeans power point
Justmeans power point
 
Justmeans power point
Justmeans power pointJustmeans power point
Justmeans power point
 

Semelhante a Joomla security nuggets

Web application attacks
Web application attacksWeb application attacks
Web application attackshruth
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Website Security
Website SecurityWebsite Security
Website SecurityCarlos Z
 
Website Security
Website SecurityWebsite Security
Website SecurityMODxpo
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Indexwebhostingguy
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesCarol McDonald
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injectionavishkarm
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101brian_dailey
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hoursnoopythesecuritydog
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application SecurityStuart Colville
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmersrobin_bene
 

Semelhante a Joomla security nuggets (20)

Web application attacks
Web application attacksWeb application attacks
Web application attacks
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Web Security
Web SecurityWeb Security
Web Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Website Security
Website SecurityWebsite Security
Website Security
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index12-security.ppt - PHP and Arabic Language - Index
12-security.ppt - PHP and Arabic Language - Index
 
Security.ppt
Security.pptSecurity.ppt
Security.ppt
 
Top 10 Web Security Vulnerabilities
Top 10 Web Security VulnerabilitiesTop 10 Web Security Vulnerabilities
Top 10 Web Security Vulnerabilities
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
D:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql InjectionD:\Technical\Ppt\Sql Injection
D:\Technical\Ppt\Sql Injection
 
2009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 1012009 Barcamp Nashville Web Security 101
2009 Barcamp Nashville Web Security 101
 
Web Security
Web SecurityWeb Security
Web Security
 
XSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hourXSS Primer - Noob to Pro in 1 hour
XSS Primer - Noob to Pro in 1 hour
 
XSS
XSSXSS
XSS
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Attackers Vs Programmers
Attackers Vs ProgrammersAttackers Vs Programmers
Attackers Vs Programmers
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
ieee
ieeeieee
ieee
 

Joomla security nuggets

Notas do Editor

  1. Today most the business is running through web and even most of the attacks are also done through web hackers only.
  2. Application Attacks vary and evolve rapidly to exploit newly created or identified vulnerabilities as do the reasons and consequences of attacks. Other Attacks: – Cookie Attacks – Database Interaction – Hidden Fields
  3. The attack works by including a link or script in a page that accesses a site to which the user is known (or is supposed) to have been authenticated
  4. Joomla! attempts to protect againt CSRF by inserting a random string called a token into each POST form and each GET query string that is able to modify something in the Joomla! system.
  5. For Integers: $int = JRequest::getInt( $name, $default ); For Floats (decimals): $float = JRequest::getFloat( $name, $default ); For boolean values (true/false): $bool = JRequest::getBool( $name, $default ); For "words" (only allows alpha characters, and the _ character) $word = JRequest::getWord( $name, $default ); For "commands" (Allows alpha characters, numeric characters, . - and _ ) $cmd = JRequest::getCMD( $name, $default ); For NON-HTML text (all HTML will be stripped) $string = JRequest::getString( $name, $default );
  6. Conclusion: Validate all user input before you use it in a SQL query. Apply $string = $database->getEscaped( $string ); $string = $db->getEscaped( $string ); to all strings that will be used in SQL queries, and apply $value = intval( $value ); $value = intval( $value ); to all integer numbers you use in SQL queries. Again, for more information on SQL injections, please take a look at the listed resources, especially .
  7. The files of your component will usually be called by Joomla!. Joomla! is a wrapper around your software, it provides many usefull features like user authentication and so on. Since developers usually test their components only through Joomla!, they tend to forget about the possibility of calling files directly.
  8. (Strip unwanted characters,invisible charaters)