Making Drupal secure is so boring. Let's talk about breaking into Drupal. This session will look at code and configuration vulnerabilities from the perspective of a hacker. We'll review common misconfigurations and several vulnerabilities in Drupal 7 from the past few years to see how an attacker could leverage them to break into a Drupal site.
What does that mean? It means we'll see each of these vulnerabilities at play:
- Getting remote code execution from optimistic CSRF protection
- Using Cross Site Scripting to change a password, and protecting against it
- The many forms of "Access Bypass"
- SQLi and why it should make you squeel
And as we finish exploiting each one we'll go through how to use Drupal's API and configuration to protect against the vulnerability in its various forms.
I'm the author of Cracking Drupal, the book to go in-depth on Drupal security. While I've given similar presentations dozens of times, this will be the first time I approach it from this particular perspective. I hope it will be a fun and eye-opening experience for all.
This session is complementary to the Attacking Drupal session - the two cover different areas.