2012/11/30

OWASP BeNeLux 2012: OWASP Top 10 vs Drupal - Erwin Geirnaert

Checkmarx scan: Source Code Analysis (SCA)
  • only finds issues in the backend (server-side PHP) code
Highest risks:
  • PHP injection -> input validation
  • XSS: blind access
    • filter_xss(): whitelist-based filtering for user-supplied HTML (drops disallowed tags and event-handler attributes)
    • check_plain(): HTML encoding for plain text placed in HTML
    • check_url(): strips dangerous URL schemes (javascript: etc.) and encodes for use in an href
    • drupal_set_message($message, 'error'): secure / uniform error messages (fixed text; don't echo raw input back into the message, it is printed as-is)
  • insecure direct object references:
    • NOK for Drupal: node and user paths use sequential IDs (node/1, node/2, ...)
    • site can be crawled for hidden (unlinked) pages, so rely on node access control, not on obscurity
  • security misconfiguration
    • no FTP
    • SSH (SFTP/SCP) instead
  • insufficient transport layer protection
    • Drupal config: full SSL (or mixed mode?)
Other:
  • make sure you update the modules
  • Drupal 8: different approach, built on the Symfony framework
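The XSS and error-message bullets above list the Drupal 7 escaping API without showing where each call belongs. The following is an added example, not code from the talk or from Drupal core: it assumes Drupal 7's check_plain(), check_url(), filter_xss(), drupal_set_message() and t(). So that it also runs on plain PHP without a Drupal bootstrap, it defines stand-ins modelled on the Drupal 7 implementations (with a shortened scheme allow-list) only when the real functions are absent. The profile_link_* and validate_homepage() functions and the attacker-style sample input are constructed for illustration.

```php
<?php
// Added example; not from the talk or from Drupal core. Assumes the Drupal 7
// output-escaping API. Outside a Drupal bootstrap the stand-ins below (modelled
// on Drupal 7's implementations) are used so the script runs: php xss_escaping.php

if (!function_exists('check_plain')) {
  // Drupal 7 behaviour: HTML-encode text for an HTML body or attribute value.
  function check_plain($text) {
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
  }
}

if (!function_exists('drupal_strip_dangerous_protocols')) {
  // Stand-in for Drupal 7's drupal_strip_dangerous_protocols(): repeatedly strip
  // any URI scheme not on the allow-list, so "javascript:", "jAvAsCrIpT:" and
  // "javascript:javascript:" all lose their scheme. Allow-list shortened here.
  function drupal_strip_dangerous_protocols($uri) {
    $allowed = array_flip(array('ftp', 'http', 'https', 'mailto', 'tel'));
    do {
      $before = $uri;
      $colonpos = strpos($uri, ':');
      if ($colonpos > 0) {
        $protocol = substr($uri, 0, $colonpos);
        // A colon after '/', '?' or '#' is not a scheme separator (relative URL).
        if (preg_match('![/?#]!', $protocol)) {
          break;
        }
        if (!isset($allowed[strtolower($protocol)])) {
          $uri = substr($uri, $colonpos + 1);
        }
      }
    } while ($before != $uri && $colonpos > 0);
    return $uri;
  }
}

if (!function_exists('check_url')) {
  // Drupal 7 behaviour: strip dangerous schemes, then HTML-encode for an href.
  function check_url($uri) {
    return check_plain(drupal_strip_dangerous_protocols($uri));
  }
}

if (!function_exists('t')) {
  function t($string) { return $string; }   // stand-in: no translation
}

if (!function_exists('drupal_set_message')) {
  // Stand-in: Drupal queues the message for the next page; here it goes to stderr.
  function drupal_set_message($message, $type = 'status') {
    fwrite(STDERR, "[$type] $message\n");
  }
}

// 'Before': request values dropped straight into markup. Both the link text and
// the href are injectable; this is what the scanner reports as XSS.
function profile_link_vulnerable($name, $homepage) {
  return '<a href="' . $homepage . '">' . $name . '</a>';
}

// 'After': escape each value for the context it lands in.
function profile_link_hardened($name, $homepage, $bio) {
  // Bio may carry limited HTML: under Drupal filter_xss() keeps its tag whitelist
  // and drops event-handler attributes; stand-alone we escape fully (safer, plainer).
  $bio_html = function_exists('filter_xss') ? filter_xss($bio) : check_plain($bio);
  return '<a href="' . check_url($homepage) . '">' . check_plain($name) . '</a>'
       . '<p>' . $bio_html . '</p>';
}

// Input validation (the mitigation listed for injection): reject before use and
// report with a fixed, generic message. Drupal 7 prints the drupal_set_message()
// text as-is, so echoing the offending input inside it would itself be an XSS sink.
function validate_homepage($homepage) {
  if (!filter_var($homepage, FILTER_VALIDATE_URL) || !preg_match('#^https?://#i', $homepage)) {
    drupal_set_message(t('The homepage must be an http or https URL.'), 'error');
    return FALSE;
  }
  return TRUE;
}

// Constructed sample input, as an attacker would submit it.
$name     = '<script>alert(document.cookie)</script>';
$homepage = 'jAvAsCrIpT:alert(1)';
$bio      = 'Hi <strong>all</strong> <img src=x onerror=alert(1)>';

validate_homepage($homepage);   // generic error only; the hostile value is never echoed
echo "vulnerable: " . profile_link_vulnerable($name, $homepage) . "\n";
echo "hardened:   " . profile_link_hardened($name, $homepage, $bio) . "\n";
```

Run with `php xss_escaping.php`: the vulnerable line contains a live script element and a javascript: href, while the hardened line has the script tags entity-encoded and the href reduced to a scheme-less, harmless relative path. Under a real Drupal 7 bootstrap the stand-ins are skipped and the core functions take over, and filter_xss() keeps the `<strong>` in the bio but drops the `<img ... onerror>` entirely since img is not in its default whitelist.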
