Skip to content ↓ | Skip to navigation ↓

The countdown to Security BSides Las Vegas continues, with the August 5th & 6th show fast approaching, and so we are also continuing our series highlighting a few of the many informative presentations that are scheduled to take place at this fifth anniversary event.

picSecurity BSides events are organized by-and-for the security community, and attracts some of the most innovative security practitioners from around the world, and BSidesLV has the reputation for being one of the biggest events of the series.

We have already featured sessions by Guillaume Ross (@gepeto42) on vulnerabilities in URL schemes, a talk by Rachel Keslensky (@lastres0rt) on conference swag hacking strategies, and a session Nick “MasterChen” Rosario (@chenb0x) on how to be successful in social engineering attacks.

Next in line is a talk by Greg Foss (@heinzarelli) on attacking Drupal, the popular content management system which has been widely adopted by government agencies, major businesses, social networks, and more.

Foss is a Senior Security Research Engineer with the LogRhythm Labs Threat Intelligence Team, where he focuses on developing defensive strategies, tools and methodologies to counteract advanced attack scenarios.

He has more than seven years of experience in the security industry, with an extensive background in security operations focusing on penetration testing and Web application security, and he currently holds multiple industry certifications including the OSCP, GPEN, GWAPT, GCIH, and C|EH, among others.

Foss says he hopes to underscore in his session exactly why we need a better understanding how Drupal works and why properly securing these applications is of the utmost importance.

“This talk focuses on the penetration tester’s perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists,” Foss said, “all of which are open-source and can be downloaded and implemented following the presentation.”

With the rise in content management systems and Web application frameworks that are easy to develop and implement, Foss says too often security is an overlooked aspect of the software development life cycle.

“Security teams have little time to adequately assess an application’s (in)securities and normally end up just running scans, finding some low-hanging-fruit and calling it good,” Foss said. “What I plan to talk about is why SQL Injection, XSS, and other common vulnerabilities are only scratching the surface.”

He argues that the real heart of the issue lies in business logic flaws, abuse of functionality, exploitation of popular modules, and attack chaining – with the added benefit of bypassing common application defenses such as a Web application firewall.

“My goal is to show people why scanning alone is not enough, and to demonstrate the need for real penetration tests – providing the audience with a few tools to automate some of these manual tasks, along with detection methods for the more subtle attack vectors,” Foss said.

The session will be of most interest to Web developers, penetration testers, Web app pen testers, security analysts, security administrators, security operations, security leadership, red teams, blue teams, and more – the folks that get things done.

Foss said the audience will learn about:

  • What makes up a Drupal application and about common security misconfigurations associated with the CMS
  • How to identify key weaknesses in Drupal Web applications
  • How to exploit key weaknesses in Drupal Web applications
  • How to automate multiple Drupal web application attacks
  • Ways to defend against key weaknesses in Drupal web applications utilizing a simple security checklist

“In the demonstrations, hopefully I’ll have time to show some of the scripts and attack demos. I am currently in the process of migrating all of my scripts over to Python and I’m working to pull in additional public Drupal exploits and other common web attacks into the tool,” Foss continued.

Essentially his goal is to allow the pentester to completely take over a Drupal application using only these scripts, with minimal configuration and vested time, augmenting a (formerly) manual process of assessing often complex Drupal web applications.

“If I have this done in time for BSidesLV 2014, I’ll gladly present them at that time. If not, I will be saving it for future talks and would be honored to present them at BSidesLV 2015 if given the opportunity.”


Related Articles:



picCheck out Tripwire SecureScan™, a free, cloud-based vulnerability management service for up to 100 Internet Protocol (IP) addresses on internal networks. This new tool makes vulnerability management easily accessible to small and medium-sized businesses that may not have the resources for enterprise-grade security technology – and it detects the Heartbleed vulnerability.


picThe Executive’s Guide to the Top 20 Critical Security Controls

Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].


Title image courtesy of ShutterStock