Attacking Drupal

Presented at BSidesLV 2014, Aug. 6, 2014, 2 p.m. (30 minutes)

Drupal is a very popular content management system that has been widely adopted by government agencies, major businesses, social networks, and more -- underscoring why understanding how Drupal works and properly securing these applications is of the utmost importance. This talk focuses on the penetration tester's perspective of Drupal and dives into streamlining the assessment and remediation of commonly observed application and configuration flaws by way of custom exploit code and security checklists, all of which are open-source and can be downloaded and implemented following the presentation.

Presenters:

• Greg Foss - Head of Global Security Operations - LogRhythm Labs
  Greg Foss is LogRhythm's head of Global Security Operations and a Senior Researcher with Labs - tasked with leading both offensive and defensive aspects of corporate security. He has just under a decade of experience in the information security industry with an extensive background in ethical hacking and penetration testing, focusing on Web application security and red teaming. Greg holds multiple industry certifications including the OSCP, GAWN, GPEN, GWAPT, GCIH, and CEH, among others. He has presented at national information security conferences such as BlackHat, DerbyCon, AppSecUSA, BSidesLV, and is a very active member of the Denver security community.

Links:

• https://bsideslv2014.sched.com/event/1jPlKLT/attacking-drupal
• https://infocon.org/cons/Security BSides/BSides Las Vegas/BSides Las Vegas 2014/attacking drupal greg foss.mp4

Similar Presentations:

• DEF CON 8 (2000) / V1ru5 and *Hobbit*
• DEF CON 30 (2022) / Pulling Passwords out of Configuration Manager: Practical Attacks against Microsoft's Endpoint Management Software