
Security in Moodle plugins






Presentation Transcript


  1. Security in Moodle plugins the world’s open source learning platform Marina Glancy Moodle HQ MoodleMoot Australia 2015 #mootau15

  2. About me

  3. Security vulnerabilities: 1 developer mistake + 1 hacker exploit = ∞ infinite damage

  4. Typical security vulnerabilities in Moodle https://docs.moodle.org/dev/Security

  5. Cross-site scripting (XSS)
     XSS enables attackers to inject client-side script into Web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy.
     Example of “bad” JavaScript; example of “good” JavaScript

  6. After the attack: Moodle administrator, Hacker, Students, Developer, Teacher

  7. Cross-site scripting (XSS)

  8. Cross-site scripting (XSS)

  9. Cross-site scripting (XSS)

  10. Cross-site request forgery (CSRF)
      Cross-site request forgery, also known as a one-click attack or session riding, is a type of malicious exploit of a website whereby unauthorized commands are transmitted from a user that the website trusts. Unlike cross-site scripting, which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser.

  11. Cross-site request forgery (CSRF)

  12. Cross-site request forgery (CSRF)

  13. Privilege escalation

  14. Information leakage

  15. SQL injection
      $searchstring = optional_param('s', '', PARAM_NOTAGS);
      $DB->execute("SELECT * from {sometable} WHERE name LIKE '%" . $searchstring . "%'");

  16. SQL injection

  17. (no title)

  18. Command-line and code injection

  19. Illegal file access

  20. Denial of service, buffer overflow, timeout

  21. Moodle security process https://moodle.org/security/ #moodlesecurity

  22. Thank you. Marina Glancy, marina@moodle.com
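The XSS slides (5 and 7-9) name a “bad” and a “good” JavaScript example without transcribing the code. The following is an added example written for this page, not code from the slides or from Moodle core: it shows untrusted text spliced into HTML and into an inline script next to the output-escaping pattern Moodle's API provides. It assumes the normal Moodle bootstrap (config.php) so that s(), html_writer and $PAGE exist; the 'name' parameter and the AMD module name 'mod_example/greeting' are hypothetical.

```php
<?php
// Added example, not code from the slides or from Moodle core: output escaping in a
// Moodle plugin page. Assumes the standard Moodle bootstrap (config.php) so that s(),
// format_string(), html_writer and $PAGE are available. 'mod_example/greeting' is a
// hypothetical AMD module name; the 'name' parameter is the untrusted input.
require_once(__DIR__ . '/../../config.php');
require_login();

// PARAM_TEXT cleans the parameter as text, but cleaning on input is not escaping
// for output: whether the value can break out of the HTML or script it is placed
// in depends on the context it is written into, which only the output code knows.
$name = optional_param('name', '', PARAM_TEXT);

// Vulnerable: untrusted text concatenated into HTML and into an inline script.
// A quote or angle bracket in $name ends the intended string or element and the
// rest of the value is interpreted as markup or JavaScript.
function render_greeting_vulnerable(string $name): string {
    $html  = '<h2>Hello, ' . $name . '</h2>';
    $html .= "<script>var greetingName = '" . $name . "';</script>";
    return $html;
}

// Hardened: s() HTML-escapes the value for the HTML context, and the value reaches
// JavaScript as a parameter of an AMD module call (Moodle JSON-encodes the
// parameters) instead of being spliced into script source by concatenation.
// For stored text that may carry multilang spans (activity names and similar)
// use format_string(), whose result is already HTML-safe, so do not wrap it in s().
function render_greeting_safe(string $name): string {
    global $PAGE;
    $html = html_writer::tag('h2', 'Hello, ' . s($name));
    $PAGE->requires->js_call_amd('mod_example/greeting', 'init', [$name]);
    return $html;
}

echo $OUTPUT->header();
echo render_greeting_safe($name);
echo $OUTPUT->footer();
```

The defender's rule this illustrates is escape-at-output: the same string needs different treatment in an HTML element, an attribute and a script, so escaping belongs where the context is known, not where the value is read.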
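Slides 10-12 define CSRF but do not show the Moodle-specific control. As an added example, not from the slides or from any real plugin, here is a state-changing action protected with Moodle's session key. It assumes the Moodle bootstrap (config.php); the plugin name mod_example, the example_items table, the mod/example:delete capability and the string identifiers are placeholders for a hypothetical plugin.

```php
<?php
// Added example, not code from the slides: protecting a state-changing action in a
// Moodle plugin with the session key. Assumes the Moodle bootstrap (config.php);
// mod_example, the example_items table, the mod/example:delete capability and the
// string identifiers are placeholders for a hypothetical plugin.
require_once(__DIR__ . '/../../config.php');

$id      = required_param('id', PARAM_INT);
$confirm = optional_param('confirm', 0, PARAM_BOOL);

require_login();
$context = context_system::instance();   // placeholder; a real plugin uses its module context
require_capability('mod/example:delete', $context);

$PAGE->set_url('/mod/example/delete.php', ['id' => $id]);
$PAGE->set_context($context);
$returnurl = new moodle_url('/mod/example/view.php', ['id' => $id]);

// Vulnerable pattern: the browser attaches the Moodle session cookie to any request
// for this URL, so a request triggered from another site (an embedded image or an
// auto-submitted form) runs with the victim's session. require_login() and
// require_capability() do not help, because the victim really is authorised.
function delete_item_vulnerable(int $id): void {
    global $DB;
    $DB->delete_records('example_items', ['id' => $id]);
}

// Hardened: the request must also carry the session key, a per-login secret that
// another site cannot read. require_sesskey() throws if it is missing or wrong;
// confirm_sesskey() is the non-throwing variant when you need a boolean.
function delete_item_safe(int $id): void {
    global $DB;
    require_sesskey();
    $DB->delete_records('example_items', ['id' => $id]);
}

if ($confirm) {
    delete_item_safe($id);
    redirect($returnurl, get_string('deleted', 'mod_example'));
}

// Confirmation step: $OUTPUT->confirm() renders the continue URL as a POST button,
// and sesskey() supplies the key as a parameter. Forms built on moodleform add
// the sesskey field automatically and check it on submission.
$confirmurl = new moodle_url('/mod/example/delete.php',
    ['id' => $id, 'confirm' => 1, 'sesskey' => sesskey()]);

echo $OUTPUT->header();
echo $OUTPUT->confirm(get_string('confirmdelete', 'mod_example'), $confirmurl, $returnurl);
echo $OUTPUT->footer();
```

The check to make in review is that every code path that writes to the database, changes settings or sends mail sits behind require_sesskey() or a moodleform submission, and that read-only pages do not expose such side effects through GET parameters.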
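Slide 15 shows the vulnerable search query. The following added example (written for this page, not code from the slides or from Moodle core) puts that query next to the parameterised form the Moodle DB API expects. It assumes the Moodle bootstrap so that $DB is the moodle_database instance; {sometable} and its name column are the placeholders used on the slide.

```php
<?php
// Added example, not code from the slides: the search from slide 15 beside the
// parameterised version. Assumes the Moodle bootstrap (config.php) so that $DB is
// the moodle_database instance; {sometable} is the placeholder table from the slide.
require_once(__DIR__ . '/../../config.php');
require_login();

// Vulnerable (slide 15): the search string is concatenated into the SQL text.
// PARAM_NOTAGS strips HTML tags only; quotes and SQL metacharacters pass through,
// so the input can end the quoted literal and continue as SQL.
// (The slide uses $DB->execute(), which is meant for statements that return no
// rows; get_records_sql() is the call that actually returns the matches.)
function search_sometable_vulnerable(string $searchstring): array {
    global $DB;
    $sql = "SELECT * FROM {sometable} WHERE name LIKE '%" . $searchstring . "%'";
    return $DB->get_records_sql($sql);
}

// Hardened: the value travels as a named placeholder and is never part of the SQL
// text. $DB->sql_like() builds the LIKE clause for the current database driver, and
// $DB->sql_like_escape() escapes % and _ so the user's characters match literally
// instead of acting as wildcards.
function search_sometable_safe(string $searchstring): array {
    global $DB;
    $like   = $DB->sql_like('name', ':search', false);   // false = case-insensitive
    $sql    = "SELECT * FROM {sometable} WHERE $like";
    $params = ['search' => '%' . $DB->sql_like_escape($searchstring) . '%'];
    return $DB->get_records_sql($sql, $params);
}

$searchstring = optional_param('s', '', PARAM_NOTAGS);
$records = search_sometable_safe($searchstring);
```

Parameter type constants such as PARAM_NOTAGS describe what the value is allowed to look like; they are not a substitute for placeholders, because the database, not the parameter cleaner, decides what a quote means inside a query.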
