Diamond sponsors

Autopsy of Vulnerabilities

Profile picture for user rabbitlair
Experience level
45 minutes
3.02 hassium
Starts at
Ends at
Industry track
Expertise topics

Periodically, security releases are published to patch vulnerabilities and make our websites secure again, but do we know exactly how these vulnerabilities (and their exploits) work behind the scenes? How does the patch change our code, so the vulnerabilities are fixed and the risk mitigated? In this session, some of the most dangerous (and famous) vulnerabilities on Drupal will be analyzed in detail, so attendants will understand step by step how they are triggered to put our websites in risk.


On March 28th, a security update was published to mitigate a critical vulnerability on all Drupal versions. D8, D7, D6, even D5! received patches, so our sites are secured against the threat.

On October 15th, 2014, Drupal core version 7.32 was published including a patch for a critical SQL injection vulnerability which allowed an anonymous user to access directly to site database. Every site not patched within the 7 hours after the public announcement was considered as hacked.

This kind of announcements are common, and best practices strongly recommend paying attention to security bulletins of all components included on our project. Every time a patch is published, we run to apply it and feel "safe" until the next vulnerability is announced, but... what are we applying to our code? How does the "vaccine" work to prevent our website from being attacked? And the attack, what kind of magic ritual is done by hackers to access the internals of our project?

The goal of this session is to explore some common vulnerabilities in the Drupal and PHP world, explaining how the most frequent attacks work, as well as the countermeasures and patches used to reduce the risk. The target public is people with Drupal and PHP coding skills, and they will understand how hacking techniques work against their code once deployed to production, so they can learn to prevent potential attacks and feel more (in)secure.

About the speaker

My name is Ezequiel "Zequi" Vázquez, and I am developer at Lullabot. I am specialized on PHP and Drupal backend development, with strong background on DevOps, interested in high performance websites and with big passion for IT security. I have been speaker twice on DrupalCon Europe, twice on Drupal Developer Days and five times on DrupalCamp Spain, plus I frequently collaborate with local universities and meet-ups to speak about Drupal and IT security.

Platinum sponsors