Security and Rails apps

Transcript

1. @danielvlopes Daniel Lopes

2. SEGURANÇA & RAILS

3. http://objetiva.co/

4. None

5. voltando . . .

6. Segurança

7. None
8. None

9. Instituto Gartner O alvo é ... App 75% Host 25%

10. WEB APP

11. None
12. None

13. XSS CSRF Parâmetros SQL INJECTION Mass Assign Logs Arquivos Session

14. Cobaia

15. None

16. Mass Assignment

17. LIVE CODING

18. SQL INJECTION

19. LIVE CODING

20. XSS Cross Site Scripting

21. LIVE CODING

22. CSRF Cross s. ref. forgery

23. LIVE CODING

24. Files (download / upload)

25. class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :styles =>

    { :medium => "300x300#", :thumb => "50x50#" } validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document default_scope :order => "created_at DESC" end

26. class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :path =>

    ":rails_root/uploads/:attachment/:id/:style/:style.:extension", :styles => { :medium => "300x300#", :thumb => "50x50#" } has_attached_file :document, , :whiny => false validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document validates_attachment_content_type :document, :content_type => %w(image/jpeg image/pjpeg image/gif image/png) default_scope :order => "created_at DESC" end

27. send_file('/var/www/uploads/' + params[:filename]) ../../../etc/passwd

28. BRUTE FORCE

29. Devise.setup do |config| config.mailer_sender = "[email protected]" require 'devise/orm/active_record' config.encryptor =

    :bcrypt config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..." config.timeout_in = 10.minutes config.lock_strategy = :failed_attempts config.maximum_attempts = 20 config.unlock_strategy = :both # email and time config.unlock_in = 1.hour end Devise

30. Spams Log Filtering Parâmetros

31. gem 'reverse_captcha' class Comment < ActiveRecord::Base captcha :nickname end <%=

    form_for @comment do |f| %> ... <%= f.captcha %> <% end %> Spam gem 'recaptcha' gem 'captcha'

32. require File.expand_path('../boot', __FILE__) require 'rails/all' Bundler.require(:default, Rails.env) if defined?(Bundler) module

    Producer class Application < Rails::Application config.autoload_paths += %W(#{config.root}/app/sweepers) config.i18n.default_locale = "pt-BR" config.encoding = "utf-8" config.filter_parameters += [:password, :credit_card, :cnpj, :cpf] ... end end Log Filter

33. @project = Project.find(params[:id]) Parâmetros @project = current_user.projects.find(params[:id])

34. Mass Assign. Parâmetros ☐ ☐ SQL Inject. ☐ XSS ☐

    CSRF ☐ File System ☐ Brute Force ☐ Spams ☐ Log ☐ Session ☐

35. Mass Assign. Parâmetros ☑ SQL Inject. XSS CSRF File System

    Brute Force Spams Log ☑ ☑ ☑ ☑ ☑ ☑ ☑ ☑
36. None

37. • SSL • Criptografia • Automated Protection • Pen. Testing

    • Mantenha-se Atualizado

38. Contatos @danielvlopes [email protected] www.objetiva.co Cursos www.egenial.pro/cursos

39. slides: http://objetiva.co/publications