
Segurança em Aplicações Web

Segurança em Aplicações Web

Palestra apresentada no Encontro Locaweb 2014.

Nando Vieira

March 18, 2014



Transcript

  1. OWASP Top 10 — 2013
     A1  Injection
     A2  Broken Authentication & Session Management
     A3  Cross-Site Scripting (XSS)
     A4  Insecure Direct Object References
     A5  Security Misconfiguration
     A6  Sensitive Data Exposure
     A7  Missing Function Level Access Control
     A8  Cross-Site Request Forgery (CSRF)
     A9  Using Components with Known Vulnerabilities
     A10 Unvalidated Redirects and Forwards
  # Slide 2 — Mina deploy recipe (Ruby DSL).
  # Deploys as a dedicated "deploy" user rather than as root.
  set :user, "deploy"
  set :domain, 'howtocode.com.br'
  set :deploy_to, '/var/www/howto-site'
  # NOTE(review): the repository host was mangled by the transcript's e-mail
  # obfuscation ("[email protected]"); it is a git-over-SSH URL of the form
  # git@<host>:fnando/howto-site.git — the real host is not recoverable here.
  set :repository, '[email protected]:fnando/howto-site.git'
  set :branch, 'master'

  # ".env" holds the credentials the app reads at runtime (see the Dotenv
  # slide). Keeping it in shared/ means it lives only on the server and is
  # never committed to the repository.
  set :shared_paths, ['.env', 'log', 'tmp']

  desc "Deploys the current version to the server."
  task :deploy => :environment do
    deploy do
      invoke :'git:clone'
      invoke :'deploy:link_shared_paths'
      invoke :'bundle:install'
      invoke :'rails:assets_precompile'

      to :launch do
        # Touching tmp/restart.txt is the Passenger restart convention —
        # presumably that is the app server in use here.
        queue "touch #{deploy_to}/shared/tmp/restart.txt"
      end
    end
  end
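  <?php
  // Slide 3 — Database credentials come from the environment (.env), never
  // from source control.
  Dotenv::load(".env");

  $db_name = getenv("DB_NAME");
  $db_host = getenv("DB_HOSTNAME");
  $db_user = getenv("DB_USERNAME");
  $db_pass = getenv("DB_PASSWORD");

  // The original opened this string with a typographic quote (“), which is a
  // parse error. charset is declared in the DSN so PDO and the server agree
  // on the connection encoding (quoting rules depend on it).
  $db_uri = "mysql:dbname=${db_name};host=${db_host};charset=utf8";

  $db = new PDO($db_uri, $db_user, $db_pass, array(
      // Real server-side prepared statements instead of client-side emulation:
      // bound values never become part of the SQL text.
      PDO::ATTR_EMULATE_PREPARES => false,
      // Fail loudly instead of silently returning false on query errors.
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
  ));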
  <?php
  // Slide 4 — Setting a cookie with the Secure and HttpOnly flags.
  $cookie_name  = "name";          // cookie name
  $cookie_value = "John Doe";      // cookie value
  $expires      = 0;               // 0 = session cookie, dropped when the browser closes
  $path         = "/";             // path the cookie is valid for
  $domain       = "example.org";   // domain the cookie is valid for
  $secure_only  = true;            // Secure: only sent over HTTPS
  $http_only    = true;            // HttpOnly: not readable from document.cookie

  setcookie($cookie_name, $cookie_value, $expires, $path, $domain, $secure_only, $http_only);
  <?php
  // Slide 5 — ANTI-PATTERN: salted SHA-1 as a password hash, shown for
  // contrast with the bcrypt examples on the next two slides. SHA-1 is built
  // to be fast, so an attacker holding the digest can test a huge number of
  // guesses per second; the salt only defeats precomputed tables, not brute
  // force. Use a slow, salted KDF (bcrypt/scrypt/PBKDF2) instead.
  $password = "darthvader";
  // mt_rand() is not a cryptographic RNG; salts should come from a CSPRNG.
  $password_salt = sha1(mt_rand());
  // NOTE(review): "${salt}" is never defined — the variable above is
  // $password_salt — so this digest is presumably computed over an empty salt,
  // which would explain the fixed digest value in the trailing comment.
  $password_digest = sha1("--${salt}--${password}--"); // a82a101dea442136d49fc1ae32bea0ebd5ba3372
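  # Slide 6 — Ruby: hashing and verifying a password with bcrypt.
  require "bcrypt"

  # Saving to the database
  password = "darthvader"
  # cost 12 => 2^12 rounds; raise it over time as hardware gets faster.
  password_digest = BCrypt::Password.create(password, cost: 12)

  # Comparing the password.
  # BCrypt::Password.new wraps the stored *digest* (it raises
  # BCrypt::Errors::InvalidHash on a plain string such as "darthvader") and
  # == re-hashes the candidate with the digest's own salt and cost.
  # The original had the two operands the wrong way round.
  if BCrypt::Password.new(password_digest) == password
    puts "Valid password!"
  else
    puts "Invalid password!"
  end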
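  <?php
  // Slide 7 — PHP: bcrypt via password_hash()/password_verify() (PHP >= 5.5).
  # Saving to the database
  $password = "darthvader";
  // The original handed a hard-coded salt ('$2a$12$mit9bIv8oD6Ic9fE6Hoo') to
  // crypt(). That salt is 20 characters where bcrypt needs 22, so crypt() is
  // expected to return its failure marker ("*0") for *every* input — and the
  // later "*0" == "*0" comparison then accepts any password. A fixed salt is
  // also wrong in itself: each password needs its own random salt.
  // password_hash() generates a proper random salt and formats the digest.
  $password_digest = password_hash($password, PASSWORD_BCRYPT, array("cost" => 12));

  # Comparing the password
  // password_verify() reads salt and cost back out of the stored digest and
  // compares in constant time, unlike ==.
  if (password_verify($password, $password_digest)) {
      echo "Valid password!\n";
  } else {
      echo "Invalid password!\n";
  }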
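  # Slide 8 — Ruby: safe "return to" URL handling (open-redirect defence).
  #
  # Whatever the caller sends as the return URL, only its path, query and
  # fragment are kept, so the resulting redirect can never leave this host.
  class ReturnUrl
    attr_reader :default_url

    # default_url: local path to fall back to when the input is unusable.
    def initialize(default_url)
      @default_url = default_url
    end

    # Returns a same-origin path built from +url+, or +default_url+ when +url+
    # is nil/blank or cannot be parsed.
    def return_url(url)
      # Same check as ActiveSupport's blank? for nil and strings, without the
      # dependency.
      return default_url if url.to_s.strip.empty?

      # Malformed input (e.g. "/\\evil.com", which browsers read as
      # "//evil.com") raises here; treat it as "no return URL" rather than
      # letting the request fail.
      uri = begin
        URI.parse(url)
      rescue URI::InvalidURIError
        return default_url
      end

      # Collapse every leading "/" or "\" so the result always starts with a
      # single "/". A Location header of "//evil.com" is a protocol-relative
      # URL, i.e. a redirect to another host, even though uri.host was
      # discarded. An empty path (the original returned "") becomes "/".
      path = "/" + uri.path.to_s.sub(%r{\A[/\\]+}, "")
      path << "?#{uri.query}" if uri.query
      path << "##{uri.fragment}" if uri.fragment
      path
    end
  end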
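  <?php
  // Slide 9 — PHP: safe "return to" URL handling (open-redirect defence).
  // Only the path, query and fragment of the supplied URL are kept, so the
  // resulting redirect always stays on this host.
  class ReturnTo
  {
      // Kept public (the original used `var`) for callers that read it.
      public $defaultUrl;

      // $defaultUrl: local path to fall back to when the input is unusable.
      // PHP 4-style constructor (a method named after the class) replaced
      // with __construct; the old form is deprecated.
      public function __construct($defaultUrl)
      {
          $this->defaultUrl = $defaultUrl;
      }

      // Returns a same-origin path built from $url, or $defaultUrl when $url
      // is empty or cannot be parsed.
      public function returnUrl($url)
      {
          if (!$url) {
              return $this->defaultUrl;
          }

          // parse_url() returns false on seriously malformed input; the
          // original then indexed into false and emitted notices.
          $uri = parse_url($url);
          if ($uri === false) {
              return $this->defaultUrl;
          }

          // Strip *all* leading "/" and "\" so the result can never begin
          // with "//" or "/\" — browsers treat both as protocol-relative
          // URLs, i.e. a redirect to another host. isset() avoids the
          // undefined-index notices of the original.
          $path = isset($uri["path"]) ? $uri["path"] : "";
          $path = "/" . ltrim($path, "/\\");

          if (isset($uri["query"])) {
              $path .= "?" . $uri["query"];
          }
          if (isset($uri["fragment"])) {
              $path .= "#" . $uri["fragment"];
          }

          return $path;
      }
  }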
  # Slide 10 — DELIBERATELY VULNERABLE: request input interpolated straight
  # into the SQL string (SQL injection). This is the "before" example; the
  # parameterised fix is on slide 12.
  # Rails
  id = params[:id]
  # Note also: ActiveRecord::Relation#destroy expects an id argument;
  # destroy_all is the call that deletes every matching row.
  User.where("id = #{id}").destroy

  // PHP — DELIBERATELY VULNERABLE: $_GET["id"] is concatenated into the
  // query unescaped (SQL injection). The prepared-statement fix is on
  // slide 13. mysqli_query() also takes the connection as its first
  // argument, which the slide omits.
  $id = $_GET["id"];
  mysqli_query("DELETE FROM users WHERE id = '${id}'");
  # Slide 11 — DELIBERATELY VULNERABLE: the same two snippets with an attacker
  # payload in place of the id. "0 OR 1=1" makes the WHERE clause true for
  # every row, so both statements delete the whole users table.
  # Rails
  id = "0 OR 1=1"
  # (Relation#destroy expects an id argument; destroy_all is the intended call.)
  User.where("id = #{id}").destroy

  // PHP
  $id = "0 OR 1=1";
  // mysqli_query() takes the connection as its first argument; omitted here.
  mysqli_query("DELETE FROM users WHERE id = ${id}");
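  # Slide 12 — Rails: the fix — bind the value instead of interpolating it.
  id = "0 OR 1=1"

  # Positional placeholder: ActiveRecord quotes the bound value, so the
  # payload becomes the literal string '0 OR 1=1' and matches nothing.
  # destroy_all replaces the original .destroy — Relation#destroy requires an
  # id argument and would raise here; destroy_all deletes every matching row
  # (running callbacks).
  User.where("id = ?", id).destroy_all
  # Named placeholder, same effect.
  User.where("id = :id", id: id).destroy_all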
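  <?php
  // Slide 13 — PHP: the fix — a prepared statement with a bound parameter.
  // NOTE: root with an empty password is demo-only; real code uses a
  // least-privilege account.
  $db = new PDO("mysql:dbname=test;host=127.0.0.1", "root", "", array(
      // Fail loudly on errors instead of returning false.
      PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
      // Server-side prepares: bound data never becomes part of the SQL text.
      PDO::ATTR_EMULATE_PREPARES => false,
  ));

  $id = "0 OR 1=1";
  // PDO::PARAM_INT is a hint to the driver, not a validator. Coerce
  // explicitly so a non-numeric payload is sent as the integer 0 rather than
  // as a string the driver has to interpret.
  $id = (int) $id;

  $query = $db->prepare("delete from users where id = :id");
  // bindValue instead of bindParam: the value is captured now, not by
  // reference at execute() time.
  $query->bindValue(":id", $id, PDO::PARAM_INT);
  $query->execute();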
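  <?php
  // Slide 14 — Output encoding helper for HTML text and attribute contexts.
  //
  // Encodes the HTML metacharacters (& < > " ') so $content is rendered as
  // text and never parsed as markup. The original ran strip_tags() first;
  // that is not an encoding step — it silently destroys legitimate input
  // ("I <3 PHP" becomes "I ") — and htmlspecialchars alone already neutralises
  // any tag, so it is dropped.
  //
  // This is for HTML element content and quoted attributes only; values
  // placed into JavaScript, URLs or CSS need their own context-specific
  // encoding.
  //
  // $content: untrusted string, expected to be UTF-8.
  // Returns the encoded string. Invalid UTF-8 sequences are replaced with
  // U+FFFD (ENT_SUBSTITUTE, PHP >= 5.4) instead of htmlspecialchars returning
  // an empty string for the whole input.
  function escape_html($content) {
      return htmlspecialchars($content, ENT_QUOTES | ENT_SUBSTITUTE, "UTF-8");
  }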
  # Slide 15 — Rails view helper: three versions of the same method.
  # (Ruby keeps only the last definition of a method; the three are shown
  # side by side on the slide for comparison.)

  # 1) VULNERABLE: text is interpolated raw and the result is marked
  #    html_safe, so any markup inside text is rendered as-is (XSS).
  def annotation(text)
    %[<em class="annotation">#{text}</em>].html_safe
  end

  # 2) Safe: content_tag HTML-escapes text itself and returns a SafeBuffer.
  def annotation(text)
    content_tag :em, text, class: "annotation"
  end

  # 3) Safe: text is explicitly escaped with h() before the string is marked
  #    html_safe.
  def annotation(text)
    %[<em class="annotation">#{h(text)}</em>].html_safe
  end
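  <?php
  // Slide 16 — PHP: the same helper, unsafe and safe.

  // VULNERABLE: $text is interpolated raw, so markup inside it is rendered
  // (XSS). Renamed from annotation() — PHP cannot declare the same function
  // twice in one file, so the slide's two definitions would not both load.
  function annotation_unescaped($text) {
      return "<em class='annotation'>${text}</em>";
  }

  // Safe: $text is HTML-encoded before interpolation. The original passed the
  // bare word `text` (not `$text`) to escape_html(), which escapes the literal
  // string "text" instead of the argument. Because the attribute is
  // single-quoted, escape_html() must encode ' as well (ENT_QUOTES) for this
  // to be safe.
  function annotation($text) {
      $text = escape_html($text);
      return "<em class='annotation'>${text}</em>";
  }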
  17. @fnando Received heartbeat response: 0000: 02 40 00 D8 03

    00 53 43 5B 90 9D 9B 72 0B BC 0C [email protected][...r... 0010: BC 2B 92 A8 48 97 CF BD 39 04 CC 16 0A 85 03 90 .+..H...9....... 00d0: 10 00 11 00 23 00 00 00 0F 00 01 01 2F 33 34 2E ....#......./34. 00e0: 30 2E 31 38 34 37 2E 31 33 37 20 53 61 66 61 72 0.1847.137 Safar 00f0: 69 2F 35 33 37 2E 33 36 0D 0A 52 65 66 65 72 65 i/537.36..Refere 0100: 72 3A 20 68 74 74 70 73 3A 2F 2F 77 77 77 2E 74 r: https://examp 0110: 72 61 79 2E 63 6F 6D 2E 62 72 2F 0D 0A 41 63 63 le.org/......Acc 0120: 65 70 74 2D 45 6E 63 6F 64 69 6E 67 3A 20 67 7A ept-Encoding: gz 0130: 69 70 2C 64 65 66 6C 61 74 65 2C 73 64 63 68 0D ip,deflate,sdch. 0140: 0A 41 63 63 65 70 74 2D 4C 61 6E 67 75 61 67 65 .Accept-Language 0150: 3A 20 70 74 2D 42 52 2C 70 74 3B 71 3D 30 2E 38 : pt-BR,pt;q=0.8 0160: 2C 65 6E 2D 55 53 3B 71 3D 30 2E 36 2C 65 6E 3B ,en-US;q=0.6,en; 0170: 71 3D 30 2E 34 0D 0A 43 6F 6F 6B 69 65 3A 20 5F q=0.4..Cookie: _ 0180: 5F 75 74 6D 61 3D 34 37 35 37 33 32 31 38 2E 31 _utma=47573218.1 0190: 33 31 31 35 32 35 38 34 37 2E 31 34 30 30 30 39 311525847.140009 01a0: 31 35 31 39 2E 31 34 30 30 30 39 36 38 36 35 2E 1519.1400096865. 01b0: 31 34 30 30 31 35 31 35 33 34 2E 33 3B 20 5F 5F 1400151534.3; __ 01c0: 75 74 6D 7A 3D 34 37 35 37 33 32 31 38 2E 31 34 utmz=47573218.14 01d0: 30 30 30 39 31 35 31 39 2E 31 2E 31 2E 75 74 6D 00091519.1.1.utm 01e0: 63 73 72 3D 28 64 69 72 65 63 74 29 7C 75 74 6D csr=(direct)|utm 01f0: 63 63 6E 3D 28 64 69 72 65 63 74 29 7C 75 74 6D ccn=(direct)|utm 0200: 63 6D 64 3D 28 6E 6F 6E 65 29 0D 0A 0D 0A 25 30 cmd=(none)....%0
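  # Slide 18 — Host firewall with ufw (Ubuntu).
  apt-get install ufw

  # Policy first: drop everything inbound that is not explicitly allowed.
  ufw default deny incoming
  ufw logging low

  # Open the services BEFORE enabling the firewall. The original ran
  # "ufw default deny" then "ufw enable" before any allow rule — on a remote
  # host that cuts off the SSH session you are typing in.
  # "limit" allows ssh but rate-limits new connections per source address,
  # which blunts brute-force attempts. The original also ran "ufw allow ssh"
  # ahead of it; that rule matches first and makes the limit rule dead, so
  # only the limit rule is kept. The bare "ufw delete" (which needs a rule
  # argument) is dropped.
  ufw limit ssh
  ufw allow www
  ufw allow https

  ufw enable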