
Rails Security

Rails is a much more secure framework than you think. Unfortunately, not every developer does their part to keep the application that way. In this talk you will see some of the attack vectors in use, why it is important to keep your application up to date, and some good practices that minimise the chances of being hacked.

Nando Vieira

November 23, 2013


Transcript

  1. OWASP — TOP 10 2013

     - Injection
     - Broken Authentication & Session Management
     - Cross-Site Scripting (XSS)
     - Insecure Direct Object References
     - Security Misconfiguration
     - Sensitive Data Exposure
     - Missing Function Level Access Control
     - Cross-Site Request Forgery (CSRF)
     - Using Components with Known Vulnerability
     - Unvalidated Redirects and Forwards
  2. @fnando

     $ http http://localhost:9292/
     HTTP/1.1 200 OK
     Cache-Control: max-age=0, private, must-revalidate
     Connection: Keep-Alive
     Content-Length: 1313
     Content-Type: text/html; charset=utf-8
     Date: Fri, 27 Sep 2013 23:41:57 GMT
     Etag: "b313808d614f80d3d28848edf101ef4b"
     Server: WEBrick/1.3.1 (Ruby/2.0.0/2013-06-27)
     Set-Cookie: _rails3-app_session=BAh7CEki...3Npa9d; path=/; HttpOnly
     X-Request-Id: c0f73c4949d60ef75c3d1d8fdf5c15d5
     X-Runtime: 0.054038
     X-Ua-Compatible: IE=Edge
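The slide shows the session cookie being set with `HttpOnly`. As an added example (not part of the talk), the following plain-Ruby checker parses a response header block of that shape and reports which hardening attributes each cookie carries. `RAW_RESPONSE` is a constructed sample modelled on the slide's output, and the `SameSite` check goes beyond what the 2013 slide discusses.

```ruby
# Added example (not from the talk): report cookie hardening flags found in
# a raw HTTP response. RAW_RESPONSE is a constructed sample that mirrors the
# headers shown on the slide.
RAW_RESPONSE = <<~HTTP
  HTTP/1.1 200 OK
  Cache-Control: max-age=0, private, must-revalidate
  Content-Type: text/html; charset=utf-8
  Set-Cookie: _rails3-app_session=BAh7CEki...3Npa9d; path=/; HttpOnly
  X-Request-Id: c0f73c4949d60ef75c3d1d8fdf5c15d5
HTTP

# Split a raw header block into [name, value] pairs; the status line is dropped.
def parse_headers(raw)
  lines = raw.lines.map(&:chomp).reject(&:empty?)
  lines.drop(1).map { |line| line.split(":", 2).map(&:strip) }
end

# Describe every Set-Cookie header: cookie name plus the flags we care about.
def cookies(raw)
  parse_headers(raw).select { |name, _| name.casecmp("Set-Cookie").zero? }.map do |_, value|
    name_value, *attrs = value.split(";").map(&:strip)
    flags = attrs.map { |a| a.split("=", 2).first.downcase }
    {
      name: name_value.split("=", 2).first,
      http_only: flags.include?("httponly"),
      secure: flags.include?("secure"),
      same_site: attrs.find { |a| a.downcase.start_with?("samesite=") }&.split("=", 2)&.last
    }
  end
end

# Defensive check: map each cookie name to the list of attributes it lacks.
def missing_cookie_flags(raw)
  cookies(raw).each_with_object({}) do |c, out|
    missing = []
    missing << "HttpOnly" unless c[:http_only]
    missing << "Secure" unless c[:secure]
    missing << "SameSite" if c[:same_site].nil?
    out[c[:name]] = missing
  end
end

if __FILE__ == $PROGRAM_NAME
  missing_cookie_flags(RAW_RESPONSE).each do |name, missing|
    puts "#{name}: #{missing.empty? ? 'all flags present' : "missing #{missing.join(', ')}"}"
  end
end
```

The sample is served over plain `http://localhost`, so the absence of `Secure` is expected there; the same check run against production responses is where a missing `Secure` flag matters.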
  3. class SessionsController < ApplicationController
       def create
         user = User.find_by_email(params[:email])

         if user && user.authenticate(params[:password])
           reset_session
           session[:user_id] = user.id
           redirect_to dashboard_path
         else
           render :new
         end
       end
     end
  4. class ReturnUrl
       attr_reader :default_url

       def initialize(default_url)
         @default_url = default_url
       end

       def return_url(url)
         return default_url if url.blank?

         uri = URI.parse(url)
         path = uri.path
         path << "?#{uri.query}" if uri.query
         path << "##{uri.fragment}" if uri.fragment
         path
       end
     end
  5. # User input interpolated straight into the SQL fragment.
     email = " ' OR 1) --"
     User.where("email = '#{email}'").first
     #=> #<User id: 1, email: "[email protected]">

     id = "1) OR 1=1--"
     User.delete_all("id = #{id}")
  6. # Using a hash
     User.where(email: params[:email])

     # Using placeholders
     User.where("name LIKE ?", "%#{params[:name]}%")

     # Using named placeholders
     User.where("name LIKE :name", name: "%#{params[:name]}%")
  7. params[:column] = <<-SQL
       salary) FROM users WHERE email = '[email protected]';
     SQL

     User.calculate(:sum, params[:column])
     #=> 4200
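Slides 6 and 7 leave two caveats implicit that a practitioner will want spelled out: bound placeholders do not neutralise `%` and `_` inside a `LIKE` pattern, and a column name can never be a bound parameter at all, so `calculate` must only ever see an allowlisted name. The following plain-Ruby block is an added example, not code from the talk; `escape_like` re-implements the idea behind Rails' `sanitize_sql_like`, and `SUMMABLE_COLUMNS` and the sample payload are constructed for the example.

```ruby
# Added example (not from the talk). Placeholders stop SQL injection, but
# two things on these slides still need care:
#   1. Inside a LIKE pattern, "%" and "_" in user input remain wildcards, so
#      "%" alone matches every row. Rails has sanitize_sql_like for this;
#      escape_like below re-implements the same escaping in plain Ruby.
#   2. A column name cannot be a bound parameter, so an aggregate such as
#      User.calculate(:sum, params[:column]) must be restricted to an
#      allowlist before the name reaches the query.

# Escape LIKE metacharacters with a backslash so the term matches literally.
# The SQL must use the same escape character: name LIKE ? ESCAPE '\'.
def escape_like(term)
  term.gsub(/[\\%_]/) { |ch| "\\#{ch}" }
end

# The bound value for "name LIKE ?" as built on slide 6, with the user's
# wildcards neutralised.
def contains_pattern(term)
  "%#{escape_like(term)}%"
end

# Columns that may be summed. Hypothetical names, chosen for the example.
SUMMABLE_COLUMNS = %w[salary bonus].freeze

# Return the column as a symbol if allowed, otherwise raise before anything
# is interpolated into SQL. The comparison is exact and case-sensitive.
def summable_column(name)
  column = name.to_s
  return column.to_sym if SUMMABLE_COLUMNS.include?(column)

  raise ArgumentError, "column not allowed for aggregation: #{column.inspect}"
end

# Convenience used by the checks: does the allowlist reject this name?
def column_rejected?(name)
  summable_column(name)
  false
rescue ArgumentError
  true
end

# Constructed sample with the shape of the slide 7 payload (placeholder email).
INJECTED_COLUMN = "salary) FROM users WHERE email = 'user@example.test'; --"

if __FILE__ == $PROGRAM_NAME
  puts contains_pattern("50%_off")          # the % and _ are now literal
  puts summable_column("salary").inspect    # :salary
  puts column_rejected?(INJECTED_COLUMN)    # true
end
```

MySQL and PostgreSQL treat a backslash as the default `LIKE` escape character; on databases that do not (SQLite, for instance) the query has to declare `ESCAPE '\'` explicitly or the escaping has no effect.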
  8. require "active_model"
     require "uri"

     class UrlValidator < ActiveModel::EachValidator
       PROTOCOLS = %w[http https]

       def validate_each(record, attribute, value)
         uri = URI.parse(value)
         valid = PROTOCOLS.include?(uri.scheme)
       rescue URI::InvalidURIError
         valid = false
       ensure
         record.errors.add(attribute, :invalid_url) unless valid
       end
     end
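Slides 4 and 8 both deal with URLs that come from the user: one reduces a "return to" value to a local path, the other allowlists the scheme. The block below is an added example, not code from the talk, that implements both checks in plain Ruby so they run without Rails. `safe_return_path` is stricter than the slide's `ReturnUrl`: where `ReturnUrl` strips the host off any URL and keeps the path, this version falls back to the default whenever a scheme or host is present, and it relies on `URI.parse` rejecting malformed input such as a backslash after the leading slash (which browsers would read as a protocol-relative URL). `DEFAULT_PATH`, `ALLOWED_SCHEMES` and the sample inputs are constructed for the example.

```ruby
require "uri"

# Added example (not from the talk): the two URL checks from slides 4 and 8
# as plain Ruby, with the edge cases a redirect target tends to arrive with.
# DEFAULT_PATH and ALLOWED_SCHEMES are assumptions for this example.
ALLOWED_SCHEMES = %w[http https].freeze
DEFAULT_PATH = "/dashboard"

# Reduce a user-supplied "return to" value to a same-site absolute path.
# Anything else (a scheme such as javascript:, a host, a protocol-relative
# "//host", a bare relative word, malformed input) falls back to the default.
def safe_return_path(value, default: DEFAULT_PATH)
  return default if value.nil? || value.strip.empty?

  uri = URI.parse(value)
  return default unless uri.scheme.nil? && uri.host.nil? # no scheme, no host
  return default unless uri.path.start_with?("/")        # absolute path only

  path = uri.path.dup
  path << "?#{uri.query}" if uri.query
  path << "##{uri.fragment}" if uri.fragment
  path
rescue URI::InvalidURIError
  default
end

# The scheme allowlist from UrlValidator, plus a requirement that a host is
# present so that "http:" on its own does not pass.
def valid_web_url?(value)
  uri = URI.parse(value.to_s)
  ALLOWED_SCHEMES.include?(uri.scheme.to_s.downcase) && !uri.host.to_s.empty?
rescue URI::InvalidURIError
  false
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs.
  ["/orders/42?tab=open#notes", "//evil.example/login", "javascript:void(0)", "orders"].each do |v|
    puts "#{v.inspect} -> #{safe_return_path(v)}"
  end
  ["https://example.test/path", "ftp://example.test/file", "not a url"].each do |v|
    puts "#{v.inspect} valid? #{valid_web_url?(v)}"
  end
end
```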
  9. class Article < ActiveRecord::Base
       # Completely remove unsafe and/or
       # unknown tags.
       html_fragment :body, scrub: :prune
     end
  10. # Unsafe: the raw text is interpolated and then marked html_safe,
      # so the view will not escape it.
      def annotation(text)
        %[<em class="annotation">#{text}</em>].html_safe
      end

      # Safe: content_tag escapes the text for you.
      def annotation(text)
        content_tag :em, text, class: "annotation"
      end

      # Safe: escape with h() before marking the result html_safe.
      def annotation(text)
        %[<em class="annotation">#{h(text)}</em>].html_safe
      end
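To make the difference between the three helpers visible outside a Rails view, here is an added example (not code from the talk) that rewrites the unsafe and the escaped variant in plain Ruby. `CGI.escapeHTML` from the standard library plays the role of the `h()` helper; `SAMPLE` is a constructed input, and `annotation_with_title` is a hypothetical extension that shows the same escaping applied in an attribute context, which the slide does not cover.

```ruby
require "cgi"

# Added example (not from the talk): the annotation helpers from the slide
# without Rails, so what escaping changes can be checked directly.
# SAMPLE is a constructed input containing markup and quotes.
SAMPLE = %(Nando <b>says</b> "hi" & <script>x()</script>)

# Unsafe: interpolates the raw text into the markup. In Rails, calling
# html_safe on this string would tell the view not to escape it again.
def annotation_unsafe(text)
  %(<em class="annotation">#{text}</em>)
end

# Safe: escape the text before it is placed inside the tag body. This is
# what h(text) does on the slide.
def annotation_safe(text)
  %(<em class="annotation">#{CGI.escapeHTML(text)}</em>)
end

# Hypothetical extension: attribute values need the same treatment, and
# escapeHTML also converts the quote characters that would otherwise end the
# attribute early.
def annotation_with_title(text, title)
  %(<em class="annotation" title="#{CGI.escapeHTML(title)}">#{CGI.escapeHTML(text)}</em>)
end

# Check used by the assertions: after removing the wrapping <em> tag, does
# any raw angle bracket remain in the output?
def leaks_markup?(html)
  inner = html.sub(%r{\A<em class="annotation"[^>]*>}, "").sub(%r{</em>\z}, "")
  inner.match?(/[<>]/)
end

if __FILE__ == $PROGRAM_NAME
  puts annotation_unsafe(SAMPLE)
  puts annotation_safe(SAMPLE)
  puts annotation_with_title("deadline", %(say "hi"))
end
```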