Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Security 101 - Ruby Fun Day 2014

Francesco Rodríguez
October 23, 2014
Programming
0
86

Web Security 101 - Ruby Fun Day 2014

In this workshop you will learn about the basics of web security by starting with a clean application and adding features to prevent the most common attacks.

Francesco Rodríguez

October 23, 2014
Tweet

More Decks by Francesco Rodríguez

See All by Francesco Rodríguez
A Minimalistic Ruby Stack
frodsan
1
48
Web Development with Cuba - Ruby Fun Day 2014
frodsan
0
100
Introduction to Cuba
frodsan
1
47
Aprende a Programar
frodsan
0
150
Metaprogramming: From Zero to Hero. (URU meetup)
frodsan
1
120
Introducción a Cuba
frodsan
0
62

Other Decks in Programming

See All in Programming
スキーマ駆動開発による品質とスピードの両立 - 私達は何故、スキーマを書くのか
kentaroutakeda
0
180
SIMD Parallel Programming with the Vector API
josepaumard
0
230
From Spring Boot 2 to Spring Boot 3 with Java 21 and Jakarta EE
ivargrimstad
0
620
大規模Reactアプリのリアーキテクチャ~8万行のTanStack Query移行の軌跡~
kj455
4
1k
Behind VS Code Extensions for JavaScript / TypeScript Linnting and Formatting
unvalley
6
1.2k
Java 22 Overview
kishida
1
200
Ruby GitHub Packages
bkuhlmann
0
640
Domain-Driven Transformation
hschwentner
2
1.5k
敵対的ポイフル
futabato
0
130
Compose-View Interop in Practice (mDevCamp 2024)
stewemetal
0
170
Git Rebase
bkuhlmann
11
1.6k
Webアプリをできるだけコードを手書きしないで作ってみる
tomokusaba
2
140

Featured

See All Featured
The Art of Programming - Codeland 2020
erikaheidi
43
12k
Optimizing for Happiness
mojombo
370
69k
Why Our Code Smells
bkeepers
PRO
331
56k
The Cult of Friendly URLs
andyhume
74
5.7k
The Cost Of JavaScript in 2023
addyosmani
21
3.9k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
228
16k
What the flash - Photography Introduction
edds
64
11k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
123
39k
A Modern Web Designer's Workflow
chriscoyier
689
190k
Thoughts on Productivity
jonyablonski
60
3.9k
Become a Pro
speakerdeck
PRO
13
4.6k
Automating Front-end Workflow
addyosmani
1357
200k

Transcript

  1. None

  2. Francesco (frodsan) [email protected]

  3. Web Security 101

  4. Passwords

  5. How not to!

  6. #1 Just store it!

  7. None
  8. None
  9. None
  10. None

  11. #2 Encryption

  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None

  20. Encryption is reversible

  21. DES 3DES AES

  22. #3 Hashing

  23. Hashing is irreversible

  24. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  25. hash(?) “e10adc3949ba59abbe56e057f20f883e”

  26. Hashing is deterministic

  27. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  28. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mupassword”) “b11d7ccaee763e5840f9d906e0bf2edf”

  29. None
  30. None
  31. None

  32. Hashing is deterministic

  33. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  34. thelonelyones.heroku.com/passwords.csv
 thelonelyones.heroku.com/login Exercise

  35. Lookup tables

  36. None

  37. Adobe Security Breach (2013) 38 million active users
 passwords, credit

    card information

  38. http://xkcd.com/1286/

  39. MD5
 SHA1 SHA2

  40. ✓ Hashing + Salting

  41. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  42. hash(“mypassword”, salt)

  43. hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…”

  44. hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…
 
 hash(“mypassword”, 1bc1fa3bc1d5d85…)
 e92a46f76d413ce73ab5796756bc92…

  45. 1976 - crypt(3)

  46. GPU
 FPGA

  47. PBKDF2
 Bcrypt Scrypt

  48. PBKDF2 (armor, pbkdf2)
 Bcrypt (bcrypt) Scrypt (scrypt)

  49. How to do it

  50. ʕ•ᴥ•ʔ ! • Don’t do it (leave it to GitHub,

    Google, etc.) • If you must do it, use pbkdf2 or bcrypt or scrypt. • Keep password length between 8 and 50. • Nothing can save you easy to guess passwords.

  51. Cross Site Scripting - XSS

  52. 1993

  53. <HTML/>

  54. <html> ! </html>

  55. <html> <b>Web Security 101</b> </html>

  56. None

  57. </>?

  58. Escaping

  59. <html> <b>Angle brackets: &gt; &lt;</b> </html>

  60. None

  61. 1995

  62. JavaScript

  63. <html> ! </html>

  64. <html> <script>
 </script> </html>

  65. <html> <script> var message = "Web Security 101"; ! alert(message);

    </script> </html>
  66. None

  67. <html> <script> var message = "<b>Web Security 101</b>"; ! document.write(message);

    </script> </html>
  68. None

  69. JavaScript == DANGER

  70. None

  71. “Samy is my hero” (2005) • XSS attack propagated by

    Myspace profiles. ! • Over one million affected users within the first 20 hours. ! • 3 years without computer.

  72. How to do it

  73. Escaping

  74. UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&amp;",

    ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#x27;", "/" => "&#x2F;" } ! string.gsub(UNSAFE, HTML_ESCAPE)

  75. UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&amp;",

    ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#x27;", "/" => "&#x2F;" } ! string.gsub(UNSAFE, HTML_ESCAPE)

  76. github.com/frodsan/hache

  77. References

  78. • OWASP Top 10:
 https://www.owasp.org
 
 • Adobe 10GB database

    passwords leak:
 http://bit.ly/188ctZL
 • MySpace XSS vulnerability:
 http://bit.ly/1urMIbG
 • Tweetdeck XSS vulnerability:
 http://bit.ly/1urMGAy


  79. thanks ʕ•ᴥ•ʔ