Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Common Web Security Holes - Paul Grayson

Las Vegas Ruby Group
December 05, 2012
0
47

Common Web Security Holes - Paul Grayson

Supporting files available at https://github.com/LasVegasRubyGroup/presentations

Las Vegas Ruby Group

December 05, 2012
Tweet

More Decks by Las Vegas Ruby Group

See All by Las Vegas Ruby Group
Ruby ISO Standard - David Grayson
lvrug
0
92
Windows Automation - Howard Feldman
lvrug
0
37
Separating Your Application from Rails - Brian Hughes
lvrug
0
70
SWIG and Ruby - David Grayson
lvrug
0
39
Practical Object-Oriented Design in Ruby - Charles Jackson
lvrug
3
96
The Hamster Gem - Ryan Mulligan
lvrug
1
70
Varnish+Redis - Russ Smith
lvrug
1
73
Lambdas and Pops - Jan Hettich
lvrug
0
38
Making Good Use of Fonts - Russ Smith
lvrug
1
53

Featured

See All Featured
Imperfection Machines: The Place of Print at Facebook
scottboms
258
12k
Into the Great Unknown - MozCon
thekraken
10
980
No one is an island. Learnings from fostering a developers community.
thoeni
14
2.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
18
1.7k
Docker and Python
trallard
33
2.7k
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
501
140k
Thoughts on Productivity
jonyablonski
57
3.8k
Side Projects
sachag
451
41k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
jcasabona
20
1.6k
Being A Developer After 40
akosma
56
580k
The Cost Of JavaScript in 2023
addyosmani
14
3.8k
Gamification - CAS2011
davidbonilla
76
4.6k

Transcript

  1. Common Web Security Holes Paul Grayson 2012-12-05

  2. Some problems with the web 1.You can't trust the network

    2.You can't trust URLs and HTML 3.You can't trust user-submitted content 4.You can't trust sessions 5.You can't trust browsers

  3. Introduce demo site

  4. 1. You can't trust the network • Requests and pages

    can be intercepted • “Man-in-the-middle” • DNS hijacking A partial solution: SSL ($$)

  5. 2. You can't trust URLs and HTML • Path traversal

    • Form hacking • Cross-site request forgery (CSRF) • Rails: authenticity-token blocks this. • That makes it hard to do other stuff, like caching or emailing links that take an action. • Cross-site scripting (XSS) • Chrome blocks scripts in parameters

  6. 3. You can't trust user content • Persistent XSS •

    SQL injection In Rails: HTML and SQL strings are cleaned (quoted) automatically in most cases. But it is really easy to inadvertently bypass this protection.

  7. 4. You can't trust sessions • Session modification Rails: generally

    blocked • Session fixation e.g. via XSS attack Rails: reset sessions on login • Session replay attacks

  8. 5. You can't trust browsers • CSS visited leak •

    Fixed in Chrome and Firefox April 2010 • Not fixed in IE • 403 error logged in leak • “Clickjacking” • Etc...

  9. • Rails and modern browsers help. • But there are

    still a lot of traps! • Discuss Conclusion