Slide 1

GOOD MORNING RUBYFUZA ☕

Slide 2

RUAN BRANDÃO SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING) TWITTER TIMELINE CURATOR @RUANBRANDAO /RUAN-BRANDAO

Slide 3

Photo by Rafaela Biazi on Unsplash

Slide 4

São Paulo

Slide 5

Paulínia - São Paulo

Slide 6

Pipa - Rio Grande do Norte

Slide 7

Made in "

Slide 8

CYBER ATTACKS

Slide 9

A FIELD GUIDE FOR WEB VULNERABILITIES

Slide 10

THE WEB: HTTP, HTTPS, TLS, SSL, Databases, Servers, Credentials, TCP/IP, DNS, Clusters, Cache, Browsers

Slide 11

USING COMPONENTS WITH KNOWN VULNERABILITIES

Slide 12

No content

Slide 13

UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1

Slide 14

INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS

Slide 15

INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION SERVERS

Slide 16

SQL INJECTION

Slide 17

XKCD, available at https://xkcd.com/327/

Slide 18

No content

Slide 19

BE CAREFUL WITH THE ORDER METHOD
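The slide's point, spelled out as an added example that is not code from the talk: ActiveRecord's `order` takes a SQL fragment, so `Model.order(params[:sort])` hands the query string straight to the database. The plain-Ruby stand-in below (no Rails required) shows the interpolating version next to an allowlisted one; the column names, the default sort and the `sort_param` values are constructed for the example, and the returned clause is what you would pass on as a known-safe fragment.

```ruby
# Added example (not from the talk): building an ORDER BY clause from a
# query-string value without letting that value reach the SQL text.

# Unsafe pattern: whatever the client sends becomes part of the statement.
# Kept here deliberately, for contrast with the hardened version.
def unsafe_order_clause(sort_param)
  "ORDER BY #{sort_param}"
end

# Allowlists: the only columns the endpoint sorts on, and the only directions.
SORTABLE_COLUMNS = %w[name email created_at].freeze
DIRECTIONS       = %w[ASC DESC].freeze

# Hardened pattern: split the value into tokens, accept each token only if it
# is on the allowlist, then rebuild the clause from those tokens.  Unknown
# input raises, so the controller can answer 400 instead of querying.
def safe_order_clause(sort_param, default: "created_at DESC")
  value = sort_param.to_s.strip
  value = default if value.empty?
  column, direction = value.split(/\s+/, 2)
  direction = (direction || "ASC").upcase
  unless SORTABLE_COLUMNS.include?(column) && DIRECTIONS.include?(direction)
    raise ArgumentError, "unsupported sort: #{value.inspect}"
  end
  "ORDER BY #{column} #{direction}"
end

if $PROGRAM_NAME == __FILE__
  # A constructed request value in the spirit of the xkcd slide.
  hostile = "name; DROP TABLE users"
  puts unsafe_order_clause(hostile)          # the injection goes through
  begin
    safe_order_clause(hostile)
  rescue ArgumentError => e
    puts "rejected: #{e.message}"            # the allowlist stops it
  end
  puts safe_order_clause("name desc")        # ORDER BY name DESC
end
```

Because the clause is rebuilt from allowlisted tokens rather than sanitized, extra characters (a second column, a comment marker, a semicolon) never survive: anything that is not exactly a known column and direction is refused.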

Slide 20

CODE INJECTION & COMMAND INJECTION

Slide 21

BE EXTRA CAREFUL WITH EVAL AND BACKTICKS

Slide 22

BE CAREFUL WITH CONSTANTIZE
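Slides 21 and 22 name three ways request data turns into code in a Rails app: `eval`, backtick commands, and `constantize`. The block below is an added example, not code from the talk, showing the defensive replacement for each: parse the one grammar you mean to support instead of evaluating, pass argv arrays instead of shell strings, and map accepted names to classes instead of resolving arbitrary constants. It runs without Rails; `Object.const_get` is the stand-in for ActiveSupport's `constantize` that the hardened code avoids, and the exporter classes and input values are constructed for the example.

```ruby
require "shellwords"

# Added example (not from the talk): user input handled as data, never as code.

# 1. eval: a "calculator" endpoint must not eval the request body.  Match the
#    only grammar you support and dispatch through an allowlist of operators.
ALLOWED_OPS = { "+" => :+, "-" => :-, "*" => :*, "/" => :/ }.freeze
CALC_RE = /\A\s*(-?\d+)\s*([-+*\/])\s*(-?\d+)\s*\z/

def safe_calc(expr)
  m = CALC_RE.match(expr.to_s)
  raise ArgumentError, "not an arithmetic expression: #{expr.inspect}" unless m
  lhs, op, rhs = m[1].to_i, m[2], m[3].to_i
  raise ZeroDivisionError, "division by zero" if op == "/" && rhs.zero?
  lhs.public_send(ALLOWED_OPS.fetch(op), rhs)
end

# 2. backticks: `ls -l #{dir}` lets shell metacharacters in dir run extra
#    commands.  Build an argv array instead: Kernel#system / IO.popen given an
#    array never start a shell, so the argument is delivered literally.
#    ("--" ends option parsing so a dir starting with "-" is not an option.)
def ls_argv(dir)
  ["ls", "-l", "--", dir.to_s]
end

# If a command *string* is unavoidable (e.g. for a log line), escape per word.
def ls_command_string(dir)
  ls_argv(dir).shelljoin
end

# 3. constantize: params[:type].constantize lets the request name any
#    constant in the process.  Map the accepted names to classes explicitly.
class CsvExporter
  def self.format; "csv"; end
end

class JsonExporter
  def self.format; "json"; end
end

EXPORTERS = { "csv" => CsvExporter, "json" => JsonExporter }.freeze

def exporter_for(type_param)
  EXPORTERS.fetch(type_param.to_s) do
    raise ArgumentError, "unknown exporter: #{type_param.inspect}"
  end
end

if $PROGRAM_NAME == __FILE__
  puts safe_calc("2 + 3")                      # 5
  p ls_argv("docs; id")                        # the ";" stays inside one argument
  puts ls_command_string("docs; id")           # ls -l -- docs\;\ id
  puts exporter_for("csv").format              # csv
  [ "system('id')", "Kernel" ].each do |bad|
    begin
      bad.include?("(") ? safe_calc(bad) : exporter_for(bad)
    rescue ArgumentError => e
      puts "rejected: #{e.message}"
    end
  end
end
```

The common shape in all three is an explicit allowlist: the code decides up front which operators, which argv positions and which classes exist, and the request can only pick among them.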

Slide 23

CROSS SITE SCRIPTING (XSS)

Slide 24

CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE IN YOUR APPLICATION USERS' BROWSERS

Slide 25

No content

Slide 26

No content

Slide 27

No content

Slide 28

RAILS DOES THE HARD WORK

Slide 29

BE CAREFUL WITH RAW AND HTML_SAFE
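Slides 28 and 29 together: Rails escapes every string a view interpolates unless you opt out with `raw` or `html_safe`. The block below is an added example, not code from the talk, that reproduces the two behaviours in plain Ruby so it runs without Rails: `ERB::Util.html_escape` from the standard library is the same escaping Rails' `h` helper applies, and the comment author and body are constructed input.

```ruby
require "erb"

# Added example (not from the talk): the difference between trusting a string
# (what `raw` / `html_safe` does) and escaping it at the point it enters HTML.

# Vulnerable pattern: concatenating user text into markup, which is exactly
# what calling html_safe on a request parameter amounts to.
def render_comment_unsafe(author, body)
  "<li><b>#{author}</b>: #{body}</li>"
end

# Hardened pattern: every untrusted value is escaped in the HTML context it
# lands in.  Only the markup written by the developer stays unescaped.
def render_comment(author, body)
  "<li><b>#{ERB::Util.html_escape(author)}</b>: #{ERB::Util.html_escape(body)}</li>"
end

# Test helper: did an untrusted value that contained a tag reach the output
# verbatim?  Useful as a view-level regression check for accidental `raw`.
def contains_raw_tag?(html, untrusted)
  untrusted.include?("<") && html.include?(untrusted)
end

if $PROGRAM_NAME == __FILE__
  # Constructed input: the classic probe string.
  body = "<script>alert(1)</script>"
  puts render_comment_unsafe("mallory", body)   # the tag survives
  puts render_comment("mallory", body)          # &lt;script&gt; ... rendered as text
end
```

If some user-supplied HTML must be allowed (a markdown renderer's output, for instance), sanitize it with an allowlisting sanitizer first and only then mark the result as safe; calling `html_safe` or `raw` on the request parameter itself is the bug the slide warns about.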

Slide 30

NEVER TRUST USER INPUT Security tip #2

Slide 31

BROKEN ACCESS CONTROL

Slide 32

No content

Slide 33

No content

Slide 34

No content

Slide 35

No content

Slide 36

BE CAREFUL WITH ACCESS TO SENSITIVE DATA Security tip #3

Slide 37

BROKEN AUTHENTICATION

Slide 38

DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY KNOW WHAT YOU ARE DOING. Security tip #4

Slide 39

AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION

Slide 40

No content

Slide 41

Photo by Patrick Tomasso on Unsplash

Slide 42

https://owasp.org

Slide 43

No content

Slide 44

Photo by Barn Images on Unsplash

Slide 45

STATIC CODE ANALYSIS

Slide 46

No content

Slide 47

TOOLS STATIC CODE ANALYSIS TOOLS

Slide 48

TOOLS STATIC CODE ANALYSIS TOOLS

Slide 49

TOOLS STATIC CODE ANALYSIS TOOLS GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/

Slide 50

SECURITY SCANNERS

Slide 51

TOOLS SECURITY SCANNER TOOLS http://www.arachni-scanner.com/

Slide 52

PENETRATION TESTS (PENTESTS)

Slide 53

SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS. Security tip #0

Slide 54

THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO