Web Vulnerabilities: A Field Guide
Ruan Brandão
February 08, 2019
Technology
Slides for the talk presented at RubyFuza & Friends 2019.
Transcript
GOOD MORNING RUBYFUZA ☕
RUAN BRANDÃO SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING) TWITTER TIMELINE CURATOR @RUANBRANDAO /RUAN-BRANDAO
Photo by Rafaela Biazi on Unsplash
São Paulo
Paulínia - São Paulo
Pipa - Rio Grande do Norte
Made in "
WEB VULNERABILITIES: A FIELD GUIDE FOR CYBER ATTACKS
THE WEB: HTTP, HTTPS, TLS, SSL, Databases, Servers, Credentials, TCP/IP, DNS, Clusters, Cache, Browsers
USING COMPONENTS WITH KNOWN VULNERABILITIES
UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1
INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS
INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION SERVERS
SQL INJECTION
XKCD, available at https://xkcd.com/327/
BE CAREFUL WITH THE ORDER METHOD
CODE INJECTION & COMMAND INJECTION
BE EXTRA CAREFUL WITH EVAL AND BACKTICKS
BE CAREFUL WITH CONSTANTIZE
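The three injection slides above name Rails methods that hand a string straight to SQL (`order`) or to constant lookup (`constantize`). As an added example that is not from the talk, here is the allowlist pattern for both in plain Ruby, runnable without Rails; `SORTABLE_COLUMNS`, `NOTIFIERS` and the two notifier classes are constructed for the demo.

```ruby
# Added example (not from the talk). Assumes the common habit of passing
# request parameters straight into `Model.order(...)` or `.constantize`;
# the defence in both cases is to accept only values from a fixed allowlist.

# Columns and directions a client is allowed to sort by (constructed for the demo).
SORTABLE_COLUMNS = %w[name created_at price].freeze
DIRECTIONS       = %w[asc desc].freeze

class UnsafeInput < StandardError; end

# Returns an ORDER BY fragment built only from allowlisted tokens.
# `Model.order(params[:sort])` interpolates the raw string into SQL, so a
# value such as "name; --" must be rejected before it gets anywhere near it.
def safe_order(sort, direction = "asc")
  column = sort.to_s.strip.downcase
  dir    = direction.to_s.strip.downcase
  raise UnsafeInput, "column not sortable: #{column}" unless SORTABLE_COLUMNS.include?(column)
  raise UnsafeInput, "bad direction: #{dir}" unless DIRECTIONS.include?(dir)
  "#{column} #{dir.upcase}"
end

# Classes a client may select by name (constructed for the demo).
# `params[:type].constantize` would resolve any constant loaded in the
# process, so map the accepted names to classes up front instead.
class EmailNotifier; end
class SmsNotifier; end
NOTIFIERS = { "email" => EmailNotifier, "sms" => SmsNotifier }.freeze

def safe_notifier(name)
  NOTIFIERS.fetch(name.to_s.strip.downcase) do
    raise UnsafeInput, "unknown notifier: #{name}"
  end
end

if __FILE__ == $PROGRAM_NAME
  puts safe_order("created_at", "desc")   # created_at DESC
  puts safe_notifier("sms")               # SmsNotifier
  begin
    safe_order("name; --")                # rejected: not an allowlisted column
  rescue UnsafeInput => e
    puts "rejected: #{e.message}"
  end
  begin
    safe_notifier("Kernel")               # rejected: not an allowlisted name
  rescue UnsafeInput => e
    puts "rejected: #{e.message}"
  end
end
```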
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE ON YOUR APPLICATION USERS' BROWSERS
RAILS DOES THE HARD WORK
BE CAREFUL WITH THE RAW AND HTML_SAFE METHODS
NEVER TRUST USER INPUT Security tip #2
BROKEN ACCESS CONTROL
BE CAREFUL WITH ACCESS TO SENSITIVE DATA Security tip #3
BROKEN AUTHENTICATION
DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY, KNOW WHAT YOU ARE DOING. Security tip #4
AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
Photo by Patrick Tomasso on Unsplash
https://owasp.org
Photo by Barn Images on Unsplash
STATIC CODE ANALYSIS
TOOLS STATIC CODE ANALYSIS TOOLS
TOOLS STATIC CODE ANALYSIS TOOLS GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/
SECURITY SCANNERS
TOOLS SECURITY SCANNER TOOLS http://www.arachni-scanner.com/
PENETRATION TESTS (PENTESTS)
SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS. Security tip #0
THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO