Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Vulnerabilities: A Field Guide
Search
Ruan Brandão
February 08, 2019
Technology
160
0
Share
Web Vulnerabilities: A Field Guide
Slides for the talk presented at RubyFuza & Friends 2019.
Ruan Brandão
February 08, 2019
More Decks by Ruan Brandão
See All by Ruan Brandão
Top 10 OWASP: As maiores ameaças para sua aplicação web
ruanbrandao
0
31
Desenvolvimento de jogos com Elixir
ruanbrandao
0
44
Algoritmos Racistas
ruanbrandao
0
110
Software Ethics
ruanbrandao
2
370
Narrativas no Desenvolvimento de Software
ruanbrandao
0
300
Ética no Desenvolvimento de Software
ruanbrandao
4
930
Aplicando o Método Científico no Desenvolvimento de Software
ruanbrandao
2
290
Internet Personalizada
ruanbrandao
0
73
Other Decks in Technology
See All in Technology
クラウドネイティブな開発 ~ 認知負荷に立ち向かうためのコンテナ活用
literalice
0
100
NOSTR, réseau social et espace de liberté décentralisé
rlifchitz
0
200
AI時代のガードレールとしてのAPIガバナンス
nagix
0
200
Introduction to Bill One Development Engineer
sansan33
PRO
0
410
マルチエージェント × ハーネスエンジニアリング × GitLab Duo Agent Platformで実現する「AIエージェントに仕事をさせる時代へ。」 / 20260421 GitLab Duo Agent Platform
n11sh1
0
130
終盤で崩壊させないAI駆動開発
j5ik2o
2
2.2k
自分のハンドルは自分で握れ! ― 自分のケイパビリティを増やし、メンバーのケイパビリティ獲得を支援する ― / Take the wheel yourself
takaking22
1
830
AIエージェントを構築して感じた、AI時代のCDKとの向き合い方
smt7174
1
260
All About Sansan – for New Global Engineers
sansan33
PRO
1
1.4k
ARIA Notifyについて
ryokatsuse
1
120
ハーネスエンジニアリングをやりすぎた話 ~そのハーネスは解体された~
gotalab555
0
150
MLOps導入のための組織作りの第一歩
akasan
0
300
Featured
See All Featured
Beyond borders and beyond the search box: How to win the global "messy middle" with AI-driven SEO
davidcarrasco
3
110
Ecommerce SEO: The Keys for Success Now & Beyond - #SERPConf2024
aleyda
1
1.9k
Typedesign – Prime Four
hannesfritz
42
3k
The Curse of the Amulet
leimatthew05
1
11k
Measuring & Analyzing Core Web Vitals
bluesmoon
9
810
Principles of Awesome APIs and How to Build Them.
keavy
128
17k
30 Presentation Tips
portentint
PRO
1
270
Testing 201, or: Great Expectations
jmmastey
46
8.1k
brightonSEO & MeasureFest 2025 - Christian Goodrich - Winning strategies for Black Friday CRO & PPC
cargoodrich
3
680
YesSQL, Process and Tooling at Scale
rocio
174
15k
Scaling GitHub
holman
464
140k
Taking LLMs out of the black box: A practical guide to human-in-the-loop distillation
inesmontani
PRO
3
2.1k
Transcript
GOOD MORNING RUBYFUZA ☕
RUAN BRANDÃO SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING) TWITTER
TIMELINE CURATOR @RUANBRANDAO /RUAN-BRANDAO
Photo by Rafaela Biazi on Unsplash
São Paulo
Paulínia - São Paulo
Pipa - Rio Grande do Norte
Made in "
CYBER ATTACKS
WEB VULNERABILITIES A FIELD GUIDE FOR
THE WEB HTTP HTTPS TLS SSL Databases Servers Credentials TCP/IP
DNS Clusters Cache Browsers
USING COMPONENTS WITH KNOWN VULNERABILITIES
None
UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1
INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS
INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION
SERVERS
SQL INJECTION
XKCD, available at https://xkcd.com/327/
None
BE CAREFUL WITH THE ORDER METHOD
CODE INJECTION & COMMAND INJECTION
BE EXTRA CAREFUL WITH EVAL AND BACKTICKS
BE CAREFUL WITH CONSTANTIZE
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE ON YOUR
APPLICATION USERS BROWSERS
None
None
None
RAILS DOES THE HARD WORK
BE CAREFUL WITH THE RAW AND HTML_SAFE
NEVER TRUST USER INPUT Security tip #2
BROKEN ACCESS CONTROL
None
None
None
None
BE CAREFUL WITH ACCESS TO SENSIBLE DATA Security tip #3
BROKEN AUTHENTICATION
DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY, KNOW
WHAT YOU ARE DOING. Security tip #4
AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE
CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
None
Photo by Patrick Tomasso on Unsplash
https://owasp.org
None
Photo by Barn Images on Unsplash
STATIC CODE ANALYSIS
None
TOOLS STATIC CODE ANALYSIS TOOLS
TOOLS STATIC CODE ANALYSIS TOOLS
TOOLS STATIC CODE ANALYSIS TOOLS GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/
SECURITY SCANNERS
TOOLS SECURITY SCANNER TOOLS http://www.arachni-scanner.com/
PENETRATION TESTS (PENTESTS)
SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS.
Security tip #0
THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO
ruanbrandao
literalice
rlifchitz
nagix
sansan33
n11sh1
j5ik2o
takaking22
smt7174
ryokatsuse
gotalab555
akasan
davidcarrasco
aleyda
hannesfritz
leimatthew05
bluesmoon
keavy
portentint
jmmastey
.jpg){kind=avatar}
cargoodrich
rocio
holman
inesmontani
