$30 off During Our Annual Pro Sale. View Details »

Web Vulnerabilities: A Field Guide

Ruan Brandão
February 08, 2019
Technology
0
80

Web Vulnerabilities: A Field Guide

Slides for the talk presented at RubyFuza & Friends 2019.

Ruan Brandão

February 08, 2019
Tweet

More Decks by Ruan Brandão

See All by Ruan Brandão
Software Ethics
ruanbrandao
2
210
Narrativas no Desenvolvimento de Software
ruanbrandao
0
67
Ética no Desenvolvimento de Software
ruanbrandao
4
710
Aplicando o Método Científico no Desenvolvimento de Software
ruanbrandao
2
200
Internet Personalizada
ruanbrandao
0
40

Other Decks in Technology

See All in Technology
SOLID Is Dead, Long Live SOLID
lemiorhan
2
200
pmconf 2023 プロダクトと事業を無限にスケールするための最強のロードマップの作り方 / The Greatest Roadmap for Unlimited Scaling your Business and Products
yamamuteki
15
8k
ミチビク株式会社エンジニアカンパニーデック
knsg16
0
2.2k
LangChainやるならPythonよりTypeScriptの方がいんじゃね?
optimisuke
0
220
リアルで価値を発揮するデジタルプロダクトを開発する
aki_iinuma
0
950
エンタープライズSaaSへの挑戦〜顧客の事業を成長させるプロダクトマネジメントとは?〜 / pmconf2023
route06
2
660
Autonomous Database - Dedicated 技術詳細 / adb-d_technical_detail_jp
oracle4engineer
PRO
2
4k
なぜ
リアーキテクティング専任チームを作ったのか
kei_s
PRO
2
1k
Java Language Future
chiroito
4
1.3k
AWS re:Invent 2023の期間中に出たコンテナアップデート集
yoshiitaka
3
200
異なる思想で書かれたコードの統一に動く -Terraformの場合-
coconala_engineer
0
210
負債と言わないことが負債と向き合うこと
kenchan
5
1.9k

Featured

See All Featured
Keith and Marios Guide to Fast Websites
keithpitt
407
21k
StorybookのUI Testing Handbookを読んだ
zakiyama
9
4.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
52
19k
Six Lessons from altMBA
skipperchong
18
2.7k
How STYLIGHT went responsive
nonsquared
89
4.5k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
mongodb
33
8.6k
Principles of Awesome APIs and How to Build Them.
keavy
119
16k
Fantastic passwords and where to find them - at NoRuKo
philnash
34
2.3k
Writing Fast Ruby
sferik
615
59k
Docker and Python
trallard
32
2.4k
How to Ace a Technical Interview
jacobian
272
22k
No one is an island. Learnings from fostering a developers community.
thoeni
14
1.8k

Transcript

  1. GOOD MORNING
    RUBYFUZA ☕

    View Slide

  2. RUAN
    BRANDÃO
    SOFTWARE ENGINEER AT
    MAGNETIS (WE ARE HIRING)
    TWITTER TIMELINE CURATOR
    @RUANBRANDAO
    /RUAN-BRANDAO

    View Slide

  3. Photo by Rafaela Biazi on Unsplash

    View Slide

  4. São Paulo

    View Slide

  5. Paulínia - São Paulo

    View Slide

  6. Pipa - Rio Grande do Norte

    View Slide

  7. Made in "

    View Slide

  8. CYBER ATTACKS

    View Slide

  9. WEB VULNERABILITIES
    A FIELD GUIDE FOR

    View Slide

  10. THE WEB
    HTTP
    HTTPS
    TLS
    SSL
    Databases
    Servers
    Credentials
    TCP/IP
    DNS
    Clusters
    Cache
    Browsers

    View Slide

  11. USING COMPONENTS WITH
    KNOWN VULNERABILITIES

    View Slide

  12. View Slide

  13. UPDATE YOUR APPLICATION
    DEPENDENCIES
    Security tip #1

    View Slide

  14. INJECTION
    ‣ SQL
    ‣ NOSQL
    ‣ CODE
    ‣ COMMANDS

    View Slide

  15. INJECTION VULNERABILITIES
    ALLOW ATTACKERS TO RUN CODE ON
    YOUR APPLICATION SERVERS

    View Slide

  16. SQL INJECTION

    View Slide

  17. XKCD, available at https://xkcd.com/327/

    View Slide

  18. View Slide

  19. BE CAREFUL WITH THE ORDER METHOD

    View Slide

  20. CODE INJECTION &
    COMMAND INJECTION

    View Slide

  21. BE EXTRA CAREFUL WITH EVAL AND BACKTICKS

    View Slide

  22. BE CAREFUL WITH CONSTANTIZE

    View Slide

  23. CROSS SITE
    SCRIPTING (XSS)

    View Slide

  24. CROSS SITE SCRIPTING
    ALLOWS ATTACKERS TO RUN CODE ON
    YOUR APPLICATION USERS BROWSERS

    View Slide

  25. View Slide

  26. View Slide

  27. View Slide

  28. RAILS DOES THE HARD WORK

    View Slide

  29. BE CAREFUL WITH THE RAW AND HTML_SAFE

    View Slide

  30. NEVER TRUST USER INPUT
    Security tip #2

    View Slide

  31. BROKEN ACCESS
    CONTROL

    View Slide

  32. View Slide

  33. View Slide

  34. View Slide

  35. View Slide

  36. BE CAREFUL WITH ACCESS TO
    SENSIBLE DATA
    Security tip #3

    View Slide

  37. BROKEN
    AUTHENTICATION

    View Slide

  38. DO NOT REINVENT THE WHEEL.
    UNLESS YOU REALLY, REALLY,
    KNOW WHAT YOU ARE DOING.
    Security tip #4

    View Slide

  39. AND MUCH MORE…
    ‣ CROSS-SITE REQUEST FORGERY (CSRF)
    ‣ REMOTE CODE EXECUTION (RCE)
    ‣ SENSITIVE DATA EXPOSURE
    ‣ SECURITY MISCONFIGURATION

    View Slide

  40. View Slide

  41. Photo by Patrick Tomasso on Unsplash

    View Slide

  42. https://owasp.org

    View Slide

  43. View Slide

  44. Photo by Barn Images on Unsplash

    View Slide

  45. STATIC CODE
    ANALYSIS

    View Slide

  46. View Slide

  47. TOOLS
    STATIC CODE ANALYSIS TOOLS

    View Slide

  48. TOOLS
    STATIC CODE ANALYSIS TOOLS

    View Slide

  49. TOOLS
    STATIC CODE ANALYSIS TOOLS
    GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/

    View Slide

  50. SECURITY
    SCANNERS

    View Slide

  51. TOOLS
    SECURITY SCANNER TOOLS
    http://www.arachni-scanner.com/

    View Slide

  52. PENETRATION TESTS
    (PENTESTS)

    View Slide

  53. SECURITY IS NOT A PRODUCT.
    SECURITY IS AN ONGOING
    PROCESS.
    Security tip #0

    View Slide

  54. THANK YOU! ❤
    @RUANBRANDAO
    /RUAN-BRANDAO

    View Slide