Web Vulnerabilities: A Field Guide

Slides for the talk presented at RubyFuza & Friends 2019.

Ruan Brandão

February 08, 2019

Transcript

  1. GOOD MORNING
    RUBYFUZA ☕

  2. RUAN
    BRANDÃO
    SOFTWARE ENGINEER AT
    MAGNETIS (WE ARE HIRING)
    TWITTER TIMELINE CURATOR
    @RUANBRANDAO
    /RUAN-BRANDAO

  3. Photo by Rafaela Biazi on Unsplash

  4. São Paulo

  5. Paulínia - São Paulo

  6. Pipa - Rio Grande do Norte

  7. Made in

  8. CYBER ATTACKS

  9. WEB VULNERABILITIES
    A FIELD GUIDE FOR

  10. THE WEB
    HTTP
    HTTPS
    TLS
    SSL
    Databases
    Servers
    Credentials
    TCP/IP
    DNS
    Clusters
    Cache
    Browsers

  11. USING COMPONENTS WITH
    KNOWN VULNERABILITIES

  13. UPDATE YOUR APPLICATION
    DEPENDENCIES
    Security tip #1
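
Knowing which dependencies are outdated is the first step of this tip. The block below is an added example, not code from the slides: it parses the `specs:` section of a Gemfile.lock and flags gems whose resolved version is older than the first patched release of a known advisory. The lockfile excerpt and the advisory table are constructed sample data with placeholder ids; the names `parse_lockfile` and `vulnerable_gems` are chosen here. In a real project the bundler-audit gem does this against a maintained advisory database.

```ruby
# Added example (not from the slides): flag gems in a Gemfile.lock that are
# older than the first patched version of a known advisory.
# The lockfile and advisory list are constructed sample data; in practice use
# the bundler-audit gem, which ships a maintained advisory database.

# Constructed Gemfile.lock excerpt (real lockfiles use the same layout).
SAMPLE_LOCKFILE = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      nokogiri (1.8.1)
      rack (2.0.6)
      rails (5.2.1)
      rack-test (1.1.0)

  PLATFORMS
    ruby

  DEPENDENCIES
    nokogiri
    rails
LOCK

# Constructed advisory table: gem name => first version that carries the fix.
# Placeholder ids and versions for illustration only, not real advisory data.
ADVISORIES = {
  "nokogiri" => { id: "ADVISORY-PLACEHOLDER-1", fixed_in: "1.8.5" },
  "rack"     => { id: "ADVISORY-PLACEHOLDER-2", fixed_in: "2.0.6" },
}.freeze

# Parse the `specs:` section: lines indented by exactly four spaces are the
# resolved gems; six-space lines (their transitive requirements) are skipped.
def parse_lockfile(text)
  text.each_line.each_with_object({}) do |line, gems|
    if (m = line.match(/\A {4}(\S+) \((\S+)\)\s*\z/))
      gems[m[1]] = Gem::Version.new(m[2])
    end
  end
end

# Return the gems whose resolved version is below the fixed version.
# A gem pinned exactly at the fixed version is not reported.
def vulnerable_gems(lockfile_text, advisories = ADVISORIES)
  parse_lockfile(lockfile_text).filter_map do |name, version|
    adv = advisories[name]
    next unless adv && version < Gem::Version.new(adv[:fixed_in])
    { gem: name, installed: version.to_s, fixed_in: adv[:fixed_in], id: adv[:id] }
  end
end

if __FILE__ == $PROGRAM_NAME
  vulnerable_gems(SAMPLE_LOCKFILE).each do |v|
    puts "#{v[:gem]} #{v[:installed]} < #{v[:fixed_in]} (#{v[:id]})"
  end
end
```

Version comparison goes through `Gem::Version` rather than string comparison, so `1.10.0` sorts after `1.8.5` as intended.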

  14. INJECTION
    ‣ SQL
    ‣ NOSQL
    ‣ CODE
    ‣ COMMANDS

  15. INJECTION VULNERABILITIES
    ALLOW ATTACKERS TO RUN CODE ON
    YOUR APPLICATION SERVERS

  16. SQL INJECTION

  17. XKCD, available at https://xkcd.com/327/

  19. BE CAREFUL WITH THE ORDER METHOD
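
The point of this slide is that ActiveRecord's `order` takes a SQL fragment, so `User.order(params[:sort])` puts request input straight into the query. The block below is an added example, not code from the slides, showing the allow-list shape a Rails app would use instead: the parameter is mapped onto known column names and directions, and anything else is rejected. It is plain Ruby (no Rails needed to run it); `SORTABLE_COLUMNS`, `safe_order`, `order_clause` and `UnsafeSortError` are names chosen for this example.

```ruby
# Added example (not from the slides): validating a sort parameter before it
# reaches `order`. Names here are chosen for the example, not a Rails API.

SORTABLE_COLUMNS = %w[name email created_at].freeze
DIRECTIONS       = %w[asc desc].freeze

class UnsafeSortError < ArgumentError; end

# Return a column => direction hash, e.g. {"created_at" => :desc}, suitable for
# `User.order(safe_order(params[:sort], params[:dir]))`. Passing a hash instead
# of a string keeps the identifier as data that ActiveRecord quotes itself.
def safe_order(column, direction = "asc")
  column    = column.to_s
  direction = direction.to_s.downcase
  raise UnsafeSortError, "unknown sort column: #{column.inspect}" unless SORTABLE_COLUMNS.include?(column)
  raise UnsafeSortError, "unknown direction: #{direction.inspect}" unless DIRECTIONS.include?(direction)
  { column => direction.to_sym }
end

# For hand-written SQL, build the ORDER BY fragment from the validated values
# only; the user's original string never appears in the output.
def order_clause(column, direction = "asc")
  safe_order(column, direction).map { |col, dir| "#{col} #{dir.to_s.upcase}" }.join(", ")
end

if __FILE__ == $PROGRAM_NAME
  puts order_clause("created_at", "desc")
  begin
    order_clause("name); DROP TABLE users; --")
  rescue UnsafeSortError => e
    puts "rejected: #{e.message}"
  end
end
```

Rejecting with an error (rather than silently falling back to a default) also makes probing visible in the logs.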

  20. CODE INJECTION &
    COMMAND INJECTION

  21. BE EXTRA CAREFUL WITH EVAL AND BACKTICKS

  22. BE CAREFUL WITH CONSTANTIZE
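
Slides 21 and 22 name three places where Ruby turns a string into code: `eval` (code injection), backticks (a shell command built from input) and `constantize` (any class in the process, chosen by name). The block below is an added example, not code from the slides, pairing each with the shape that keeps user input as data: strict parsing instead of `eval`, an argument array plus hostname validation instead of a shell string, and a fixed lookup table instead of `constantize`. `parse_quantity`, `ping_argv`, `HOSTNAME`, `REPORT_CLASSES` and `report_class_for` are names chosen for this example.

```ruby
# Added example (not from the slides): keeping user input out of eval,
# the shell and constant lookup. All names are chosen for this example.

# 1. eval: `eval(params[:quantity])` would run arbitrary Ruby.
#    Integer() parses strictly and raises ArgumentError on anything that is
#    not a base-10 integer, including harmless-looking "2+2".
def parse_quantity(input)
  Integer(input.to_s, 10)
end

# 2. backticks: `ping -c 1 #{host}` hands the whole string to a shell, where
#    `;`, `&&`, `|` and `$()` are operators. Validate the host against a strict
#    pattern and return the command as an argument array; `system(*argv)`
#    then runs the program directly, with no shell in between.
HOSTNAME = /\A[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*\z/i

def ping_argv(host)
  raise ArgumentError, "invalid hostname: #{host.inspect}" unless host.to_s.match?(HOSTNAME)
  ["ping", "-c", "1", host.to_s]
end

# 3. constantize: `params[:type].constantize` lets the caller name any class
#    loaded in the process. Resolve the name through a fixed table instead.
class PdfReport; end
class CsvReport; end

REPORT_CLASSES = { "pdf" => PdfReport, "csv" => CsvReport }.freeze

def report_class_for(kind)
  REPORT_CLASSES.fetch(kind.to_s) { raise ArgumentError, "unknown report type: #{kind.inspect}" }
end

if __FILE__ == $PROGRAM_NAME
  p parse_quantity("42"), ping_argv("example.com"), report_class_for("csv")
  # Constructed inputs that each shape rejects:
  { "quantity" => ["2+2", method(:parse_quantity)],
    "host"     => ["example.com; id", method(:ping_argv)],
    "report"   => ["Kernel", method(:report_class_for)] }.each do |what, (bad, fn)|
    begin
      fn.call(bad)
    rescue ArgumentError => e
      puts "#{what} rejected: #{e.message}"
    end
  end
end
```

The common thread is that none of the three ever interprets the request string; it is parsed, matched or looked up, and then discarded.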

  23. CROSS SITE
    SCRIPTING (XSS)

  24. CROSS SITE SCRIPTING
    ALLOWS ATTACKERS TO RUN CODE IN
    YOUR APPLICATION USERS' BROWSERS

  28. RAILS DOES THE HARD WORK

  29. BE CAREFUL WITH RAW AND HTML_SAFE
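
Slides 28 and 29 together say that Rails escapes `<%= %>` output by default and that `raw` and `html_safe` switch that off. The block below is an added example, not code from the slides, showing what that escaping does, what inserting a value unescaped amounts to, and one case where escaping alone is not enough (a URL in an `href`, where `javascript:` survives escaping untouched). It is plain Ruby using `ERB::Util.html_escape`, the same routine behind the `h` helper in Rails; `render_greeting`, `render_greeting_raw`, `ALLOWED_SCHEMES` and `profile_link` are names chosen for this example.

```ruby
require "erb"
require "uri"

# Added example (not from the slides): output escaping and its limits.
# Names are chosen for this example; the escaping routine is Ruby's own.

# What Rails does by default for <%= name %>: the value becomes text, never markup.
def render_greeting(name)
  "<p>Hello, #{ERB::Util.html_escape(name)}!</p>"
end

# What `raw name` / `name.html_safe` amounts to: the value is inserted as
# markup. Only acceptable when `name` was built from already-escaped pieces.
def render_greeting_raw(name)
  "<p>Hello, #{name}!</p>"
end

# Building markup from user data: escape each value for its context. In an
# href, "javascript:alert(1)" contains nothing to escape, so the scheme is
# allow-listed as well; the result is the kind of string it is safe to mark
# as html_safe in a Rails view.
ALLOWED_SCHEMES = %w[http https].freeze

def profile_link(url, text)
  scheme = URI.parse(url.to_s).scheme.to_s.downcase
  raise ArgumentError, "unsupported URL scheme: #{scheme.inspect}" unless ALLOWED_SCHEMES.include?(scheme)
  %(<a href="#{ERB::Util.html_escape(url)}">#{ERB::Util.html_escape(text)}</a>)
rescue URI::InvalidURIError => e
  raise ArgumentError, "malformed URL: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed input of the kind slide 24 warns about.
  name = "<script>alert(1)</script>"
  puts render_greeting(name)       # the tag is rendered as visible text
  puts render_greeting_raw(name)   # the tag is handed to the browser as-is
  puts profile_link("https://example.com/?a=1&b=2", "Ruan's page")
  begin
    profile_link("javascript:alert(1)", "click")
  rescue ArgumentError => e
    puts "rejected: #{e.message}"
  end
end
```

The difference between the two greeting functions is the whole of slide 29: `raw` and `html_safe` do not make a string safe, they assert that it already is.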

  30. NEVER TRUST USER INPUT
    Security tip #2

  31. BROKEN ACCESS
    CONTROL

  36. BE CAREFUL WITH ACCESS TO
    SENSITIVE DATA
    Security tip #3
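
The most common broken-access-control bug in a Rails app is a lookup by id that ignores who is asking: `Invoice.find(params[:id])` answers for any id a logged-in user types into the URL. The block below is an added example, not code from the slides, contrasting that with a lookup scoped to the current user's own records (the `current_user.invoices.find(id)` shape) and with an explicit ownership check. It is plain Ruby over constructed data; `Invoice`, `User`, `find_invoice_unscoped`, `find_invoice_for`, `authorize_invoice!`, `NotFound` and `Forbidden` are names chosen for this example.

```ruby
# Added example (not from the slides): object-level access control.
# Constructed data and names chosen for this example.

Invoice = Struct.new(:id, :owner_id, :amount)
User    = Struct.new(:id, :admin) do
  def admin?
    admin
  end
end

# Constructed sample data: two ordinary users, one admin, three invoices.
USERS    = { 1 => User.new(1, false), 2 => User.new(2, false), 9 => User.new(9, true) }.freeze
INVOICES = [Invoice.new(10, 1, 100), Invoice.new(11, 1, 250), Invoice.new(12, 2, 75)].freeze

class NotFound  < StandardError; end
class Forbidden < StandardError; end

# Vulnerable shape: the caller is never consulted, so any authenticated user
# can read any invoice by guessing or incrementing the id.
def find_invoice_unscoped(id)
  INVOICES.find { |i| i.id == id } or raise NotFound
end

# Fixed shape: the lookup starts from what the user owns. Someone else's id is
# simply not found, which also avoids confirming that the id exists.
def find_invoice_for(user, id)
  INVOICES.find { |i| i.owner_id == user.id && i.id == id } or raise NotFound
end

# When an explicit rule is needed (here: admins may read everything), decide
# before returning anything derived from the record.
def authorize_invoice!(user, invoice)
  return invoice if user.admin? || invoice.owner_id == user.id
  raise Forbidden
end

if __FILE__ == $PROGRAM_NAME
  alice, bob, admin = USERS.values_at(1, 2, 9)
  p find_invoice_unscoped(10)            # bob could call this with alice's id
  p find_invoice_for(alice, 10)
  begin
    find_invoice_for(bob, 10)
  rescue NotFound
    puts "invoice 10 is not visible to user #{bob.id}"
  end
  p authorize_invoice!(admin, find_invoice_unscoped(12))
end
```

In Rails the scoped lookup is usually spelled `current_user.invoices.find(params[:id])`, which raises `ActiveRecord::RecordNotFound` exactly as `find_invoice_for` raises `NotFound` here.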

  37. BROKEN
    AUTHENTICATION

  38. DO NOT REINVENT THE WHEEL.
    UNLESS YOU REALLY, REALLY,
    KNOW WHAT YOU ARE DOING.
    Security tip #4

  39. AND MUCH MORE…
    ‣ CROSS-SITE REQUEST FORGERY (CSRF)
    ‣ REMOTE CODE EXECUTION (RCE)
    ‣ SENSITIVE DATA EXPOSURE
    ‣ SECURITY MISCONFIGURATION

  41. Photo by Patrick Tomasso on Unsplash

  42. https://owasp.org

  44. Photo by Barn Images on Unsplash

  45. STATIC CODE
    ANALYSIS

  47. TOOLS
    STATIC CODE ANALYSIS TOOLS

  49. TOOLS
    STATIC CODE ANALYSIS TOOLS
    GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/

  50. SECURITY
    SCANNERS

  51. TOOLS
    SECURITY SCANNER TOOLS
    http://www.arachni-scanner.com/

  52. PENETRATION TESTS
    (PENTESTS)

  53. SECURITY IS NOT A PRODUCT.
    SECURITY IS AN ONGOING
    PROCESS.
    Security tip #0

  54. THANK YOU! ❤
    @RUANBRANDAO
    /RUAN-BRANDAO