Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Security 101 - Ruby Fun Day 2014

Francesco Rodríguez
October 23, 2014
Programming
0
100

Web Security 101 - Ruby Fun Day 2014

In this workshop you will learn about the basics of web security by starting with a clean application and adding features to prevent the most common attacks.

Francesco Rodríguez

October 23, 2014
Tweet

More Decks by Francesco Rodríguez

See All by Francesco Rodríguez
A Minimalistic Ruby Stack
frodsan
1
50
Web Development with Cuba - Ruby Fun Day 2014
frodsan
0
110
Introduction to Cuba
frodsan
1
49
Aprende a Programar
frodsan
0
160
Metaprogramming: From Zero to Hero. (URU meetup)
frodsan
1
120
Introducción a Cuba
frodsan
0
62

Other Decks in Programming

See All in Programming
3rd party scriptでもReactを使いたい! Preact + Reactのハイブリッド開発
righttouch
PRO
1
610
Click-free releases & the making of a CLI app
oheyadam
2
120
Ethereum_.pdf
nekomatu
0
470
Hotwire or React? ~アフタートーク・本編に含めなかった話~ / Hotwire or React? after talk
harunatsujita
1
120
初めてDefinitelyTypedにPRを出した話
syumai
0
420
Figma Dev Modeで変わる!Flutterの開発体験
watanave
0
150
シェーダーで魅せるMapLibreの動的ラスタータイル
satoshi7190
1
480
Flutterを言い訳にしない!アプリの使い心地改善テクニック5選🔥
kno3a87
1
200
色々なIaCツールを実際に触って比較してみる
iriikeita
0
330
Remix on Hono on Cloudflare Workers
yusukebe
1
300
Duckdb-Wasmでローカルダッシュボードを作ってみた
nkforwork
0
130
flutterkaigi_2024.pdf
kyoheig3
0
150

Featured

See All Featured
Code Review Best Practice
trishagee
64
17k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.3k
Fontdeck: Realign not Redesign
paulrobertlloyd
82
5.2k
Statistics for Hackers
jakevdp
796
220k
Sharpening the Axe: The Primacy of Toolmaking
bcantrill
38
1.8k
Ruby is Unlike a Banana
tanoku
97
11k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
44
6.8k
Docker and Python
trallard
40
3.1k
The Straight Up "How To Draw Better" Workshop
denniskardys
232
140k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
tammyeverts
47
2.1k
Speed Design
sergeychernyshev
25
620
Building Applications with DynamoDB
mza
90
6.1k

Transcript

  1. None

  2. Francesco (frodsan) [email protected]

  3. Web Security 101

  4. Passwords

  5. How not to!

  6. #1 Just store it!

  7. None
  8. None
  9. None
  10. None

  11. #2 Encryption

  12. None
  13. None
  14. None
  15. None
  16. None
  17. None
  18. None
  19. None

  20. Encryption is reversible

  21. DES 3DES AES

  22. #3 Hashing

  23. Hashing is irreversible

  24. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  25. hash(?) “e10adc3949ba59abbe56e057f20f883e”

  26. Hashing is deterministic

  27. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  28. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mupassword”) “b11d7ccaee763e5840f9d906e0bf2edf”

  29. None
  30. None
  31. None

  32. Hashing is deterministic

  33. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44” ! hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  34. thelonelyones.heroku.com/passwords.csv
 thelonelyones.heroku.com/login Exercise

  35. Lookup tables

  36. None

  37. Adobe Security Breach (2013) 38 million active users
 passwords, credit

    card information

  38. http://xkcd.com/1286/

  39. MD5
 SHA1 SHA2

  40. ✓ Hashing + Salting

  41. hash(“mypassword”) “34819d7beeabb9260a5c854bc85b3e44”

  42. hash(“mypassword”, salt)

  43. hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…”

  44. hash(“mypassword”, e8ed4834c7dd0…) “21b9558e8920bddb04949c068181c…
 
 hash(“mypassword”, 1bc1fa3bc1d5d85…)
 e92a46f76d413ce73ab5796756bc92…

  45. 1976 - crypt(3)

  46. GPU
 FPGA

  47. PBKDF2
 Bcrypt Scrypt

  48. PBKDF2 (armor, pbkdf2)
 Bcrypt (bcrypt) Scrypt (scrypt)

  49. How to do it

  50. ʕ•ᴥ•ʔ ! • Don’t do it (leave it to GitHub,

    Google, etc.) • If you must do it, use pbkdf2 or bcrypt or scrypt. • Keep password length between 8 and 50. • Nothing can save you easy to guess passwords.

  51. Cross Site Scripting - XSS

  52. 1993

  53. <HTML/>

  54. <html> ! </html>

  55. <html> <b>Web Security 101</b> </html>

  56. None

  57. </>?

  58. Escaping

  59. <html> <b>Angle brackets: &gt; &lt;</b> </html>

  60. None

  61. 1995

  62. JavaScript

  63. <html> ! </html>

  64. <html> <script>
 </script> </html>

  65. <html> <script> var message = "Web Security 101"; ! alert(message);

    </script> </html>
  66. None

  67. <html> <script> var message = "<b>Web Security 101</b>"; ! document.write(message);

    </script> </html>
  68. None

  69. JavaScript == DANGER

  70. None

  71. “Samy is my hero” (2005) • XSS attack propagated by

    Myspace profiles. ! • Over one million affected users within the first 20 hours. ! • 3 years without computer.

  72. How to do it

  73. Escaping

  74. UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&amp;",

    ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#x27;", "/" => "&#x2F;" } ! string.gsub(UNSAFE, HTML_ESCAPE)

  75. UNSAFE = /[&"'><\/]/ ! HTML_ESCAPE = { "&" => "&amp;",

    ">" => "&gt;", "<" => "&lt;", '"' => "&quot;", "'" => "&#x27;", "/" => "&#x2F;" } ! string.gsub(UNSAFE, HTML_ESCAPE)

  76. github.com/frodsan/hache

  77. References

  78. • OWASP Top 10:
 https://www.owasp.org
 
 • Adobe 10GB database

    passwords leak:
 http://bit.ly/188ctZL
 • MySpace XSS vulnerability:
 http://bit.ly/1urMIbG
 • Tweetdeck XSS vulnerability:
 http://bit.ly/1urMGAy


  79. thanks ʕ•ᴥ•ʔ