Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Web Vulnerabilities: A Field Guide
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Ruan Brandão
February 08, 2019
Technology
0
150
Web Vulnerabilities: A Field Guide
Slides for the talk presented at RubyFuza & Friends 2019.
Ruan Brandão
February 08, 2019
Tweet
Share
More Decks by Ruan Brandão
See All by Ruan Brandão
Top 10 OWASP: As maiores ameaças para sua aplicação web
ruanbrandao
0
27
Desenvolvimento de jogos com Elixir
ruanbrandao
0
40
Algoritmos Racistas
ruanbrandao
0
98
Software Ethics
ruanbrandao
2
360
Narrativas no Desenvolvimento de Software
ruanbrandao
0
280
Ética no Desenvolvimento de Software
ruanbrandao
4
920
Aplicando o Método Científico no Desenvolvimento de Software
ruanbrandao
2
280
Internet Personalizada
ruanbrandao
0
68
Other Decks in Technology
See All in Technology
教育現場のプロンプトエンジニアリング問題を 解決するAIエージェントを作成してみた
ryoshun
0
120
AIに視覚を与えモバイルアプリケーション開発をより円滑に行う
lycorptech_jp
PRO
1
490
Intro SAGA Event Space
midnight480
0
150
Open Table Formatにおけるストレージ抽象化の比較
lycorptech_jp
PRO
1
200
Generative UI を試そう!A2-UIでAIエージェントにダッシュボードを作らせてみた
kamoshika
1
300
生成AI素人でも玄人でもない私がセイセイAIチョットワカルために勉強したこと
wkm2
2
310
Agentic Codingの実践とチームで導入するための工夫
lycorptech_jp
PRO
0
140
AIで「ふとした疑問」を即座に検証する 〜定量で圧倒するN1理解〜
kakehashi
PRO
3
730
AIエージェントで変わる開発プロセス ― レビューボトルネックからの脱却
lycorptech_jp
PRO
2
600
vol11_ねこIoTLT_お遊びVibeCoding
1027kg
0
170
AI駆動開発とRAGプロダクトへの挑戦の軌跡 - 弁護士ドットコムでの学びから -
bengo4com
2
810
サイボウズ 開発本部採用ピッチ / Cybozu Engineer Recruit
cybozuinsideout
PRO
10
74k
Featured
See All Featured
Building the Perfect Custom Keyboard
takai
2
700
Getting science done with accelerated Python computing platforms
jacobtomlinson
2
130
エンジニアに許された特別な時間の終わり
watany
106
230k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
akashhashmi
0
280
A Guide to Academic Writing Using Generative AI - A Workshop
ks91
PRO
0
220
Exploring the relationship between traditional SERPs and Gen AI search
raygrieselhuber
PRO
2
3.7k
How To Stay Up To Date on Web Technology
chriscoyier
791
250k
Test your architecture with Archunit
thirion
1
2.2k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
1.8k
Deep Space Network (abreviated)
tonyrice
0
76
Scaling GitHub
holman
464
140k
<Decoding/> the Language of Devs - We Love SEO 2024
nikkihalliwell
1
140
Transcript
GOOD MORNING RUBYFUZA ☕
RUAN BRANDÃO SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING) TWITTER
TIMELINE CURATOR @RUANBRANDAO /RUAN-BRANDAO
Photo by Rafaela Biazi on Unsplash
São Paulo
Paulínia - São Paulo
Pipa - Rio Grande do Norte
Made in "
CYBER ATTACKS
WEB VULNERABILITIES A FIELD GUIDE FOR
THE WEB HTTP HTTPS TLS SSL Databases Servers Credentials TCP/IP
DNS Clusters Cache Browsers
USING COMPONENTS WITH KNOWN VULNERABILITIES
None
UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1
INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS
INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION
SERVERS
SQL INJECTION
XKCD, available at https://xkcd.com/327/
None
BE CAREFUL WITH THE ORDER METHOD
CODE INJECTION & COMMAND INJECTION
BE EXTRA CAREFUL WITH EVAL AND BACKTICKS
BE CAREFUL WITH CONSTANTIZE
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE ON YOUR
APPLICATION USERS BROWSERS
None
None
None
RAILS DOES THE HARD WORK
BE CAREFUL WITH THE RAW AND HTML_SAFE
NEVER TRUST USER INPUT Security tip #2
BROKEN ACCESS CONTROL
None
None
None
None
BE CAREFUL WITH ACCESS TO SENSIBLE DATA Security tip #3
BROKEN AUTHENTICATION
DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY, KNOW
WHAT YOU ARE DOING. Security tip #4
AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE
CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
None
Photo by Patrick Tomasso on Unsplash
https://owasp.org
None
Photo by Barn Images on Unsplash
STATIC CODE ANALYSIS
None
TOOLS STATIC CODE ANALYSIS TOOLS
TOOLS STATIC CODE ANALYSIS TOOLS
TOOLS STATIC CODE ANALYSIS TOOLS GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/
SECURITY SCANNERS
TOOLS SECURITY SCANNER TOOLS http://www.arachni-scanner.com/
PENETRATION TESTS (PENTESTS)
SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS.
Security tip #0
THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO
ruanbrandao
ryoshun
lycorptech_jp
midnight480
kamoshika
wkm2
kakehashi
1027kg
bengo4com
cybozuinsideout
takai
jacobtomlinson
watany
akashhashmi
ks91
raygrieselhuber
chriscoyier
thirion
reverentgeek
tonyrice
holman
nikkihalliwell
