Web Vulnerabilities: A Field Guide
Ruan Brandão
February 08, 2019
Technology
Slides for the talk presented at RubyFuza & Friends 2019.
Transcript
GOOD MORNING RUBYFUZA ☕
RUAN BRANDÃO, SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING), TWITTER TIMELINE CURATOR. @RUANBRANDAO / RUAN-BRANDAO
Photo by Rafaela Biazi on Unsplash
São Paulo
Paulínia - São Paulo
Pipa - Rio Grande do Norte
Made in "
CYBER ATTACKS
WEB VULNERABILITIES A FIELD GUIDE FOR
THE WEB: HTTP, HTTPS, TLS, SSL, Databases, Servers, Credentials, TCP/IP, DNS, Clusters, Cache, Browsers
USING COMPONENTS WITH KNOWN VULNERABILITIES
UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1
INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS
INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION SERVERS
SQL INJECTION
XKCD, available at https://xkcd.com/327/
BE CAREFUL WITH THE ORDER METHOD
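The slide warns about `order` because a string argument to ActiveRecord's `order` is treated as a SQL fragment, so `Model.order(params[:sort])` forwards whatever the client sent. Added example, not code from the talk: a plain-Ruby allowlist that reduces the raw `sort` parameter to a known column and direction before it reaches `order`; the helper names and the column list are constructed for illustration.

```ruby
# Added example (not from the deck): validate a user-controlled sort parameter
# before passing it to ActiveRecord's `order`. Plain Ruby, no Rails required.

ALLOWED_SORT_COLUMNS = %w[created_at name price].freeze # constructed allowlist
ALLOWED_DIRECTIONS   = %w[asc desc].freeze

class UnsafeSortParam < ArgumentError; end

# Takes the raw `sort` query parameter (e.g. "price desc") and returns a hash
# such as { price: :desc }, the form `Product.order(column => direction)`
# accepts and quotes itself. Anything outside the allowlist raises instead of
# being forwarded to the database as SQL.
def safe_order_clause(raw_sort, default_column: "created_at")
  column, direction = raw_sort.to_s.strip.split(/\s+/, 2)
  column = default_column if column.nil? || column.empty?
  direction = (direction || "asc").downcase

  unless ALLOWED_SORT_COLUMNS.include?(column)
    raise UnsafeSortParam, "column not allowed: #{column.inspect}"
  end
  unless ALLOWED_DIRECTIONS.include?(direction)
    raise UnsafeSortParam, "direction not allowed: #{direction.inspect}"
  end

  { column.to_sym => direction.to_sym }
end

# Same check, but falls back to a default order instead of raising, for
# controllers that prefer a 200 with default sorting over a 400.
def order_clause_or_default(raw_sort, default: { created_at: :desc })
  safe_order_clause(raw_sort)
rescue UnsafeSortParam
  default
end
```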
CODE INJECTION & COMMAND INJECTION
BE EXTRA CAREFUL WITH EVAL AND BACKTICKS
BE CAREFUL WITH CONSTANTIZE
CROSS SITE SCRIPTING (XSS)
CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE ON YOUR APPLICATION USERS' BROWSERS
RAILS DOES THE HARD WORK
BE CAREFUL WITH THE RAW AND HTML_SAFE
NEVER TRUST USER INPUT Security tip #2
BROKEN ACCESS CONTROL
BE CAREFUL WITH ACCESS TO SENSITIVE DATA Security tip #3
BROKEN AUTHENTICATION
DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY, KNOW WHAT YOU ARE DOING. Security tip #4
AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
Photo by Patrick Tomasso on Unsplash
https://owasp.org
Photo by Barn Images on Unsplash
STATIC CODE ANALYSIS
TOOLS: STATIC CODE ANALYSIS TOOLS
GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/
SECURITY SCANNERS
TOOLS: SECURITY SCANNER TOOLS
http://www.arachni-scanner.com/
PENETRATION TESTS (PENTESTS)
SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS. Security tip #0
THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO