Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Vulnerabilities: A Field Guide

Ruan Brandão
February 08, 2019
Technology
0
100

Web Vulnerabilities: A Field Guide

Slides for the talk presented at RubyFuza & Friends 2019.

Ruan Brandão

February 08, 2019
Tweet

More Decks by Ruan Brandão

See All by Ruan Brandão
Desenvolvimento de jogos com Elixir
ruanbrandao
0
24
Algoritmos Racistas
ruanbrandao
0
66
Software Ethics
ruanbrandao
2
310
Narrativas no Desenvolvimento de Software
ruanbrandao
0
190
Ética no Desenvolvimento de Software
ruanbrandao
4
850
Aplicando o Método Científico no Desenvolvimento de Software
ruanbrandao
2
230
Internet Personalizada
ruanbrandao
0
46

Other Decks in Technology

See All in Technology
Nekko Cloud、 これまでとこれから ~学生サークルが作る、 小さなクラウド
logica0419
2
970
TAMとre:Capセキュリティ編 〜拡張脅威検出デモを添えて〜
fujiihda
2
250
インフラをつくるとはどういうことなのか、 あるいはPlatform Engineeringについて
nwiizo
5
2.6k
Moved to https://speakerdeck.com/toshihue/presales-engineer-career-bridging-tech-biz-ja
toshihue
2
750
Building Products in the LLM Era
ymatsuwitter
10
5.5k
AndroidXR 開発ツールごとの できることできないこと
donabe3
0
130
関東Kaggler会LT: 人狼コンペとLLM量子化について
nejumi
3
600
The Future of SEO: The Impact of AI on Search
badams
0
200
次世代KYC活動報告 / 20250219-BizDay17-KYC-nextgen
oidfj
0
260
地方拠点で エンジニアリングマネージャーってできるの? 〜地方という制約を楽しむオーナーシップとコミュニティ作り〜
1coin
1
230
Raycast AI APIを使ってちょっと便利な拡張機能を作ってみた / created-a-handy-extension-using-the-raycast-ai-api
kawamataryo
0
100
「海外登壇」という 選択肢を与えるために 〜Gophers EX
logica0419
0
710

Featured

See All Featured
Building an army of robots
kneath
303
45k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
morganepeng
129
19k
Practical Orchestrator
shlominoach
186
10k
What's in a price? How to price your products and services
michaelherold
244
12k
Gamification - CAS2011
davidbonilla
80
5.1k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
175
51k
Intergalactic Javascript Robots from Outer Space
tanoku
270
27k
Designing Experiences People Love
moore
140
23k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
114
50k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
193
16k
Faster Mobile Websites
deanohume
306
31k

Transcript

  1. GOOD MORNING RUBYFUZA ☕

  2. RUAN BRANDÃO SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING) TWITTER

    TIMELINE CURATOR @RUANBRANDAO /RUAN-BRANDAO

  3. Photo by Rafaela Biazi on Unsplash

  4. São Paulo

  5. Paulínia - São Paulo

  6. Pipa - Rio Grande do Norte

  7. Made in "

  8. CYBER ATTACKS

  9. WEB VULNERABILITIES A FIELD GUIDE FOR

  10. THE WEB HTTP HTTPS TLS SSL Databases Servers Credentials TCP/IP

    DNS Clusters Cache Browsers

  11. USING COMPONENTS WITH KNOWN VULNERABILITIES

  12. None

  13. UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1

  14. INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS

  15. INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION

    SERVERS

  16. SQL INJECTION

  17. XKCD, available at https://xkcd.com/327/

  18. None

  19. BE CAREFUL WITH THE ORDER METHOD

  20. CODE INJECTION & COMMAND INJECTION

  21. BE EXTRA CAREFUL WITH EVAL AND BACKTICKS

  22. BE CAREFUL WITH CONSTANTIZE

  23. CROSS SITE SCRIPTING (XSS)

  24. CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE ON YOUR

    APPLICATION USERS BROWSERS
  25. None
  26. None
  27. None

  28. RAILS DOES THE HARD WORK

  29. BE CAREFUL WITH THE RAW AND HTML_SAFE

  30. NEVER TRUST USER INPUT Security tip #2

  31. BROKEN ACCESS CONTROL

  32. None
  33. None
  34. None
  35. None

  36. BE CAREFUL WITH ACCESS TO SENSIBLE DATA Security tip #3

  37. BROKEN AUTHENTICATION

  38. DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY, KNOW

    WHAT YOU ARE DOING. Security tip #4

  39. AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE

    CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
  40. None

  41. Photo by Patrick Tomasso on Unsplash

  42. https://owasp.org

  43. None

  44. Photo by Barn Images on Unsplash

  45. STATIC CODE ANALYSIS

  46. None

  47. TOOLS STATIC CODE ANALYSIS TOOLS

  48. TOOLS STATIC CODE ANALYSIS TOOLS

  49. TOOLS STATIC CODE ANALYSIS TOOLS GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/

  50. SECURITY SCANNERS

  51. TOOLS SECURITY SCANNER TOOLS http://www.arachni-scanner.com/

  52. PENETRATION TESTS (PENTESTS)

  53. SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS.

    Security tip #0

  54. THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO