Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Web Vulnerabilities: A Field Guide

Ruan Brandão
February 08, 2019
Technology
0
91

Web Vulnerabilities: A Field Guide

Slides for the talk presented at RubyFuza & Friends 2019.

Ruan Brandão

February 08, 2019
Tweet

More Decks by Ruan Brandão

See All by Ruan Brandão
Desenvolvimento de jogos com Elixir
ruanbrandao
0
22
Algoritmos Racistas
ruanbrandao
0
58
Software Ethics
ruanbrandao
2
290
Narrativas no Desenvolvimento de Software
ruanbrandao
0
160
Ética no Desenvolvimento de Software
ruanbrandao
4
820
Aplicando o Método Científico no Desenvolvimento de Software
ruanbrandao
2
210
Internet Personalizada
ruanbrandao
0
46

Other Decks in Technology

See All in Technology
Making your applications cross-environment - OSCG 2024 NA
salaboy
0
190
OS 標準のデザインシステムを超えて - より柔軟な Flutter テーマ管理 | FlutterKaigi 2024
ronnnnn
0
230
ノーコードデータ分析ツールで体験する時系列データ分析超入門
negi111111
0
420
インフラとバックエンドとフロントエンドをくまなく調べて遅いアプリを早くした件
tubone24
1
430
SRE×AIOpsを始めよう!GuardDutyによるお手軽脅威検出
amixedcolor
0
180
RubyのWebアプリケーションを50倍速くする方法 / How to Make a Ruby Web Application 50 Times Faster
hogelog
3
950
IBC 2024 動画技術関連レポート / IBC 2024 Report
cyberagentdevelopers
PRO
1
110
いざ、BSC討伐の旅
nikinusu
2
780
オープンソースAIとは何か? --「オープンソースAIの定義 v1.0」詳細解説
shujisado
10
1.1k
飲食店データの分析事例とそれを支えるデータ基盤
kimujun
0
160
Why App Signing Matters for Your Android Apps - Android Bangkok Conference 2024
akexorcist
0
130
Amazon CloudWatch Network Monitor のススメ
yuki_ink
1
210

Featured

See All Featured
Writing Fast Ruby
sferik
627
61k
Facilitating Awesome Meetings
lara
50
6.1k
It's Worth the Effort
3n
183
27k
YesSQL, Process and Tooling at Scale
rocio
169
14k
Bootstrapping a Software Product
garrettdimon
PRO
305
110k
Testing 201, or: Great Expectations
jmmastey
38
7.1k
Building a Modern Day 
E-commerce SEO Strategy
aleyda
38
6.9k
Automating Front-end Workflow
addyosmani
1366
200k
Scaling GitHub
holman
458
140k
The Art of Programming - Codeland 2020
erikaheidi
52
13k
Statistics for Hackers
jakevdp
796
220k
5 minutes of I Can Smell Your CMS
philhawksworth
202
19k

Transcript

  1. GOOD MORNING RUBYFUZA ☕

  2. RUAN BRANDÃO SOFTWARE ENGINEER AT MAGNETIS (WE ARE HIRING) TWITTER

    TIMELINE CURATOR @RUANBRANDAO /RUAN-BRANDAO

  3. Photo by Rafaela Biazi on Unsplash

  4. São Paulo

  5. Paulínia - São Paulo

  6. Pipa - Rio Grande do Norte

  7. Made in "

  8. CYBER ATTACKS

  9. WEB VULNERABILITIES A FIELD GUIDE FOR

  10. THE WEB HTTP HTTPS TLS SSL Databases Servers Credentials TCP/IP

    DNS Clusters Cache Browsers

  11. USING COMPONENTS WITH KNOWN VULNERABILITIES

  12. None

  13. UPDATE YOUR APPLICATION DEPENDENCIES Security tip #1

  14. INJECTION ‣ SQL ‣ NOSQL ‣ CODE ‣ COMMANDS

  15. INJECTION VULNERABILITIES ALLOW ATTACKERS TO RUN CODE ON YOUR APPLICATION

    SERVERS

  16. SQL INJECTION

  17. XKCD, available at https://xkcd.com/327/

  18. None

  19. BE CAREFUL WITH THE ORDER METHOD

  20. CODE INJECTION & COMMAND INJECTION

  21. BE EXTRA CAREFUL WITH EVAL AND BACKTICKS

  22. BE CAREFUL WITH CONSTANTIZE

  23. CROSS SITE SCRIPTING (XSS)

  24. CROSS SITE SCRIPTING ALLOWS ATTACKERS TO RUN CODE ON YOUR

    APPLICATION USERS BROWSERS
  25. None
  26. None
  27. None

  28. RAILS DOES THE HARD WORK

  29. BE CAREFUL WITH THE RAW AND HTML_SAFE

  30. NEVER TRUST USER INPUT Security tip #2

  31. BROKEN ACCESS CONTROL

  32. None
  33. None
  34. None
  35. None

  36. BE CAREFUL WITH ACCESS TO SENSIBLE DATA Security tip #3

  37. BROKEN AUTHENTICATION

  38. DO NOT REINVENT THE WHEEL. UNLESS YOU REALLY, REALLY, KNOW

    WHAT YOU ARE DOING. Security tip #4

  39. AND MUCH MORE… ‣ CROSS-SITE REQUEST FORGERY (CSRF) ‣ REMOTE

    CODE EXECUTION (RCE) ‣ SENSITIVE DATA EXPOSURE ‣ SECURITY MISCONFIGURATION
  40. None

  41. Photo by Patrick Tomasso on Unsplash

  42. https://owasp.org

  43. None

  44. Photo by Barn Images on Unsplash

  45. STATIC CODE ANALYSIS

  46. None

  47. TOOLS STATIC CODE ANALYSIS TOOLS

  48. TOOLS STATIC CODE ANALYSIS TOOLS

  49. TOOLS STATIC CODE ANALYSIS TOOLS GitHub - Available at https://github.blog/2017-10-11-a-more-connected-universe/

  50. SECURITY SCANNERS

  51. TOOLS SECURITY SCANNER TOOLS http://www.arachni-scanner.com/

  52. PENETRATION TESTS (PENTESTS)

  53. SECURITY IS NOT A PRODUCT. SECURITY IS AN ONGOING PROCESS.

    Security tip #0

  54. THANK YOU! ❤ @RUANBRANDAO /RUAN-BRANDAO