
Security in Rails Apps (Segurança em APP Rails)


Presentation given at Café Ágil 2011 BH on web application security, with a special focus on Ruby on Rails.


  1. Daniel Lopes @danielvlopes
  2. SECURITY & RAILS
  3. http://objetiva.co/
  4. going back . . .
  5. Security
  6. is ... App 75%, Host 25% (Gartner Institute)
  7. WEB APP
  8. XSS, SQL Injection, CSRF, Session, Mass Assignment, Parameters, Files, Logs
  9. Guinea pig
  10. Mass Assignment
  11. LIVE CODING
  12. SQL INJECTION
  13. LIVE CODING
  14. XSS (Cross-Site Scripting)
  15. LIVE CODING
  16. CSRF (Cross-Site Request Forgery)
  17. LIVE CODING
  18. Files (download / upload)
  19. Upload model, first version (Paperclip):

        class Asset < ActiveRecord::Base
          validates_presence_of :title

          has_attached_file :document,
                            :styles => { :medium => "300x300#", :thumb => "50x50#" }

          validates_attachment_size :document, :less_than => 5.megabyte
          validates_attachment_presence :document

          default_scope :order => "created_at DESC"
        end

  20. Upload model, hardened: files stored outside the public directory, content type restricted, Paperclip errors not raised for unknown types:

        class Asset < ActiveRecord::Base
          validates_presence_of :title

          has_attached_file :document,
                            :path   => ":rails_root/uploads/:attachment/:id/:style/:style.:extension",
                            :styles => { :medium => "300x300#", :thumb => "50x50#" },
                            :whiny  => false

          validates_attachment_size :document, :less_than => 5.megabyte
          validates_attachment_presence :document
          validates_attachment_content_type :document,
                                            :content_type => %w(image/jpeg image/pjpeg image/gif image/png)

          default_scope :order => "created_at DESC"
        end

  21. Path traversal in a download action (vulnerable as shown on the slide):

        send_file("/var/www/uploads/" + params[:filename])
        # with params[:filename] = "../../../etc/passwd"

  22. BRUTE FORCE
  23. Devise (config/initializers/devise.rb), with account locking after failed attempts:

        Devise.setup do |config|
          config.mailer_sender = "please-change-me@config-initializers-devise.com"
          require 'devise/orm/active_record'
          config.encryptor = :bcrypt
          config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."
          config.timeout_in = 10.minutes
          config.lock_strategy = :failed_attempts
          config.maximum_attempts = 20
          config.unlock_strategy = :both # email and time
          config.unlock_in = 1.hour
        end

  24. Spam, Log Filtering, Parameters
  25. Spam:

        # Gemfile
        gem 'reverse_captcha'

        class Comment < ActiveRecord::Base
          captcha :nickname
        end

        <%= form_for @comment do |f| %>
          ...
          <%= f.captcha %>
        <% end %>

        # alternatives
        gem 'recaptcha'
        gem 'captcha'

  26. Log Filter (config/application.rb): keep sensitive parameters out of the logs:

        require File.expand_path('../boot', __FILE__)
        require 'rails/all'
        Bundler.require(:default, Rails.env) if defined?(Bundler)

        module Producer
          class Application < Rails::Application
            config.autoload_paths += %W(#{config.root}/app/sweepers)
            config.i18n.default_locale = "pt-BR"
            config.encoding = "utf-8"
            config.filter_parameters += [:password, :credit_card, :cnpj, :cpf]
            ...
          end
        end

  27. Parameters: scope lookups to the current user instead of trusting the id:

        @project = Project.find(params[:id])                # any project, for any user
        @project = current_user.projects.find(params[:id])  # only the current user's projects

  28. ☐ Mass Assign. ☐ Brute Force ☐ Parameters ☐ Spam ☐ SQL Inject. ☐ Log ☐ XSS ☐ Session ☐ CSRF ☐ File System
  29. ☑ Mass Assign. ☑ Brute Force ☑ Parameters ☑ Spam ☑ SQL Inject. ☑ Log ☑ XSS ☑ CSRF ☑ File System
  30. • SSL • Cryptography • Automated Protection • Pen. Testing • Keep yourself up to date
  31. Contacts: @danielvlopes, daniel@objetiva.co, www.objetiva.co; Courses: www.egenial.pro/cursos
  32. slides: http://objetiva.co/publications
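As an added example (not code from the slides), the defensive counterpart to the `send_file` call on slide 21: the requested name is resolved against the upload root and anything that escapes it is refused. The upload root and the helper name `safe_upload_path` are assumptions.

```ruby
# Added example, not part of the original presentation: serve uploads only
# from inside a fixed root, refusing traversal such as "../../../etc/passwd".
UPLOAD_ROOT = "/var/www/uploads".freeze # assumed root, same as slide 21

# Returns the absolute path to serve, or nil when the request must be refused.
def safe_upload_path(filename, root = UPLOAD_ROOT)
  return nil if filename.nil? || filename.empty?
  # A null byte would make File.expand_path raise; refuse it explicitly.
  return nil if filename.include?("\0")
  # "~user" would be expanded to a home directory by expand_path; refuse it.
  return nil if filename.start_with?("~")

  root_abs = File.expand_path(root)
  # expand_path normalizes "." and ".." and ignores root for absolute input,
  # so an absolute or escaping name simply fails the prefix check below.
  candidate = File.expand_path(filename, root_abs)
  return nil unless candidate.start_with?(root_abs + File::SEPARATOR)

  # Belt and braces: only a conservative character set in the final name.
  return nil unless File.basename(candidate).match?(/\A[\w.-]+\z/)
  candidate
end

# Controller-side use with the Rails API from the slide (context only):
#   path = safe_upload_path(params[:filename])
#   path ? send_file(path) : head(:not_found)
```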
