Apresentação feita no Café Ágil 2011 BH sobre segurança em aplicativos web com foco especial em Ruby on Rails.

1. Daniel Lopes
@danielvlopes

2. SEGURANÇA
& RAILS

3. http://objetiva.co/

5. voltando . . .

6. Segurança

9. é ...
lv o
O a
App
75%
Host
25%
Instituto Gartner

10. WEB APP

13. XSS SQL INJECTION
CSRF Session
Mass Assign
Parâmetros Arquivos
Logs

14. Cobaia

16. Mass
Assignment

17. LIVE CODING

18. SQL
INJECTION

19. LIVE CODING

20. XSS
Cross Site Scripting

21. LIVE CODING

22. CSRF
Cross s. ref. forgery

23. LIVE CODING

24. Files
(download / upload)

25. class Asset < ActiveRecord::Base
validates_presence_of :title
has_attached_file :document, :styles => {
:medium => "300x300#",
:thumb => "50x50#"
}
validates_attachment_size :document, :less_than => 5.megabyte
validates_attachment_presence :document
default_scope :order => "created_at DESC"
end

26. class Asset < ActiveRecord::Base
validates_presence_of :title
has_attached_file :document,
:path => ":rails_root/uploads/:attachment/:id/:style/:style.:extension",
:styles => {
:medium => "300x300#",
:thumb => "50x50#"
}
has_attached_file :document, , :whiny => false
validates_attachment_size :document, :less_than => 5.megabyte
validates_attachment_presence :document
validates_attachment_content_type :document,
:content_type => %w(image/jpeg image/pjpeg image/gif image/png)
default_scope :order => "created_at DESC"
end

27. send_file('/var/www/uploads/' + params[:filename])
../../../etc/passwd

28. BRUTE FORCE

29. Devise
Devise.setup do |config|
config.mailer_sender = "please-change-me@config-initializers-devise.com"
require 'devise/orm/active_record'
config.encryptor = :bcrypt
config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."
config.timeout_in = 10.minutes
config.lock_strategy = :failed_attempts
config.maximum_attempts = 20
config.unlock_strategy = :both # email and time
config.unlock_in = 1.hour
end

30. Spams
Log Filtering
Parâmetros

31. Spam
gem 'reverse_captcha'
class Comment < ActiveRecord::Base
captcha :nickname
end
<%= form_for @comment do |f| %>
...
<%= f.captcha %>
<% end %>
gem 'recaptcha'
gem 'captcha'

32. Log Filter
require File.expand_path('../boot', __FILE__)
require 'rails/all'
Bundler.require(:default, Rails.env) if defined?(Bundler)
module Producer
class Application < Rails::Application
config.autoload_paths += %W(#{config.root}/app/sweepers)
config.i18n.default_locale = "pt-BR"
config.encoding = "utf-8"
config.filter_parameters += [:password, :credit_card, :cnpj, :cpf]
...
end
end

33. Parâmetros
@project = Project.find(params[:id])
@project = current_user.projects.find(params[:id])

34. ☐ Mass Assign. ☐ Brute Force
☐ Parâmetros ☐ Spams
☐ SQL Inject. ☐ Log
☐ XSS ☐ Session
☐ CSRF
☐ File System

35. ☑ Mass Assign. ☑ Brute Force
☑ Parâmetros ☑ Spams
☑ SQL Inject. ☑ Log
☑ XSS
☑ CSRF
☑ File System

37. • SSL
• Criptografia
• Automated Protection
• Pen. Testing
• Mantenha-se Atualizado

38. Contatos
@danielvlopes
daniel@objetiva.co
www.objetiva.co
Cursos
www.egenial.pro/cursos

39. slides: http://objetiva.co/publications