seguranca em app rails
DESCRIPTION
Apresentação feita no Café Ágil 2011 BH sobre segurança em aplicativos web com foco especial em Ruby on Rails.TRANSCRIPT
@danielvlopes
Daniel Lopes
SEGURANÇA & RAILS
voltando . . .
Segurança
Instituto Gartner
O alvo é ...
App75%
Host25%
WEB APP
XSS
CSRF
Parâmetros
SQL INJECTION
Mass Assign
Logs
Arquivos
Session
Cobaia
MassAssignment
LIVE CODING
SQL INJECTION
LIVE CODING
XSSCross Site Scripting
LIVE CODING
CSRFCross s. ref. forgery
LIVE CODING
Files (download / upload)
class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :styles => { :medium => "300x300#", :thumb => "50x50#" } validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document default_scope :order => "created_at DESC" end
class Asset < ActiveRecord::Base validates_presence_of :title
has_attached_file :document, :path => ":rails_root/uploads/:attachment/:id/:style/:style.:extension", :styles => { :medium => "300x300#", :thumb => "50x50#" }
has_attached_file :document, , :whiny => false
validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document validates_attachment_content_type :document, :content_type => %w(image/jpeg image/pjpeg image/gif image/png)
default_scope :order => "created_at DESC"
end
send_file('/var/www/uploads/' + params[:filename])
../../../etc/passwd
BRUTE FORCE
Devise.setup do |config| config.mailer_sender = "[email protected]"
require 'devise/orm/active_record'
config.encryptor = :bcrypt config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."
config.timeout_in = 10.minutes
config.lock_strategy = :failed_attempts config.maximum_attempts = 20 config.unlock_strategy = :both # email and time config.unlock_in = 1.hourend
Devise
SpamsLog FilteringParâmetros
gem 'reverse_captcha'
class Comment < ActiveRecord::Base captcha :nicknameend
<%= form_for @comment do |f| %> ... <%= f.captcha %><% end %>
Spam
gem 'recaptcha'gem 'captcha'
require File.expand_path('../boot', __FILE__)
require 'rails/all'
Bundler.require(:default, Rails.env) if defined?(Bundler)
module Producer class Application < Rails::Application config.autoload_paths += %W(#{config.root}/app/sweepers) config.i18n.default_locale = "pt-BR" config.encoding = "utf-8"
config.filter_parameters += [:password, :credit_card, :cnpj, :cpf] ... endend
Log Filter
@project = Project.find(params[:id])
Parâmetros
@project = current_user.projects.find(params[:id])
Mass Assign.
Parâmetros
☐☐
SQL Inject.☐XSS☐CSRF☐File System☐
Brute Force☐Spams☐Log☐Session☐
Mass Assign.
Parâmetros
☑
SQL Inject.
XSS
CSRF
File System
Brute Force
Spams
Log
☑☑☑☑☑
☑☑☑
• SSL
• Criptografia
• Automated Protection
• Pen. Testing
• Mantenha-se Atualizado
Contatos
@danielvlopes
www.objetiva.co
Cursos
www.egenial.pro/cursos
