Security in Rails apps

Posted on 18-May-2015


Category:

Technology


DESCRIPTION

Talk given at Café Ágil 2011 BH on web application security, with a special focus on Ruby on Rails.

TRANSCRIPT

@danielvlopes

Daniel Lopes

SEGURANÇA & RAILS

http://objetiva.co/

Coming back . . .

Security

Gartner Institute

The target is ...

App 75%

Host 25%

WEB APP

XSS

CSRF

Parameters

SQL INJECTION

Mass Assign

Logs

Files

Session

Guinea pig (the demo app)

MassAssignment

LIVE CODING

SQL INJECTION

LIVE CODING

XSS - Cross Site Scripting

LIVE CODING

CSRF - Cross-site request forgery

LIVE CODING

Files (download / upload)

class Asset < ActiveRecord::Base
  validates_presence_of :title

  # Paperclip attachment with no path, no size/type restrictions beyond size
  has_attached_file :document,
                    :styles => { :medium => "300x300#", :thumb => "50x50#" }

  validates_attachment_size :document, :less_than => 5.megabyte
  validates_attachment_presence :document

  default_scope :order => "created_at DESC"
end

class Asset < ActiveRecord::Base
  validates_presence_of :title

  # Store uploads outside public/ so the web server never serves them directly,
  # and turn off :whiny so a bad file fails validation instead of raising
  has_attached_file :document,
                    :path => ":rails_root/uploads/:attachment/:id/:style/:style.:extension",
                    :styles => { :medium => "300x300#", :thumb => "50x50#" },
                    :whiny => false

  validates_attachment_size :document, :less_than => 5.megabyte
  validates_attachment_presence :document
  # Whitelist of accepted MIME types; anything else (e.g. an uploaded script) is rejected
  validates_attachment_content_type :document,
                                    :content_type => %w(image/jpeg image/pjpeg image/gif image/png)

  default_scope :order => "created_at DESC"
end

send_file('/var/www/uploads/' + params[:filename])

../../../etc/passwd
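The send_file line above joins a user-supplied filename onto the upload directory, so a request for "../../../etc/passwd" reads a file outside /var/www/uploads. The following is an added example (not code from the slides) showing that vulnerable join next to two hardened variants; the upload root is the one from the slide, and all filenames are constructed inputs:

```ruby
# Added example, not from the original slides.
# UPLOAD_ROOT is the directory from the send_file line on the slide.
UPLOAD_ROOT = "/var/www/uploads"

# Vulnerable: naive concatenation, exactly what the slide's send_file does.
# "../../../etc/passwd" walks out of the upload directory.
def unsafe_upload_path(filename)
  UPLOAD_ROOT + "/" + filename
end

# Hardened: resolve the requested name to an absolute path and require it to
# stay under the upload root. Returns nil when the request must be refused
# (a controller would render 404 rather than leak that the file exists).
def safe_upload_path(filename)
  return nil if filename.nil? || filename.empty?
  # File.expand_path treats a leading "~" as a home directory; never allow it.
  return nil if filename.start_with?("~")
  root = File.expand_path(UPLOAD_ROOT)
  resolved = File.expand_path(filename, root)
  # Compare with a trailing separator so "/var/www/uploads_private" is not
  # mistaken for a child of "/var/www/uploads".
  return nil unless resolved.start_with?(root + File::SEPARATOR)
  resolved
end

# Stricter alternative: accept a single path component of safe characters only.
# This also blocks absolute paths and any separator the client might smuggle in.
def basename_only(filename)
  return nil unless filename =~ /\A[\w.\-]+\z/
  return nil if filename == "." || filename == ".."
  File.join(UPLOAD_ROOT, filename)
end

if __FILE__ == $0
  # Constructed sample requests: one legitimate, two traversal attempts.
  %w[report.pdf ../../../etc/passwd /etc/passwd].each do |name|
    puts "#{name.ljust(22)} unsafe=#{unsafe_upload_path(name)} " \
         "safe=#{safe_upload_path(name).inspect} basename=#{basename_only(name).inspect}"
  end
end
```

Both hardened functions reject the traversal and the absolute path; the basename variant is the one to prefer when filenames are generated by the application (as with the Paperclip :path above), since it never needs to reason about ".." at all.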

BRUTE FORCE

Devise.setup do |config|
  config.mailer_sender = "please-change-me@config-initializers-devise.com"

  require 'devise/orm/active_record'

  # Hash passwords with bcrypt and an application-wide pepper
  config.encryptor = :bcrypt
  config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."

  # Expire idle sessions
  config.timeout_in = 10.minutes

  # Lock the account after repeated failed logins (brute-force defence)
  config.lock_strategy = :failed_attempts
  config.maximum_attempts = 20
  config.unlock_strategy = :both # email and time
  config.unlock_in = 1.hour
end

Devise

Spam / Log Filtering / Parameters

gem 'reverse_captcha'

class Comment < ActiveRecord::Base
  captcha :nickname
end

<%= form_for @comment do |f| %>
  ...
  <%= f.captcha %>
<% end %>

Spam

gem 'recaptcha'
gem 'captcha'

require File.expand_path('../boot', __FILE__)

require 'rails/all'

Bundler.require(:default, Rails.env) if defined?(Bundler)

module Producer
  class Application < Rails::Application
    config.autoload_paths += %W(#{config.root}/app/sweepers)
    config.i18n.default_locale = "pt-BR"
    config.encoding = "utf-8"

    # Keep sensitive parameters out of the request log
    config.filter_parameters += [:password, :credit_card, :cnpj, :cpf]
    ...
  end
end

Log Filter
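What config.filter_parameters does is replace the value of any matching parameter with "[FILTERED]" before the request is logged; a filter given as a symbol matches any key that contains it, so :password also covers password_confirmation, and nested hashes and arrays are walked. The following is an added example, not code from the slides or from Rails, that reimplements that behaviour in plain Ruby over a constructed request; the SAMPLE_PARAMS hash and the ParameterFilter class are assumptions made for the example:

```ruby
# Added example, not from the original slides and not Rails' own implementation.
require 'json'

FILTERED = "[FILTERED]"

class ParameterFilter
  # filters: symbols/strings (substring match on the key, case-insensitive)
  # or Regexps, mirroring the slide's [:password, :credit_card, :cnpj, :cpf]
  def initialize(filters)
    @patterns = filters.map do |f|
      f.is_a?(Regexp) ? f : Regexp.new(Regexp.escape(f.to_s), Regexp::IGNORECASE)
    end
  end

  # Returns a copy of params with sensitive values replaced, recursing into
  # nested hashes and arrays. A matching key is filtered wholesale, so a
  # nested hash under a sensitive key is never inspected.
  def filter(params)
    case params
    when Hash
      params.each_with_object({}) do |(key, value), out|
        out[key] = sensitive?(key) ? FILTERED : filter(value)
      end
    when Array
      params.map { |v| filter(v) }
    else
      params
    end
  end

  private

  def sensitive?(key)
    name = key.to_s
    @patterns.any? { |p| p.match?(name) }
  end
end

# Constructed request parameters, shaped like a Rails params hash.
SAMPLE_PARAMS = {
  "utf8" => "✓",
  "user" => {
    "email" => "ana@example.com",
    "password" => "s3cret",
    "password_confirmation" => "s3cret",
    "cpf" => "123.456.789-09",
  },
  "cards" => [{ "credit_card" => "4111111111111111", "holder" => "Ana" }],
}

def filtered_sample
  ParameterFilter.new([:password, :credit_card, :cnpj, :cpf]).filter(SAMPLE_PARAMS)
end

puts JSON.pretty_generate(filtered_sample) if __FILE__ == $0
```

Running it prints the request with password, password_confirmation, cpf and credit_card replaced by "[FILTERED]" while email and holder survive, which is what you should expect to see in log/production.log once the initializer above is in place.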

@project = Project.find(params[:id])

Parameters

@project = current_user.projects.find(params[:id])
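The two finder lines above are the whole point of the Parameters slide: Project.find(params[:id]) trusts an id taken from the URL, so any logged-in user can open any project, while scoping the lookup through current_user.projects makes someone else's id raise RecordNotFound. The same untrusted-params problem is the mass assignment live-coding topic earlier in the deck: update_attributes(params) with no whitelist lets a client set attributes such as owner_id. The following is an added example, not code from the slides, that reproduces both patterns in plain Ruby without ActiveRecord; the Project class, the ALL_PROJECTS records and the ACCESSIBLE whitelist are constructed for the example:

```ruby
# Added example, not from the original slides; an in-memory stand-in for
# ActiveRecord so the authorization and mass-assignment behaviour can be run
# without Rails.
class RecordNotFound < StandardError; end

class Project
  ATTRIBUTES = [:id, :name, :owner_id, :published].freeze
  attr_accessor(*ATTRIBUTES)

  # Attributes a client may set from params (attr_accessible in Rails 3,
  # params.permit(...) in Rails 4+). owner_id and id are deliberately absent.
  ACCESSIBLE = [:name, :published].freeze

  def initialize(attrs)
    attrs.each { |k, v| public_send("#{k}=", v) }
  end

  # Vulnerable: assigns every known column the client sent, the pre-whitelist
  # Rails default. A form with an extra owner_id field reassigns ownership.
  def update_attributes_unsafe(params)
    params.each do |k, v|
      public_send("#{k}=", v) if ATTRIBUTES.include?(k.to_sym)
    end
    self
  end

  # Hardened: only whitelisted attributes are writable from params;
  # everything else is silently dropped.
  def update_attributes(params)
    params.each do |k, v|
      next unless ACCESSIBLE.include?(k.to_sym)
      public_send("#{k}=", v)
    end
    self
  end
end

# Constructed records: two users (ids 10 and 20) owning one project each.
ALL_PROJECTS = [
  Project.new(id: 1, name: "alpha", owner_id: 10, published: false),
  Project.new(id: 2, name: "beta",  owner_id: 20, published: false),
]

# Vulnerable lookup (Project.find(params[:id])): any user can fetch any id.
def find_project(id)
  ALL_PROJECTS.find { |p| p.id == id.to_i } or raise RecordNotFound
end

# Hardened lookup (current_user.projects.find(params[:id])): the scope is the
# user's own projects, so an id outside it does not exist for this user.
def find_project_for(user_id, id)
  ALL_PROJECTS.select { |p| p.owner_id == user_id }
              .find { |p| p.id == id.to_i } or raise RecordNotFound
end

if __FILE__ == $0
  puts "user 10 via find(2):      #{find_project(2).name}"            # leaks beta
  begin
    find_project_for(10, 2)
  rescue RecordNotFound
    puts "user 10 via scoped find: RecordNotFound"                    # correct
  end
  tampered = { "name" => "renamed", "owner_id" => 10 }                # constructed POST body
  puts "unsafe owner_id: #{Project.new(id: 3, name: "g", owner_id: 20, published: false).update_attributes_unsafe(tampered).owner_id}"
  puts "safe   owner_id: #{Project.new(id: 4, name: "d", owner_id: 20, published: false).update_attributes(tampered).owner_id}"
end
```

Note that the scoped finder does not need a separate "is this mine?" check in the controller: the authorization lives in the query, so it cannot be forgotten in a second action that also loads a project.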

Recap checklist (topics covered in the talk):

Mass Assign.
Parameters
SQL Inject.
XSS
CSRF
File System
Brute Force
Spam
Log
Session

slides: http://objetiva.co/publications
