
...But Doesn't Rails Take Care of Security for Me?

Speech transcript
...and so on. We have like three minutes before we're supposed to start. Who was here for Mike's talk just a few minutes ago? OK, so this is like part two: just when you thought it was safe to go back on the web. Mike covered some specific problems and some breaches that have happened, and when I saw he was speaking, and we use the product, my e-mail was like, actually, your talk sounds really similar to my talk here, talking about breaches that have happened. I thought I'd go through some real things that have been found, and I'd use my list of things that I'm going to talk about: how does this conflict with anything you're talking about? And I can really only say I'm not talking about any of those, although he did highlight Ashley Madison, but I talk about that too. So if you were in that talk, this is kind of a similar talk, except going through the details of vulnerabilities that have been found in different people's sites. In case you're curious about this talk, I also just like to talk. So we have one minute before we're officially supposed to start. I like to use vacation pictures now for my title slides, and this is Meteor Crater in Arizona. It's actually the first crater that anyone actually figured out came from a meteor impact; for a long time they thought it was like a volcanic thing. In case you're wondering, it's pretty big, and I don't remember exactly how big specifically. So you have to have a detection rate and then you'd have to have some way of avoiding it, deflecting it, right?

So, the real talk. My name is Justin Collins, @presidentbeef on Twitter and most of the Internet. When I gave this talk I've actually heard people say phrases very similar to this; in fact I heard at least one person say this week, not quite "I believe Rails does everything for me", but sort of that question, like, "isn't Rails pretty good at security? Doesn't it do a lot of stuff for me?" And so that's the topic for the talk, and so the question is, does Rails take care of security for me? The answer is no, it doesn't, and that's all I have.

I would put up pictures of my cats, but everyone does that, and mine are not as funny looking as Aaron's, so here's Maternal Instinct. So there are some more details, I guess, but I hate doing these slides, but it's somewhat relevant. This is at least a snapshot that shows you my soul. So this is what my soul looks like: I've been doing application security for about six years and working on Brakeman, an open source project, for essentially the same amount of time, and the last couple of years working on Brakeman Pro. If you just need to be more professional about your security tools, great, but if you don't feel like you need the Pro version but you want to support Brakeman, you can buy licenses for Brakeman Pro and you don't have to use them. You can buy them, and that supports the open source project. OK, so that's the sales pitch, period.

So, this talk: if you're looking for what Rails does give you and what Rails does not give you, I gave a talk last year (the title slide was the Grand Canyon) about the security things that Rails does well, things it doesn't do well, and things we should do better, and then Brian Helmkamp a couple of years before that gave a talk about Rails' insecure defaults, some of which have changed in the meantime, so that's good. So if you're interested in that topic, which is not what this talk is about, you could watch those.

In between those two talks I did a talk with a co-presenter where we did a hypothetical scenario, where we acted out being developers who were really bad at security, and these are all the things that happen because of it, and I don't know how well that went over, but this talk is kind of like that, except this is all real, and these all come from public disclosures, mostly from bug bounties, and sometimes from people who didn't necessarily get a bug bounty out of it. I'm not picking on these companies at all; I like most of these companies, and I'm sure they're great, especially Twitter, I still work there. These are just the well-done write-ups that I could find and share with you, that don't just say "there was SQL injection" but walk through what actually happened, and none of these are things that Rails will save you from. So the first one is Twitter. I work there, so I can share this, and it's public anyway.
Just let me know I'm not picking on them. So the researcher was looking around on the ads site, and he noticed that when you put in a credit card and we check it and go, oh, that's not a valid credit card, you get this little modal like, oh, we weren't able to approve that card, and you have two options of what to do with it: one is try again, and the other one is dismiss. And he noticed that when you hit dismiss there's a method that gets called, a URL it goes against, and you can see there's the account ID (this is actually the bug bounty researcher's account) and then payment methods, handle failed, and an ID. Sorry, this is a Rails app we're talking about, and so that thing at the end is probably the ID for the payment method, and what he noticed would happen is the payment method would go away. So he's looking at this number thinking, this is probably the ID of the payment method; what if I just change it, does that still work, is that going to delete that payment method? Well, it turns out in the backend there's code that looked something like this, where it looks up the payment method from the ID parameter and deletes it. I still think, when I was reading that, that's so weird that dismiss deletes it, but that's another thing. So this is exactly what was happening, and in the web security world this would be considered an insecure direct object reference: direct object reference because the ID is the row in the database, and it's insecure because we're not checking that the person deleting that row actually owns that row. Another term for this exact thing is an unscoped find. I don't think I came up with this term, but then I searched and it doesn't seem like anyone else uses it, but in reality you can scope your finds, or you could not scope them, or you could unscope them, so this is kind of a find that wasn't scoped properly. The way you should do this is to scope it to the current user and then do your find for the payment method and then delete it. OK, so for this we paid out twenty-one hundred dollars; I'm fairly certain that was our largest bug bounty payout to date. Why? Because someone could delete all of our customers' payment cards, and that's how Twitter makes money, from people paying for ads, and you can imagine that would be a huge loss for us. So they reported it to the bug bounty and won twenty-one hundred dollars. Next is United.

I put the links in, for later, if you want to read the write-ups from these people.
So in this case there's a guy, and United launched a bug bounty program, and it's kind of famous because they reward you in miles, which is not what other companies give you, but then you have the flight itself. So you see what he was looking at: he was proxying the traffic from the mobile app just to see what was going on, and he noticed there was a request. Sorry, it's a little bit off the screen, but the details don't really matter. It's making a POST request; I cut out some stuff, but in the request there's this key number, so United has a MileagePlus number or something like that. I don't fly them, so I don't know. He thought, oh, that's kind of like my user ID; what if I change that? You might notice a trend here, right? So what if I change the number to someone else's number, what would I get back? He got back a whole bunch of information. It's small, but if you zoom in it includes what flight they're on, the booking, their name, where they're going, when the flight leaves, when it's coming, when it's going, every leg of the trip. There's a whole bunch more information, but he noticed in particular there's a record locator and there's a last name. Any guesses why those might be important? Yes, exactly. So what do you do when you check into a flight, what do you do when you look up a flight and you didn't create an account on the airline's website? You put in the record locator and your last name.

So the reporter found this too; you can see that all you need is that number and last name, and there's a list here of all the things you can do with the reservation: change it, cancel it, get a receipt. Another thing he mentioned is you can see the person's emergency contact information, whatever they put in for the emergency contact. So that confirmation number and last name, you could look that up for any MileagePlus member number. So it's pretty bad, but there's some drama, because he reported it to them and they didn't fix it for a long time, and then he threatened to publicly disclose it, and then suddenly it was fixed. And then "we were working on it the whole time, and by the way your report was a duplicate, so we're not giving you any money", which happens a lot in bug bounties, and being on the other side, it just happens. So he didn't get any money for it. I guess it was a pretty obvious one and other people had it.
Domino's Pizza. I don't eat a lot of Domino's. I seem to recall they had rectangular shaped pizzas, which they don't even have now, I don't think, and you don't remember square pizzas either. So again, in this case it's kind of interesting because he was actually looking for something else; he was curious how they generated these, because apparently sometimes on the mobile app they would give you a random coupon for ten dollars off or something. So he was actually looking for that, but what he found was that the way the payment system worked was the phone actually handled the payments. So you put in your credit card number, it would send it to the payment processor, the payment processor would take it, and then it would send back "OK, that was successful, and here's the transaction ID, the reference number for that credit card transaction", and then the app would send that to Domino's with your order and then they would make your order for you. So he thought, alright, what if there's a failure? Just fake it and send it to Domino's. I've got to tell you there is some XML ahead; if you need to avert your gaze, it's fine, it's not that bad.

This is what would come back from the payment processor if it failed: status "Not Authorized", then there was a reason, "declined", and then a status number, and we assume 7 means declined for some reason. So he thought, what if I change it? As far as I know he didn't change anything else, just changed it to success and then passed it on to Domino's. So it failed, but he changed that to success, sent it to Domino's, and they were like, of course this will work. So check this out: he sees, well, it says they're working on it, but you know how mobile apps are, maybe it's just lying or something, so he called them: did you get an order for me? And they were like, we're working on it, we'll get it to you in 30 minutes, whatever it was. And he felt kind of bad about it, so when the guy showed up he was like, oh, I think there was a mistake; here's the money for it. So he didn't actually get a free pizza out of that.

In this case it's simply that the server didn't check that what the client told it was true. It had the reference number from the payment processor; all it had to do was ask the payment processor, was this transaction successful? If they had just done that validation, no problem. And so a saying in the security world is that you shouldn't trust anyone, and I was thinking about that because I could just tell you don't trust anyone, but when you're building an application you actually do have to trust some of the things that are sent to you, depending on where they come from. So the main thing is you need to think about who you're trusting and what you're trusting and if you should. So unfortunately you can't just trust no one.
And let's talk about Ashley Madison. I included their tag line here because I think it's a total logical fallacy: life is short, so have an affair; life is short, so make your life even worse by ruining it. So they had a whole bunch of information stolen, and I don't know how it was stolen, and I'm not going to talk about how it was stolen, but part of what was stolen was database dumps and the source code. Interestingly, not just source code but git repos, which is very interesting, and it will become apparent why that's interesting. So in that were about 36 million passwords; however, they were hashed with bcrypt, which is maybe not the top of the state of the art, but pretty much the recommendation: use bcrypt with a decent work factor, which they were doing, so that was good. And at the time, not that long ago, people were like, OK, we are certainly going to try to crack the bcrypted hashes to get the passwords, but there's a group that took a different approach. I warn you, again, even worse than last time, there is some PHP code ahead, but it's not that bad; I think you will survive.

I almost rewrote it in Ruby, but it's actually kind of longer and I wanted it to fit on the slide. So they found some code and it's calculating this login key, and we actually don't care what that was for; all we care about is that the login key was in the data in the database associated with the user. So they saw this and were like, OK, MD5 hash, that's a red flag. There's the username and it's up against the password, and for some reason they lowercase both of those, which just makes this whole thing worse. But it's bcrypting it first, so we're dealing with the hash of a bcrypted password, and that's not very useful if I'm trying to crack the password. So then they looked in the git history and they found that this code used to look like that: it used to just hash the lowercased password directly. So that was pretty interesting, because they knew the username and they knew the login key and they knew how it's constructed, so now you can calculate, I believe it's billions of MD5 hashes a second. So this was a good place to start. There's another piece of code below, and here LC means lowercase, where they're doing it, and this was also to calculate a login key, so who knows what's going on in the code base. In this case they had username, password, email, and then this secret key, but remember we have all of the database and all of the source code, so the key is not secret, usernames are not secret, email is not secret; the only secret is the password. So this was another avenue that they decided they could use to try to crack these hashes. And so they started doing this: about two and a half million passwords were cracked. They didn't say exactly how long, but they said in a few hours they had this, and remember all these other people were trying to crack the bcrypted passwords, which would take years and years and years. So in a few hours they had two and a half million passwords, and in a few days (I didn't follow up with all that, but in the second post they did) they said they had almost 12 million passwords that they'd cracked. To be fair, and I don't have a link to that post but you could probably find it, most of those passwords were pretty awful passwords. So this is, I think, an interesting story, because they were doing the right thing; they were using bcrypt for storing the password, but then on the side they were doing something with a much weaker hashing function, and that meant that as a researcher you don't have to crack the ones that were using the much stronger hash. And if you pay attention, yes they were lowercasing the password, but most of the passwords were lowercase anyhow, and as the researchers were cracking them, if they found a hash that works they would just try a few iterations of different capitalization and they could pretty much get it fairly quickly, and then they compared those: they could calculate the bcrypt hash and compare, so they could be sure these are actually the passwords. So don't use weak hashing algorithms. I know this example with the picture is not actually hashing, but it is the idea, right? You're trying to hide something and you kind of feel like you hid it but you didn't really. So just avoid using MD5, avoid using SHA-1, use SHA-256 for this kind of thing, not for passwords, but for things other than passwords.
Facebook. This one will be really quick. So you want to reset, you forgot your password on Facebook, so you go on and they say OK, we're going to send you a 6-digit code; you type in the code and we'll reset your password. I actually don't know what happens after that, but it will get you into your account. So 6 digits, how many possibilities is that? Yes, very quick, one million. So that's actually a reasonable number to just try all of them. So the researcher, and if you do bug bounties, and probably other security researchers know this, the forgot-password flow is often a weak point in websites, because you're basically saying, I don't know the true credentials that I should be using to get into your site, so give me some other way to get in, and oftentimes there are flaws in that. So he's looking at this and he tried it, and I don't know how many times he tried it, but it was rate limited, so he was like OK, that's expected. But then he went over to another site that he happened to know about, which was Facebook's beta site. It just so happened that they did not have rate limiting on that site, so essentially for any account where he knew the username, email, or phone number, he could get into the account, because you just request the code (it doesn't matter what the code is) and then you just sit there trying at most a million times in the absolute worst case, which you could do relatively quickly, especially compared to trying to brute force a password. So in this case it's just a missing rate limit. There should have been one and there wasn't. And interestingly this is probably the simplest of all these examples, and yet he got the most money, because the impact is that you can get into anyone's Facebook account.
So the next one. I don't know how to pronounce this, so I say "images". So Imgur, you upload photos or whatever, and people look at them, comment and vote, and I say very casually that I spend a lot of time on this site anyhow. And they have this functionality where you can give them the URL to a video and then they convert it to a GIF (I'll be honest, I'm a real introvert, I don't talk to a lot of people, so most words I only pronounce in my head and then I have to get up and talk about something, sorry). So in this case you point it at a video on YouTube or something and it will convert it to a GIF and then you can show it on the site. So the researcher was looking at this and noticed how it works: there's some endpoint and it passes in a URL and then it goes and fetches that URL. Of course, it's pretty simple functionality, something like this: you give Imgur a URL and then it fetches it with wget or something, and this is called server-side request forgery, because you're basically asking the server, like Imgur's servers, to go and make a request to another server essentially on your behalf. And you can use this for things like denial of service attacks or any kind of attack where you can hide behind someone else, or maybe they have way more bandwidth than you do, or maybe they have a trust relationship between the servers that you don't have. But that's not exactly what this is about. So the researcher was like, what if I change that? What if instead of HTTP I use SFTP, and then I set up a server, not that one but some server, where I can see the request that comes into my server, and just see what happens. So he set up a server using netcat to listen on that port and see what comes in, and what came in was "I'm coming to do my SFTP here" or whatever, and the first thing that comes in is "I am libcurl and this is my version", and that's pretty useful information. And so what he did was he basically started trying all these different protocols, and essentially Imgur would just go and do whatever you gave it. I didn't go through the whole example code; from a severity point of view it's not that interesting, but if you go read the post, which again I linked and of course the slides will be available, he set up a server that it would hit, I think it hit it with SFTP, but then he redirected them to a URL and tricked them into sending an SMTP request to another server. So he was actually using them to send mail, so it's kind of an overcomplicated example of what you could do with it. The main thing is you can make these requests and essentially use them as a proxy. He got two thousand dollars for that, and I don't think I put this slide in, but basically if you're not expecting to make these kinds of requests, you should be checking that you're not making these kinds of requests. So he got two thousand dollars for that.
Our last example. I realize this is also Facebook, and I'm not picking on them, but this came out a little bit ago, and there was a lot of drama around it. I'm not going to talk about the drama or the causes or who may or may not have been at fault; I'm just going to talk about what he did, because it is such a really interesting example of going from having some little bit of information to, as you'll see, a very interesting chain. So he's a bug bounty guy, a security researcher, and someone tells him, hey, I saw on Instagram they seem to have some kind of admin panel that's on the internet; that's all I really know about it, but maybe you can check it out. So he starts looking around, like what is this, and he ends up on GitHub and notices that this admin panel is actually open source, and you may notice something, which is this is a Rails app, right, where the Rails comes from and brings it back to Rails. So this is a Rails app, and he pokes around, and there are well-known issues with Rails apps, right, and he finds that. So he finds the secret token, and honestly, is it bad that this is here? Yes. But if you remember one thing, the point to take away here is that if you're using an open-source Rails application somewhere in your infrastructure, you should go and change the secret token. So he sees this is the secret token, and also this is running Rails 3.2.14, which I believe is from 2013, so pretty old. And he does more research, and it doesn't really matter, because we know in this room that in Rails 3 the session cookie is signed, but it's code that has literally been marshaled to a string, but signed, and usually the signing is what keeps us safe. But he has the signing key, and when you unmarshal code it's possible to execute code, right; if you've been around for a couple of years you probably remember 2013. So the session cookie is signed marshaled code, and if you have the signing key you essentially have remote code execution. Now if you read his blog post it's actually a little confusing, because the exploit he used was for Rails 3.2.11 and 3.2.10, which I think was fixed in 3.2.11, but then he used it on 3.2.14, so I have no idea what that means, but I'm just letting you know. But in any case, however he did it, he was able to create a forged session, the server accepted it because he signed it with the correct key (they hadn't changed it from the open source repo), and he got a remote shell on the box. So at this point, honestly, he was done, and again I'm not talking about the drama, but this is where it starts. So he has a remote shell, that's awesome, what can we do?

And so he decides, well, there's a database for the web server, I'll just connect to it through my shell and see what's there, and what's there is passwords. That's awesome; however, they're bcrypted. OK, but now there's no MD5 bypass this time, but instead what happens is he's like, well, whatever, I'll try cracking them anyway, long shot, little to lose, and he thinks, jackpot. So six of the passwords were just "changeme", surprise, someone set up an account for someone and they never changed the password; three of them were the same as the username; two of them were just "password"; and one was "instagram", which makes me believe that when he set up his cracking tool he seeded it with some of this information, right. That's bad.

He logged in just to show that he could, and this is actually not that interesting, because as a web app, well, maybe I could set off some kind of security alerts, not that interesting to an attacker. So then he starts poking around and notices on that box there are keys for AWS, and then he goes to that box, and on that box there are more keys to other S3 buckets, and he starts looking around, and again, not talking about the drama, but you can see where the drama would come from. He said, wow, there's tons of stuff, like anything you can imagine I can probably access, and this is all from using an open-source Rails app that had the secret token in the source code, a really old version of Rails, really weak passwords which weren't used for anything except logging in, but weak passwords, and then the keys were sitting on the servers, which, how do you solve that? I think that's actually the least bad thing on this list really. So he got twenty-five hundred dollars, and I don't know if it was worth the drama that he went through, but again you can read that on the internet. So just to summarize.
Here, and it's kind of off to the side, are things you should do. OK, so verify that the current user can do the thing that they're asking to do, that they can access the data they're asking to access, and I want to point out that this is not just from the web browser necessarily; if you're in a service-oriented architecture, you should think about that too. Again, think about trusting, think about who you're trusting, never trust the client, so think about these trust relationships. Always try to use strong hashing algorithms, and I know there's a strong temptation, like, this doesn't really matter, right, it's easy, I'm not really hashing the password or something along those lines, but you can use SHA-256, it's super fast and strong, so just use that. For important actions like logging in, confirming codes, any kind of action that is easy for someone to brute force, or even if it just causes you financial loss, put a rate limit on it. Don't put your secrets in your source code. It's kind of a hot topic, because you're like, well, my source code is right here, then where do I put my secrets? The thing is, if you have someone steal your source code, which happens, because it happened to Ashley Madison, you don't want to have your secrets right there in the code, and certainly don't put them on GitHub, which happens all the time. So if you just don't have them in your source code it's just not a problem. And finally, I know it seems like such generic security advice, always use strong passwords, but they're going to, at your work, set up the admin panel and say, here's a password or whatever, and if that internal thing ends up on the internet, you don't want to be the person who's using the password "password". You're not going to feel good when your security team comes to you and says, by the way, someone logged into the account and your password was "password". It's not a good time.

People always ask about resources. I know people ask, and you probably actually know better, but if you really want to know about vulnerabilities, check out the OWASP Top 10. It is a good list; it's a very good reference. If you're looking for what should I do, as opposed to what should I not do, there's a new OWASP Top 10 of Proactive Security Controls, which sounds very formal, but actually the documentation is very good to go through, and it tells you things like think about trust, protect stuff, encrypt stuff; it's just a good checklist to go through. If you're looking for hands-on trying stuff out, there's RailsGoat, actually from nVisium, but it's an OWASP project, so it's a purposely vulnerable Rails application, but it also gives you a sense of maybe you should try this or that, and if you really want someone to walk you through things, that's a good resource. And also nVisium has these SecCasts, which you do have to sign up for, but they're free; they're a pretty good resource for Rails security and security in general, both on defending against things and also trying to hack into stuff. So that's it, I made the slides.
so like I believe almost everyone at this conference is packing stickers to give away so if you like 1 of these 3 I have them with me on after the next talk really have a security birds of a feather I don't know where the Dizzy 1 where those or state of the luncheon OK so all the OK great so it's in lunchrooms on a right after the next talk so if you wanna come talk to us about more this stuff and if you live in the San Francisco Bay area will not you live every few company lives there feel free to contact me if you want me to come and talk at your company I'm happy to do that and this is where you can find me on the Internet thank you future yes so the question is are they want those but payloads and low in this this I think I can talk forever about but values and because it is a hard thing uh lake water things worth our and I mean yeah maybe you think it's low maybe really think it's high you have to also consider like what's the budget for bogged down in course this because a ton of money so that and yet I mean the guy uh the other guy that did the Instagram thing this whole thing was like they should they be like a million dollars for this so yes it's a it's tough honestly because I've been a part of a couple but programs on the receiving side and is very hard to think through right what's what's this worth how much do we pay how does it compare to other things that we've seen and I mean the thing is like is like while this could destroy a business like tin take can you really get a finance department like we like to pay them like half a million dollars like no one's in a governor even if a wiped out of this yeah so the question is where do you put your secrets because someone has to actually use them at some point of I mean there are products that will do it for you essentially you want to store them somewhere and make sure that only the servers that actually need certain keys get those keys the but that's basically the the best you can do the and then you 
know you protect that store of keys you know and the next thing you know is if you automate all that then you can rotate them really easily which is nice and but basically this you know you got from somewhere and then make sure the encrypted there and make sure they only go to the boxes that need them and that access to that you know if you don't want someone using the the rail city that might mention to read those files if you can help can yeah so the question is even when you're doing it that way it how do you securely transfer them between servers I mean ASA late at some point you reach a point where like OK it's safe enough you know because really the main thing is than sitting on servers relation P or being too widely available you don't want everyone in your company you have access to the main keys but of course when you when you are transferring them I mean you just use SCP or something and you can have she's on you'd have QS and you'd be using SSH keys on servers or I mean if you want you can cook them and some them over ssh and different them on the box mean he held but then you have looked like you said the next level like well but then we have to share the key to decrypt it and that they said there are like kind commercial solutions there are also open-source solutions actually I you can look into but yeah this is my sisters the hard problem and I think you have to get to where were like this is not our weakest point anymore that that there's a question over here I thought you know but it it will make you which few thank all my all my
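The secrets-handling advice in the Q&A above (keep secrets encrypted where they are stored, hand each secret only to the servers that actually need it, and automate rotation) as an added Ruby example. This is not code from the talk or from any product it mentions; the `SecretsDistributor` class, the server names `web-1`/`worker-1`, and the secret values are hypothetical and constructed for the example. Each server holds its own 32-byte key out of band; the store wraps every granted secret with AES-256-GCM under that server's key, using the secret's name as associated data, so a bundle captured from one box is useless on another and becomes useless everywhere once the key is rotated.

```ruby
require 'openssl'
require 'securerandom'
require 'base64'

# Added example (not from the talk): a minimal secrets distributor that keeps
# secrets encrypted at rest and hands each server only the secrets it needs.
# All names and values here are hypothetical.
class SecretsDistributor
  AEAD = 'aes-256-gcm'.freeze

  def initialize
    @secrets = {}      # name => plaintext, held only where the store itself runs
    @server_keys = {}  # server => 32-byte key that server holds out of band
    @grants = Hash.new { |h, k| h[k] = [] } # secret name => servers allowed to receive it
  end

  def add_secret(name, value)
    @secrets[name] = value
  end

  def register_server(server)
    @server_keys[server] = SecureRandom.random_bytes(32)
  end

  def grant(secret, server)
    @grants[secret] << server
  end

  # Key a server would hold locally (exposed so the example can play both sides).
  def key_for(server)
    @server_keys.fetch(server)
  end

  # Build the bundle for one server: only granted secrets, each sealed under its key.
  def bundle_for(server)
    key = key_for(server)
    @secrets.each_with_object({}) do |(name, value), out|
      next unless @grants[name].include?(server)
      out[name] = self.class.seal(key, value, name)
    end
  end

  # Rotation: a fresh key means any previously captured bundle no longer decrypts.
  def rotate_server_key(server)
    @server_keys[server] = SecureRandom.random_bytes(32)
  end

  # AES-256-GCM with the secret name as associated data, so an entry cannot be
  # silently relabelled as a different secret without failing the tag check.
  def self.seal(key, plaintext, label)
    c = OpenSSL::Cipher.new(AEAD).encrypt
    c.key = key
    iv = c.random_iv
    c.auth_data = label
    ct = c.update(plaintext) + c.final
    { iv: Base64.strict_encode64(iv), ct: Base64.strict_encode64(ct),
      tag: Base64.strict_encode64(c.auth_tag) }
  end

  # Raises OpenSSL::Cipher::CipherError on a wrong key, wrong label or tampering.
  def self.unseal(key, entry, label)
    c = OpenSSL::Cipher.new(AEAD).decrypt
    c.key = key
    c.iv = Base64.strict_decode64(entry[:iv])
    c.auth_tag = Base64.strict_decode64(entry[:tag])
    c.auth_data = label
    c.update(Base64.strict_decode64(entry[:ct])) + c.final
  end
end

# Walk through grant, distribution, cross-server misuse and rotation.
def demo
  store = SecretsDistributor.new
  store.add_secret('db_password', 'constructed-db-pw')        # constructed sample value
  store.add_secret('payment_api_key', 'constructed-api-key')  # constructed sample value
  %w[web-1 worker-1].each { |s| store.register_server(s) }
  store.grant('db_password', 'web-1')
  store.grant('db_password', 'worker-1')
  store.grant('payment_api_key', 'worker-1') # the web tier never receives the payment key

  web_bundle = store.bundle_for('web-1')
  worker_bundle = store.bundle_for('worker-1')
  try = lambda do |key, entry, label|
    SecretsDistributor.unseal(key, entry, label)
    :decrypted
  rescue OpenSSL::Cipher::CipherError
    :rejected
  end

  old_web_key = store.key_for('web-1')
  store.rotate_server_key('web-1')
  {
    web_names: web_bundle.keys.sort,
    worker_names: worker_bundle.keys.sort,
    web_db: SecretsDistributor.unseal(old_web_key, web_bundle['db_password'], 'db_password'),
    cross_server_read: try.call(old_web_key, worker_bundle['db_password'], 'db_password'),
    after_rotation: try.call(store.key_for('web-1'), web_bundle['db_password'], 'db_password')
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

The bundle is what you would ship to a box over SSH/SCP as described above; the per-server key is the one piece that still has to be placed out of band, which is the "next level" sharing problem the answer mentions, and this example does not pretend to solve it.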

Metadata

Formal metadata

Title ...But Doesn't Rails Take Care of Security for Me?
Series title RailsConf 2016
Part 09
Number of parts 89
Author Collins, Justin
License CC Attribution - ShareAlike 3.0 Unported:
You may use, modify, and reproduce, distribute and make publicly available the work or its content, in unaltered or altered form, for any legal and non-commercial purpose, provided that you credit the author/rights holder in the manner they specify and pass on the work or this content, even in altered form, only under the terms of this license.
DOI 10.5446/31587
Publisher Confreaks, LLC
Year of publication 2016
Language English

Content metadata

Subject area Computer science
Abstract Rails comes with protection against SQL injection, cross site scripting, and cross site request forgery. It provides strong parameters and encrypted session cookies out of the box. What else is there to worry about? Unfortunately, security does not stop at the well-known vulnerabilities and even the most secure web framework cannot save you from everything. Let's take a deep dive into real world examples of security gone wrong!
