Einführung in die Web Security 🇩🇪 ("Introduction to Web Security", in German) provides the essentials for the topic of this card.
Read the following chapters:
Read through the best-known security issues in web applications, usually referred to as the "OWASP Top 10":
https://owasp.org/www-project-top-ten/
Read the following sections from the Rails security guide. For each section you should understand the security issue and which tools Rails gives you to address it.
Understand the problem that is addressed by strong parameters (now part of Rails).
Understand how Rails protects you against the injection of unwanted HTML tags.
Read Preventing users from uploading malicious content.
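To make the problem behind strong parameters concrete, here is an added example that is not from this card and not Rails code: a plain-Ruby stand-in for an ActiveRecord model and for the attribute filtering that ActionController::Parameters#permit performs. The User class, the permit helper and the ATTACKER_PARAMS hash are constructed for illustration only; in a real app the model comes from ActiveRecord and the filtering from params.require(...).permit(...).

```ruby
# Added example (not from the card, not the Rails API): why mass assignment is
# dangerous and what the strong-parameters filter changes.

class User
  attr_accessor :name, :email, :admin

  def initialize(attributes = {})
    @admin = false            # new users are never admins by default
    assign_attributes(attributes)
  end

  # Mass assignment as ActiveRecord does it: every key in the hash becomes a
  # setter call. Nothing here knows which attributes the form was supposed to set.
  def assign_attributes(attributes)
    attributes.each { |key, value| public_send("#{key}=", value) }
    self
  end
end

# Constructed request body for POST /users. The sign-up form only has name and
# email fields, but nothing stops a client from adding admin=true to the request.
ATTACKER_PARAMS = { "name" => "Mallory", "email" => "m@example.com", "admin" => true }.freeze

# Vulnerable: the whole request hash reaches the model, admin flag included.
def create_user_unfiltered(params)
  User.new(params)
end

# Stand-in for ActionController::Parameters#permit: only attributes the
# controller explicitly allows survive; everything else is dropped.
def permit(params, *allowed)
  allowed = allowed.map(&:to_s)
  params.select { |key, _| allowed.include?(key.to_s) }
end

# Fixed: the controller decides which attributes a client may set.
def create_user_filtered(params)
  User.new(permit(params, :name, :email))
end
```

The unfiltered variant yields an admin account from an ordinary sign-up request; the filtered variant silently discards the admin key, which is exactly what the Rails filter does (with `action_on_unpermitted_parameters` you can make it log or raise instead).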
Assume our application has some PDF files with documentation:

    app/
    config/
    db/
    documents/
      markdown.pdf
      search.pdf
      registration.pdf
    lib/
    ...
We want to link to a document like this:

    = link_to 'Markdown help', '/help?doc=markdown'
So we add a route and a controller that delivers the PDF:

    # config/routes.rb
    get '/help', to: 'help#download'

    # app/controllers/help_controller.rb
    class HelpController < ApplicationController
      def download
        pdf_path = Rails.root.to_s + "/documents/" + params[:doc] + ".pdf"
        send_file pdf_path
      end
    end
Is it a good idea to build the controller that way? Can you improve it?
Tip
Get into a habit of reading code through the eyes of an attacker with bad intentions.
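The path computation from the HelpController above, beside one possible hardening, as an added example that is not part of the card. APP_ROOT stands in for Rails.root (assumed checkout path /srv/moviedb), and the two helper functions are invented for this example; nothing here touches the disk, so it runs without Rails.

```ruby
require "pathname"

# Added example, not from the card. APP_ROOT is an assumed stand-in for Rails.root.
APP_ROOT = Pathname.new("/srv/moviedb")
DOCUMENTS_DIR = APP_ROOT.join("documents")

# The path computation from the controller above, reduced to a function.
# params[:doc] is attacker-controlled, so "../config/database" walks out of documents/
# and send_file would happily deliver /srv/moviedb/config/database.pdf if it existed.
def unsafe_document_path(doc)
  APP_ROOT.to_s + "/documents/" + doc + ".pdf"
end

# Hardened version.
# 1. The document name must match a strict allow-list pattern: no "/", ".", NUL or
#    anything else that has no business in a single path component. Rails can also
#    hand us an Array or Hash for ?doc[]=..., hence the String check.
# 2. Defence in depth: expand the final path and refuse anything that does not
#    sit directly under DOCUMENTS_DIR.
DOC_NAME = /\A[a-z0-9_-]+\z/

def safe_document_path(doc)
  return nil unless doc.is_a?(String) && doc.match?(DOC_NAME)

  candidate = DOCUMENTS_DIR.join("#{doc}.pdf").expand_path
  return nil unless candidate.to_s.start_with?(DOCUMENTS_DIR.to_s + File::SEPARATOR)

  candidate.to_s
end

# In the controller the helper would be used like this (sketch, assumed placement):
#   path = safe_document_path(params[:doc])
#   path ? send_file(path) : head(:not_found)
```

Either check alone already stops the traversal; keeping both means a later change to the name pattern (say, allowing dots for versioned files) does not silently reopen the hole.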
rails server -p 4000
to boot it on http://localhost:4000). Assume this is a second domain under the attacker's control.

Brakeman is a static analysis tool that checks Ruby on Rails applications for security vulnerabilities.
Read our corresponding guide, then run brakeman -I on your MovieDB.
Understand a few of the warnings and their specific impact on the application you scanned. Could an attacker leverage the issue if we don't address it?
Every dependency that you add to your project can have security vulnerabilities. The dependencies of your app include Ruby itself, Rails, all other gems, and any JavaScript libraries.
Find out what a CVE advisory is. Understand how we're dealing with security issues when new CVEs affect our applications.
How does our product Rails LTS work? Why do people pay money for it?
bundler-audit checks for vulnerable gem versions in your Gemfile.lock.
Run bundler-audit on your MovieDB. If it doesn't find any issues, run it on one of the sample apps you checked out earlier.
Understand a few of the warnings and their specific impact on the application you scanned. Could an attacker leverage the issue if we don't address it?
Learn about HTTPS (often still called "SSL"). HTTPS gives us many useful guarantees. Most of the time we do not need to think about cryptography when we know there is HTTPS. However, HTTPS also has some limitations.
Assume an attacker takes over the router on your local network. The attacker can now see and change all network traffic between your PC and the internet.
Unaware of the attacker, you purchase articles in an online shop. Answer the following questions for both cases (1) with HTTP and (2) with HTTPS: