Seguranca em APP Rails

•

0 j'aime•478 vues

Daniel Lopes

Apresentação feita no Café Ágil 2011 BH sobre segurança em aplicativos web com foco especial em Ruby on Rails.

Technologie

é ...
lv o
O a
App
75%

Host
25%

Instituto Gartner

XSS SQL INJECTION
CSRF Session
Mass Assign
Parâmetros Arquivos
Logs

$class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :styles => { :medium => "300x300#", :thumb => "50x50#" } validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document default_scope :order => "created_at DESC" end$

$class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :path => ":rails_root/uploads/:attachment/:id/:style/:style.:extension", :styles => { :medium => "300x300#", :thumb => "50x50#" } has_attached_file :document, , :whiny => false validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document validates_attachment_content_type :document, :content_type => %w(image/jpeg image/pjpeg image/gif image/png) default_scope :order => "created_at DESC" end$

send_file('/var/www/uploads/' + params[:filename])

../../../etc/passwd

Devise
Devise.setup do |config|
config.mailer_sender = "please-change-me@config-initializers-devise.com"

require 'devise/orm/active_record'

config.encryptor = :bcrypt
config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..."

config.timeout_in = 10.minutes

config.lock_strategy = :failed_attempts
config.maximum_attempts = 20
config.unlock_strategy = :both # email and time
config.unlock_in = 1.hour
end

Spam
gem 'reverse_captcha'

class Comment < ActiveRecord::Base
captcha :nickname
end

<%= form_for @comment do |f| %>
...
<%= f.captcha %>
<% end %>

gem 'recaptcha'
gem 'captcha'

$Log Filter require File.expand_path('../boot', __FILE__) require 'rails/all' Bundler.require(:default, Rails.env) if defined?(Bundler) module Producer class Application < Rails::Application config.autoload_paths += %W(#{config.root}/app/sweepers) config.i18n.default_locale = "pt-BR" config.encoding = "utf-8" config.filter_parameters += [:password, :credit_card, :cnpj, :cpf] ... end end$

Parâmetros

@project = Project.find(params[:id])

@project = current_user.projects.find(params[:id])

☐ Mass Assign. ☐ Brute Force
☐ Parâmetros ☐ Spams
☐ SQL Inject. ☐ Log
☐ XSS ☐ Session
☐ CSRF
☐ File System

☑ Mass Assign. ☑ Brute Force

☑ Parâmetros ☑ Spams

☑ SQL Inject. ☑ Log

☑ XSS

☑ CSRF

☑ File System

• SSL

• Criptografia

• Automated Protection

• Pen. Testing

• Mantenha-se Atualizado

Contatos
@danielvlopes
daniel@objetiva.co
www.objetiva.co

Cursos
www.egenial.pro/cursos

Contenu connexe

Tendances

Front End Development Automation with Grunt

Ladies Who Code

Zend Con 2008 Slides

mkherlakian

Introduction to node.js

Md. Sohel Rana

CasperJS

LearningTech

We all know how amazing Webpack is, we have all heard it somewhere that we should start using it right now the problem usually is how to start. The configuration is not really self-explanatory and can sometimes get really confusing so in this talk I will walk us through getting Webpack set up as we can all make sense of the configuration and what little part does and be ready to start our own projects.

The hitchhiker's guide to the Webpack - Sara Vieira - Codemotion Amsterdam 2017

Codemotion

Refactoring.the.ruby.way

Shouichi KAMIYA

How to Speed Up Your Joomla! Site

Daniel Kanchev

Hash Signaling Made Easy

davidgouldin

Compass VS Less

Sarah Hick

Web Development: The Next Five Years

sneeu

WordPress Performance & Scalability

Joseph Scott

Introduction to performance tuning perl web applications

Perrin Harkins

Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…

Atwix

EasyEngine - Command-Line tool to manage WordPress Sites on Nginx

rtCamp

WordPress Need For Speed

pdeschen

Rapid API development on MongoDB

Daniel Hjelm

Once upon a time, there were css, js and server-side rendering

Andrea Giannantonio

Drupal can be a resource-intensive system. Any moderately complicated site will generate a lot of database queries and use a fair amount of memory to build pages to serve to visitors. With some judicious tuning, however, Drupal can perform really well, and at scale. In this webinar, Drew Webber, Principal Support Engineer at Acquia, will discuss some common pitfalls encountered by sites that struggle in the face of increased traffic. Attendees will walk away with a deeper understanding of: -The most common problems encountered when it comes to Drupal site performance -Ways of identifying performance bottlenecks on your Drupal site -How to avoid these common pitfalls and remedy these issues (often without writing a single line of code!) -What not to do when building and running your site

Common Pitfalls for your Drupal Site, and How to Avoid Them

Acquia

WebSockets and Java

Bozhidar Bozhanov

Presentation given at WordCamp Europe 2017 in Paris 2017-06-16. Xdebug is a tool for developers to gain insight into how PHP is executed. Using it for profiling is a very effective, fast and precise method to find bottlenecks in your WordPress site. In this talk I explain how to use it with Webgrind, how to find potential optimization targets, show examples of real cases when Xdebug helped fix a performance problem and also explain what Xdebug is not suitable for and what can be used instead. If you are not a developer, you’ll learn what Xdebug is capable of and when to ask a developer to use it.

Improving WordPress Performance with Xdebug and PHP Profiling

Otto Kekäläinen

Tendances (20)

Front End Development Automation with Grunt

Zend Con 2008 Slides

Introduction to node.js

CasperJS

The hitchhiker's guide to the Webpack - Sara Vieira - Codemotion Amsterdam 2017

Refactoring.the.ruby.way

How to Speed Up Your Joomla! Site

Hash Signaling Made Easy

Compass VS Less

Web Development: The Next Five Years

WordPress Performance & Scalability

Introduction to performance tuning perl web applications

Host and Boast: Best Practices for Magento Hosting | Imagine 2013 Technolog…

EasyEngine - Command-Line tool to manage WordPress Sites on Nginx

WordPress Need For Speed

Rapid API development on MongoDB

Once upon a time, there were css, js and server-side rendering

Common Pitfalls for your Drupal Site, and How to Avoid Them

WebSockets and Java

Improving WordPress Performance with Xdebug and PHP Profiling

En vedette

Ecossistema Ruby e Rails (Serpro BH)

Daniel Lopes

BDD e TDD (Café Ágil)

Daniel Lopes

Minicurso Ruby e Rails (RailsMG UNA)

Daniel Lopes

Filosofia Ruby e Rails (UFOP e Inforuso 2010)

Daniel Lopes

Frontline - Rails3.1

Daniel Lopes

Steak (Oxente Rails)

Daniel Lopes

Adobe Air e HTML (FlexForKids)

Daniel Lopes

Steak (Ruby on Rio)

Daniel Lopes

En vedette (8)

Ecossistema Ruby e Rails (Serpro BH)

BDD e TDD (Café Ágil)

Minicurso Ruby e Rails (RailsMG UNA)

Filosofia Ruby e Rails (UFOP e Inforuso 2010)

Frontline - Rails3.1

Steak (Oxente Rails)

Adobe Air e HTML (FlexForKids)

Steak (Ruby on Rio)

Similaire à Seguranca em APP Rails

Rails Security

Wen-Tien Chang

Slides from our talk "Service discovery and configuration provisioning" presented by Mariusz Gil at PHP Benelux 2016 Apache Zookeeper or Consul are almost completely unknown in the PHP world, although its use solves a lot of typical problems. In a nutshell, they are a central services of provisioning configuration information, distributed synchronization and coordination of servers/processes. It simplifies the processes of application configuration management, so it is possible to change its settings and operation in real time (eg. feature flagging). During the presentation the typical cases of use of Zookeeper/Consul in PHP applications will be presented, both strictly web and workers running from the CLI.

Service discovery and configuration provisioning

Source Ministry

Rails 3: Dashing to the Finish

Yehuda Katz

HA websites are where the rubber meets the road - at 200km/h. Traditional separation of dev and ops just doesn't cut it. Everything is related to everything. Code relies on performant and resilient infrastructure, but highly performant infrastructure will only get a poorly written application so far. Worse still, root cause analysis in HA sites will more often than not identify problems that don't clearly belong to either devs or ops. The two options are collaborate or die. This talk will introduce 3 core principles for improving collaboration between operations and development teams: consistency, repeatability, and visibility. These principles will be investigated with real world case studies and associated technologies audience members can start using now. In particular, there will be a focus on: - fast provisioning of test environments with configuration management - reliable and repeatable automated deployments - application and infrastructure visibility with statistics collection, logging, and visualisation

Burn down the silos! Helping dev and ops gel on high availability websites

Lindsay Holmwood

Rails 3 overview

Yehuda Katz

Ajax Performance Tuning and Best Practices Perhaps the most primary motivation to develop Ajax application is to have better user experience hence how to achieve the optimized response time becomes an important aspect in Ajax performance optimization. In this session, we will focus on discussing the improvement of the network transfer time and the JavaScript processing time as the server response is already generally well understood. We will use an Ajax framework case study to show how an Ajax optimization process can be used to optimize the performance. During the optimization process, we will demonstrate how to measure the performance, how to determine the bottlenecks and how to resolve the problems by applying various best practice. Various tools like NetBeans, Firebug, and YSlow will be illustrated to show when to use what and how to use them. The list of Ajax Performance tuning tips on combining CSS and JavaScript resources, setting the correct headers, using minifed JavaScript, GZip contents, and Strategically placing of CSS links and JavaScript tags will be discussed in the session. Intermediate level Ajax and Enterprise developers can really benefit from this session. After the session, the audience will be able to: -apply Ajax Performance Optimization process -choose the right tool and use them -lleverage various best practice and performance tuning tips -improve their Ajax application response time ultimately Perhaps the most primary motivation to develop Ajax application is to have better user experience hence how to achieve the optimized response time becomes an important aspect in Ajax performance optimization. In this session, we will focus on discussing the improvement of the network transfer time and the JavaScript processing time as the server response is already generally well understood. We will use an Ajax framework case study to show how an Ajax optimization process can be used to optimize the performance. During the optimization process, we will demonstrate how to measure the performance, how to determine the bottlenecks and how to resolve the problems by applying various best practice. Various tools like NetBeans, Firebug, and YSlow will be illustrated to show when to use what and how to use them. The list of Ajax Performance tuning tips on combining CSS and JavaScript resources, setting the correct headers, using minifed JavaScript, GZip contents, and Strategically placing of CSS links and JavaScript tags will be discussed in the session. Intermediate level Ajax and Enterprise developers can really benefit from this session. After the session, the audience will be able to: -apply Ajax Performance Optimization process -choose the right tool and use them -lleverage various best practice and performance tuning tips -improve their Ajax application response time ultimately

Ajax Performance Tuning and Best Practices

Doris Chen

Capture, record, clip, embed and play, search: video from newbie to ninja

Vito Flavio Lorusso

Summit2014 topic 0066 - 10 enhancements that require 10 lines of code

Angel Borroy López

AmazonS3 & Rails

_martinS_

CCI2018 - Automatizzare la creazione di risorse con ARM template e PowerShell

walk2talk srl

UKOUG 2011 - Drag, Drop and other Stuff. Using your Database as a File Server

Marco Gralike

Moving a Windows environment to the cloud - DevOps Galway Meetup

Giulio Vian

BP-6 Repository Customization Best Practices

Alfresco Software

The security of an application is a continuous struggle between solid proactive controls and quality in SDLC versus human weakness and resource restrictions. As the pentester's experience confirms, unfortunatelly even in high-risk (e.g. banking) applications, developed by recognized vendors, the latter often wins - and we end up with critical vulnerabilities. One of the primary reasons is lack of mechanisms enforcing secure code by default, as opposed to manual adding security per each function. Whenever the secure configuration is not default, there will almost inevitably be bugs, especially in complex systems. I will pinpoint what should be taken into consideration in the architecture and design process of the application. I will show solutions that impose security in ways difficult to circumvent unintentionally by creative developers. I will also share with the audience the pentester's (=attacker's) perspective, and a few clever tricks that made the pentest (=attack) painful, or just rendered the scenarios irrelevant.

Applications secure by default

Slawomir Jasek

Applications secure by default

SecuRing

The top 10 security issues in web applications

Devnology

Resource Registries: Plone Conference 2014

Rob Gietema

Php frameworks

Anil Kumar Panigrahi

HTML5 New and Improved

Timothy Fisher

[Coscup 2012] JavascriptMVC

Alive Kuo

Similaire à Seguranca em APP Rails (20)

Rails Security

Service discovery and configuration provisioning

Rails 3: Dashing to the Finish

Burn down the silos! Helping dev and ops gel on high availability websites

Rails 3 overview

Ajax Performance Tuning and Best Practices

Capture, record, clip, embed and play, search: video from newbie to ninja

Summit2014 topic 0066 - 10 enhancements that require 10 lines of code

AmazonS3 & Rails

CCI2018 - Automatizzare la creazione di risorse con ARM template e PowerShell

UKOUG 2011 - Drag, Drop and other Stuff. Using your Database as a File Server

Moving a Windows environment to the cloud - DevOps Galway Meetup

BP-6 Repository Customization Best Practices

Applications secure by default

The top 10 security issues in web applications

Resource Registries: Plone Conference 2014

Php frameworks

HTML5 New and Improved

[Coscup 2012] JavascriptMVC

Dernier

The presentation explores the development and application of artificial intelligence (AI) from its inception to its current status in the modern world. The term "artificial intelligence" was first coined by John McCarthy in 1956 to describe efforts to develop computer programs capable of performing tasks that typically require human intelligence. This concept was first introduced at a conference held at Dartmouth College, where programs demonstrated capabilities such as playing chess, proving theorems, and interpreting texts. In the early stages, Alan Turing contributed to the field by defining intelligence as the ability of a being to respond to certain questions intelligently, proposing what is now known as the Turing Test to evaluate the presence of intelligent behavior in machines. As the decades progressed, AI evolved significantly. The 1980s focused on machine learning, teaching computers to learn from data, leading to the development of models that could improve their performance based on their experiences. The 1990s and 2000s saw further advances in algorithms and computational power, which allowed for more sophisticated data analysis techniques, including data mining. By the 2010s, the proliferation of big data and the refinement of deep learning techniques enabled AI to become mainstream. Notable milestones included the success of Google's AlphaGo and advancements in autonomous vehicles by companies like Tesla and Waymo. A major theme of the presentation is the application of generative AI, which has been used for tasks such as natural language text generation, translation, and question answering. Generative AI uses large datasets to train models that can then produce new, coherent pieces of text or other media. The presentation also discusses the ethical implications and the need for regulation in AI, highlighting issues such as privacy, bias, and the potential for misuse. These concerns have prompted calls for comprehensive regulations to ensure the safe and equitable use of AI technologies. Artificial intelligence has also played a significant role in healthcare, particularly highlighted during the COVID-19 pandemic, where it was used in drug discovery, vaccine development, and analyzing the spread of the virus. The capabilities of AI in healthcare are vast, ranging from medical diagnostics to personalized medicine, demonstrating the technology's potential to revolutionize fields beyond just technical or consumer applications. In conclusion, AI continues to be a rapidly evolving field with significant implications for various aspects of society. The development from theoretical concepts to real-world applications illustrates both the potential benefits and the challenges that come with integrating advanced technologies into everyday life. The ongoing discussion about AI ethics and regulation underscores the importance of managing these technologies responsibly to maximize their their benefits while minimizing potential harms.

Artificial Intelligence: Facts and Myths

Joaquim Jorge

Building Digital Trust in a Digital Economy Veronica Tan, Director - Cyber Security Agency of Singapore Apidays Singapore 2024: Connecting Customers, Business and Technology (April 17 & 18, 2024) ------ Check out our conferences at https://www.apidays.global/ Do you want to sponsor or talk at one of our conferences? https://apidays.typeform.com/to/ILJeAaV8 Learn more on APIscene, the global media made by the community for the community: https://www.apiscene.io Explore the API ecosystem with the API Landscape: https://apilandscape.apiscene.io/

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

apidays

🐬 The future of MySQL is Postgres 🐘

RTylerCroy

MySQL Webinar, presented on the 25th of April, 2024. Summary: MySQL solutions enable the deployment of diverse Database Architectures tailored to specific needs, including High Availability, Disaster Recovery, and Read Scale-Out. With MySQL Shell's AdminAPI, administrators can seamlessly set up, manage, and monitor these solutions, ensuring efficiency and ease of use in their administration. MySQL Router, on the other hand, provides transparent routing from the application traffic to the backend servers in the architectures, requiring minimal configuration. Completely built in-house and supported by Oracle, these solutions have been adopted by enterprises of all sizes for their business-critical applications. In this presentation, we'll delve into various database architecture solutions to help you choose the right one based on your business requirements. Focusing on technical details and the latest features to maximize the potential of these solutions.

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Miguel Araújo

This presentations targets students or working professionals. You may know Google for search, YouTube, Android, Chrome, and Gmail, but did you know Google has many developer tools, platforms & APIs? This comprehensive yet still high-level overview outlines the most impactful tools for where to run your code, store & analyze your data. It will also inspire you as to what's possible. This talk is 50 minutes in length.

Powerful Google developer tools for immediate impact! (2023-24 C)

wesley chun

How to Troubleshoot Apps for the Modern Connected Worker

ThousandEyes

Abhishek Deb(1), Mr Abdul Kalam(2) M. Des (UX) , School of Design, DIT University , Dehradun. This paper explores the future potential of AI-enabled smartphone processors, aiming to investigate the advancements, capabilities, and implications of integrating artificial intelligence (AI) into smartphone technology. The research study goals consist of evaluating the development of AI in mobile phone processors, analyzing the existing state as well as abilities of AI-enabled cpus determining future patterns as well as chances together with reviewing obstacles as well as factors to consider for more growth.

Exploring the Future Potential of AI-Enabled Smartphone Processors

debabhi2

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

Edi Saputra

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Product Anonymous

Three things you will take away from the session: • How to run an effective tenant-to-tenant migration • Best practices for before, during, and after migration • Tips for using migration as a springboard to prepare for Copilot in Microsoft 365 Main ideas: Migration Overview: The presentation covers the current reality of cross-tenant migrations, the triggers, phases, best practices, and benefits of a successful tenant migration Considerations: When considering a migration, it is important to consider the migration scope, performance, customization, flexibility, user-friendly interface, automation, monitoring, support, training, scalability, data integrity, data security, cost, and licensing structure Next Wave: The next wave of change includes the launch of Copilot, which requires businesses to be prepared for upcoming changes related to Copilot and the cloud, and to consolidate data and tighten governance ShareGate: ShareGate can help with pre-migration analysis, configurable migration tool, and automated, end-user driven collaborative governance

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

sammart93

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

The Digital Insurer

This presentation explores the impact of HTML injection attacks on web applications, detailing how attackers exploit vulnerabilities to inject malicious code into web pages. Learn about the potential consequences of such attacks and discover effective mitigation strategies to protect your web applications from HTML injection vulnerabilities. for more information visit https://bostoninstituteofanalytics.org/category/cyber-security-ethical-hacking/

HTML Injection Attacks: Impact and Mitigation Strategies

Boston Institute of Analytics

With more memory available, system performance of three Dell devices increased, which can translate to a better user experience Conclusion When your system has plenty of RAM to meet your needs, you can efficiently access the applications and data you need to finish projects and to-do lists without sacrificing time and focus. Our test results show that with more memory available, three Dell PCs delivered better performance and took less time to complete the Procyon Office Productivity benchmark. These advantages translate to users being able to complete workflows more quickly and multitask more easily. Whether you need the mobility of the Latitude 5440, the creative capabilities of the Precision 3470, or the high performance of the OptiPlex Tower Plus 7010, configuring your system with more RAM can help keep processes running smoothly, enabling you to do more without compromising performance.

Boost PC performance: How more available memory can improve productivity

Principled Technologies

A Principled Technologies deployment guide Conclusion Deploying VMware Cloud Foundation 5.1 on next gen Dell PowerEdge servers brings together critical virtualization capabilities and high-performing hardware infrastructure. Relying on our hands-on experience, this deployment guide offers a comprehensive roadmap that can guide your organization through the seamless integration of advanced VMware cloud solutions with the performance and reliability of Dell PowerEdge servers. In addition to the deployment efficiency, the Cloud Foundation 5.1 and PowerEdge solution delivered strong performance while running a MySQL database workload. By leveraging VMware Cloud Foundation 5.1 and PowerEdge servers, you could help your organization embrace cloud computing with confidence, potentially unlocking a new level of agility, scalability, and efficiency in your data center operations.

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

Principled Technologies

💉💊+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHABI}}+971581248768 +971581248768 Mtp-Kit (500MG) Prices » Dubai [(+971581248768**)] Abortion Pills For Sale In Dubai, UAE, Mifepristone and Misoprostol Tablets Available In Dubai, UAE CONTACT DR.Maya Whatsapp +971581248768 We Have Abortion Pills / Cytotec Tablets /Mifegest Kit Available in Dubai, Sharjah, Abudhabi, Ajman, Alain, Fujairah, Ras Al Khaimah, Umm Al Quwain, UAE, Buy cytotec in Dubai +971581248768''''Abortion Pills near me DUBAI | ABU DHABI|UAE. Price of Misoprostol, Cytotec” +971581248768' Dr.DEEM ''BUY ABORTION PILLS MIFEGEST KIT, MISOPROTONE, CYTOTEC PILLS IN DUBAI, ABU DHABI,UAE'' Contact me now via What's App…… abortion Pills Cytotec also available Oman Qatar Doha Saudi Arabia Bahrain Above all, Cytotec Abortion Pills are Available In Dubai / UAE, you will be very happy to do abortion in Dubai we are providing cytotec 200mg abortion pill in Dubai, UAE. Medication abortion offers an alternative to Surgical Abortion for women in the early weeks of pregnancy. We only offer abortion pills from 1 week-6 Months. We then advise you to use surgery if its beyond 6 months. Our Abu Dhabi, Ajman, Al Ain, Dubai, Fujairah, Ras Al Khaimah (RAK), Sharjah, Umm Al Quwain (UAQ) United Arab Emirates Abortion Clinic provides the safest and most advanced techniques for providing non-surgical, medical and surgical abortion methods for early through late second trimester, including the Abortion By Pill Procedure (RU 486, Mifeprex, Mifepristone, early options French Abortion Pill), Tamoxifen, Methotrexate and Cytotec (Misoprostol). The Abu Dhabi, United Arab Emirates Abortion Clinic performs Same Day Abortion Procedure using medications that are taken on the first day of the office visit and will cause the abortion to occur generally within 4 to 6 hours (as early as 30 minutes) for patients who are 3 to 12 weeks pregnant. When Mifepristone and Misoprostol are used, 50% of patients complete in 4 to 6 hours; 75% to 80% in 12 hours; and 90% in 24 hours. We use a regimen that allows for completion without the need for surgery 99% of the time. All advanced second trimester and late term pregnancies at our Tampa clinic (17 to 24 weeks or greater) can be completed within 24 hours or less 99% of the time without the need surgery. The procedure is completed with minimal to no complications. Our Women's Health Center located in Abu Dhabi, United Arab Emirates, uses the latest medications for medical abortions (RU-486, Mifeprex, Mifegyne, Mifepristone, early options French abortion pill), Methotrexate and Cytotec (Misoprostol). The safety standards of our Abu Dhabi, United Arab Emirates Abortion Doctors remain unparalleled. They consistently maintain the lowest complication rates throughout the nation. Our Physicians and staff are always available to answer questions and care for women in one of the most difficult times in their lives. The decision to have an abortion at the Abortion Cl

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@

Discord is a free app offering voice, video, and text chat functionalities, primarily catering to the gaming community. It serves as a hub for users to create and join servers tailored to their interests. Discord’s ecosystem comprises servers, each functioning as a distinct online community with its own channels dedicated to specific topics or activities. Users can engage in text-based discussions, voice calls, or video chats within these channels. Understanding Discord Servers Discord servers are virtual spaces where users congregate to interact, share content, and build communities. Servers may revolve around gaming, hobbies, interests, or fandoms, providing a platform for like-minded individuals to connect. Communication Features Discord offers a range of communication tools, including text channels for messaging, voice channels for real-time audio conversations, and video channels for face-to-face interactions. These features facilitate seamless communication and collaboration. What Does NSFW Mean? The acronym NSFW stands for “Not Safe For Work,” indicating content that may be inappropriate for professional or public settings. NSFW Content NSFW content encompasses material that is sexually explicit, violent, or otherwise graphic in nature. It often includes nudity, profanity, or depictions of sensitive topics.

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

UK Journal

Data Cloud, More than a CDP by Matt Robison

Anna Loughnan Colquhoun

Increase engagement and revenue with Muvi Live Paywall! In this presentation, we will explore the five key benefits of using Muvi Live Paywall to monetize your live streams. You'll learn how Muvi Live Paywall can help you: Monetize your live content easily: Set up pay-per-view access to your live streams and start generating revenue from your content. Increase audience engagement: Provide exclusive, premium content behind the paywall to keep your viewers engaged. Gain valuable viewer insights: Track viewer data and analytics to better understand your audience and tailor your content accordingly. Reduce content piracy: Muvi Live Paywall's security features help protect your content from unauthorized distribution. Streamline your workflow: The all-in-one platform simplifies the process of managing and monetizing your live streams. With Muvi Live Paywall, you can take control of your live stream monetization and create a sustainable business model for your content. Learn more about Muvi Live Paywall and start generating revenue from your live streams today!

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Roshan Dwivedi

Join our latest Connector Corner webinar to discover how UiPath Integration Service revolutionizes API-centric automation in a 'Quote to Cash' process—and how that automation empowers businesses to accelerate revenue generation. A comprehensive demo will explore connecting systems, GenAI, and people, through powerful pre-built connectors designed to speed process cycle times. Speakers: James Dickson, Senior Software Engineer Charlie Greenberg, Host, Product Marketing Manager

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

DianaGray10

Partners Life - Insurer Innovation Award 2024

The Digital Insurer

Dernier (20)

Artificial Intelligence: Facts and Myths

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...

🐬 The future of MySQL is Postgres 🐘

Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...

Powerful Google developer tools for immediate impact! (2023-24 C)

How to Troubleshoot Apps for the Modern Connected Worker

Exploring the Future Potential of AI-Enabled Smartphone Processors

Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving

ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke

Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff

Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024

HTML Injection Attacks: Impact and Mitigation Strategies

Boost PC performance: How more available memory can improve productivity

Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...

+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...

Understanding Discord NSFW Servers A Guide for Responsible Users.pdf

Data Cloud, More than a CDP by Matt Robison

Top 5 Benefits OF Using Muvi Live Paywall For Live Streams

Connector Corner: Accelerate revenue generation using UiPath API-centric busi...

Partners Life - Insurer Innovation Award 2024

Seguranca em APP Rails

1. Daniel Lopes @danielvlopes

2. SEGURANÇA & RAILS

3. http://objetiva.co/

5. voltando . . .

6. Segurança

9. é ... lv o O a App 75% Host 25% Instituto Gartner

10. WEB APP

11.

12.

13. XSS SQL INJECTION CSRF Session Mass Assign Parâmetros Arquivos Logs

14. Cobaia

15.

16. Mass Assignment

17. LIVE CODING

18. SQL INJECTION

19. LIVE CODING

20. XSS Cross Site Scripting

21. LIVE CODING

22. CSRF Cross s. ref. forgery

23. LIVE CODING

24. Files (download / upload)

25. class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :styles => { :medium => "300x300#", :thumb => "50x50#" } validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document default_scope :order => "created_at DESC" end

26. class Asset < ActiveRecord::Base validates_presence_of :title has_attached_file :document, :path => ":rails_root/uploads/:attachment/:id/:style/:style.:extension", :styles => { :medium => "300x300#", :thumb => "50x50#" } has_attached_file :document, , :whiny => false validates_attachment_size :document, :less_than => 5.megabyte validates_attachment_presence :document validates_attachment_content_type :document, :content_type => %w(image/jpeg image/pjpeg image/gif image/png) default_scope :order => "created_at DESC" end

27. send_file('/var/www/uploads/' + params[:filename]) ../../../etc/passwd

28. BRUTE FORCE

29. Devise Devise.setup do |config| config.mailer_sender = "please-change-me@config-initializers-devise.com" require 'devise/orm/active_record' config.encryptor = :bcrypt config.pepper = "e3b0100c8c0ef8a7f09f104de3d2827f..." config.timeout_in = 10.minutes config.lock_strategy = :failed_attempts config.maximum_attempts = 20 config.unlock_strategy = :both # email and time config.unlock_in = 1.hour end

30. Spams Log Filtering Parâmetros

31. Spam gem 'reverse_captcha' class Comment < ActiveRecord::Base captcha :nickname end <%= form_for @comment do |f| %> ... <%= f.captcha %> <% end %> gem 'recaptcha' gem 'captcha'

32. Log Filter require File.expand_path('../boot', __FILE__) require 'rails/all' Bundler.require(:default, Rails.env) if defined?(Bundler) module Producer class Application < Rails::Application config.autoload_paths += %W(#{config.root}/app/sweepers) config.i18n.default_locale = "pt-BR" config.encoding = "utf-8" config.filter_parameters += [:password, :credit_card, :cnpj, :cpf] ... end end

33. Parâmetros @project = Project.find(params[:id]) @project = current_user.projects.find(params[:id])

34. ☐ Mass Assign. ☐ Brute Force ☐ Parâmetros ☐ Spams ☐ SQL Inject. ☐ Log ☐ XSS ☐ Session ☐ CSRF ☐ File System

35. ☑ Mass Assign. ☑ Brute Force ☑ Parâmetros ☑ Spams ☑ SQL Inject. ☑ Log ☑ XSS ☑ CSRF ☑ File System

36.

37. • SSL • Criptografia • Automated Protection • Pen. Testing • Mantenha-se Atualizado

38. Contatos @danielvlopes daniel@objetiva.co www.objetiva.co Cursos www.egenial.pro/cursos

39. slides: http://objetiva.co/publications

Seguranca em APP Rails

Recommandé

Recommandé

Contenu connexe

Tendances

Tendances (20)

En vedette

En vedette (8)

Similaire à Seguranca em APP Rails

Similaire à Seguranca em APP Rails (20)

Dernier

Dernier (20)

Seguranca em APP Rails