Here are some highlights of my contributions, a kind of digest.
I did some basic stuff — every newcomer starts with it :P
tried to convince people to fix CSRF, showcasing shitloads of CSRF-vulnerable sites
content type verification for JSON input
then spent a while on Rails security:
shameful but effective whitelist by default for mass assignment
getting rid of CSRF-vulnerable 'match' from routes.rb
added default_headers (X-Frame-Options etc) to make Rails apps secure from clickjacking by default
escape_html_entities for JSON.dump
sending nil using XML/JSON params parsers
some whining and XSS showcases on ^$ regexps (no success here)
my presentation with common cases in Moscow
and just plain posts on the future of Rails security 1,2.
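The ^$ regexp point above is worth a concrete illustration. The following is an added example, not code from the original post: in Ruby, ^ and $ always match at line boundaries, so a "whole string" validator written with them accepts any multi-line value that has one matching line. The validator names, the URL format and the payload are constructed for the example.

```ruby
# Added example (not from the original post): why ^ and $ are unsafe anchors
# for input validation in Ruby, and what to use instead.
#
# In Ruby, ^ and $ match at LINE boundaries (like /m in most other engines),
# so a regexp meant to validate "the whole string" with ^...$ is satisfied
# by ANY line of a multi-line value.

# Naive validator: intended to allow only http(s) URLs, e.g. for a
# user-supplied homepage that is later rendered into <a href="...">.
URL_FORMAT_WEAK   = /^https?:\/\/[^\s]+$/

# Hardened validator: \A and \z anchor to the start and the very end of the
# string (\z rather than \Z, so a trailing newline is rejected as well).
URL_FORMAT_STRICT = /\Ahttps?:\/\/[^\s]+\z/

def valid_url_weak?(s)
  URL_FORMAT_WEAK.match?(s)
end

def valid_url_strict?(s)
  URL_FORMAT_STRICT.match?(s)
end

# The sink: a template that interpolates the "validated" value into an href.
# HTML escaping does not help here, because "javascript:" contains no
# characters that need escaping.
def render_link(url)
  %(<a href="#{url}">home</a>)
end

# Constructed inputs (hypothetical, not from the post).
BENIGN  = "https://example.com/"
# Line 1 is the XSS payload; line 2 is what satisfies the ^...$ check.
# In a javascript: URL the second line parses as the label "https:" followed
# by the comment "//example.com/", so the alert still runs in the browser.
PAYLOAD = "javascript:alert(document.cookie)\nhttps://example.com/"

# Returns which validators accept a value and what the template would emit.
def check(url)
  {
    weak:   valid_url_weak?(url),
    strict: valid_url_strict?(url),
    html:   render_link(url)
  }
end

if __FILE__ == $0
  [BENIGN, PAYLOAD].each do |u|
    r = check(u)
    puts "weak=#{r[:weak]} strict=#{r[:strict]} #{r[:html].inspect}"
  end
end
```

The same anchoring bug applies to any format validation, not only URLs: a Rails `validates :homepage, format: { with: /^https?:\/\// }` is bypassable in exactly this way, and Rails later started warning about ^ and $ in format validators for that reason.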
played with OAuth:
hijacking account, another hijacking, some other vulns and final post — OAuth1, OAuth2, OAuth...?
disclosure of URL and HASH (quite slow, but a race-condition standard is a vulnerability anyway)
theoretical posts on how to make Web perfect
rethinking cookies: Origin Only
Pagebox - XSS sandbox
Last year was not so bad, next should be more productive.
I am going to focus on defensive security (pagebox), Ruby security gems (for rack based apps), authorization techniques (OAuth is getting more popular != better) and financial security.
Also there is not much to do with Rails - it's well secured now! Thus I am choosing a new framework, likely nodejs or lift.