Synopsis

This is the synopsis of the entire course. We will see what will be covered and take a short look at each topic so that you know what you are going to learn. Let's get started.

  1. Introduction

    1. What is Ruby? What is Rails? - Understand what exactly the Ruby language is and how powerful it is compared to other languages. And what is Rails and
    2. Why Ruby on Rails? - Why the majority of the developer base is shifting to Ruby on Rails applications. What are the advantages of using Ruby on Rails as our preferred way of running web applications, and what are its disadvantages?
    3. About this course - A short video on how the videos in this course are structured and some other information pertaining to this course.
  2. Injections in Rails

    1. SQL Injection
    2. Cross site Scripting
    3. Header Injection
    4. Command, CSS and AJAX Injection

    For all of these injections, we will see what they are and how to find them, followed by a live demo of SQL injection and XSS, a POC of header injection and a demo of command injection. Then we will look at how to avoid these injections in Rails and, in general, how to protect applications against the above types of injections.

  3. CSRF & Clickjacking in Rails - 60. Rem → 115 min.

    1. What is CSRF - We will see what CSRF (Cross Site Request Forgery) is, an example of a CSRF attack and a live demo of CSRF.
    2. CSRF in Rails - A deep dive into how CSRF protection is enabled in Rails and how Rails implements its own CSRF protection mechanism.
    3. Countermeasures - How CSRF is delivered, what CSRF tokens are, same-site cookies and the Rails 4 updates.
    4. What is Clickjacking - Here we will see what clickjacking is and a live demo of how clickjacking works.
    5. Clickjacking in Rails & Countermeasures - We will see how exactly we can prevent clickjacking in Rails, followed by several countermeasures which can be deployed to secure against clickjacking attacks.
  4. Default Headers + CSP - 15. Rem → 100

    1. What are headers? - What headers exactly are and the different types of headers, such as general, request, response and entity headers.
    2. Default headers Rails generates - We will look at the default headers that Rails generates, along with a list of common headers and what they mean, so that you are well versed in headers.
    3. CSPs - We will see what content security policies are, how to enable them, and an example of how to set your CSP right in Rails.
  5. Rate limiting using rack attack - 60. Rem → 40.

    1. What is rate limiting - What rate limiting means, what it is used for, what it protects us from and how exactly it protects us, some real-life examples of rate limiting concepts and the different types of rate limiting.
    2. Rate limiting tactics and strategies - Tactics to deploy efficient rate limiters in your applications and how to avoid common pitfalls such as users finding themselves locked out of their accounts. We will also look at API rate limiting and cookie-based rate limiting.
    3. Safelisting and blacklisting - We will put on our nerd glasses and take a look into the rack-attack gem, which is the gem we will be using to implement rate limiting. We will see the safelist and blacklist options and a live demo of each, with use cases to blacklist localhost and safelist localhost, and learn about precedence too.
    4. Tracking and throttling - Here we will learn the tracking and throttling options of rack-attack, followed by a demo of each option to track and throttle requests both for paths that are in routes.rb and for those that aren't.
    5. Advanced concepts of rate limiting using rack-attack - Here we will cover certain advanced concepts in rate limiting using rack-attack, such as sending mail notifications, limiting mail notifications using Redis, custom throttle responses and controlling rate limiter variables using environment variables, along with the respective demos.
    6. Combining it all together - Here we will combine all that we have learned about rate limiting, build our own functional rate limiter and see a demo of it, along with graphing and dashboard analytics using Kibana.
  6. Filters & Testing applications using Brakeman - 40

    1. File uploads - Basics - What file uploads are and how to handle them sensibly: filtering file names, synchronous vs asynchronous file uploads, handling file downloads using the send_file method and approaches to storing file names securely.
    2. Scanning files for viruses using ClamAV - Here we will go over a script which uses the open source antivirus ClamAV to scan a folder full of files and check whether there are viruses; if there are, it can send an email. This can be used to scan user uploads first and only then accept them.
    3. Image filter - blocking images - We will see how to build an image filter for the images users upload to the application, such as profile pictures, and look at the security vulnerabilities it mitigates, such as LFI, RFI and code execution via file upload, as well as file size validation and dimension validation.
    4. Image filter - blocking based on content type - Extending the image filter to filter on content type, so that we allow only certain image file types and block others such as SVGs.
    5. Image filter - fixing metadata leak - Extending the image filter to remove the metadata from images before storing them on our server, ensuring no sensitive information is leaked.
    6. Why and how to test using Brakeman - We will look at what SAST is, what Brakeman is, why we should be testing applications before deploying them and what benefits that brings us.
    7. Analyzing the results of a Brakeman report - Here we will analyze a sample Brakeman report, see how to go about analyzing Brakeman reports, and learn a procedure to follow when starting a Brakeman analysis of any application built using Rails.
  7. Wind up - 5

    1. What's covered so far. What you should learn next - We will summarize what we have covered so far and what you should focus on next in your journey into infosec. I will share some useful guiding tips on where to go next, some commonly made mistakes and how you can avoid them.
    2. Goodbye! - Formal goodbyes and contact sharing 💫