DjangoMeetup Buenos Aires - Django Security Quick wins

andresriancho

September 09, 2014

Transcript

  1. Quick wins disclaimer
     This is not everything I can do.
     In some cases it is not the best I can do.
     But it is better than nothing!
  2. Beyond settings.py
     Today: Django settings.py (SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, ALLOWED_HOSTS, X_FRAME_OPTIONS, SECRET_KEY) and django-secure.
     Some time in the near future: django-axes, Cross-Site Scripting, SQL injection.
  3. SESSION_COOKIE_SECURE
     Default: False. Whether to use a secure cookie for the session cookie. If this is set to True, the cookie will be marked as “secure,” which means browsers may ensure that the cookie is only sent under an HTTPS connection.
     Only makes sense for sites served over HTTPS!
  4. CSRF_COOKIE_SECURE
     Default: False. Whether to use a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as “secure,” which means browsers may ensure that the cookie is only sent under an HTTPS connection.
     Only makes sense for sites served over HTTPS!
  5. SESSION_COOKIE_HTTPONLY
     Default: True. Whether to use the HttpOnly flag on the session cookie. If this is set to True, client-side JavaScript will not be able to access the session cookie.
     The default is secure; check your application. Understand and document why it needs to be False.
  6. ALLOWED_HOSTS
     Default: []. A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header.
     Warning! Is '*' in your ALLOWED_HOSTS?
  7. X_FRAME_OPTIONS
     Default: 'SAMEORIGIN'
     Warning! The default is generally what you want security-wise. Do you have a different value? Why?
  8. SECRET_KEY
     Default: '' (Empty string). A secret key for a particular Django installation. This is used to provide cryptographic signing, and should be set to a unique, unpredictable value.
     django-admin.py startproject automatically adds a randomly-generated SECRET_KEY to each new project.
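Slides 3 to 8 are each a single settings.py value with a known-bad state. The following script is an added example (not part of the talk and not Django's own code) that turns those six checks into one audit you can run against a settings object. It assumes an object exposing the settings as attributes (django.conf.settings qualifies, as does a plain SimpleNamespace); the 50-character SECRET_KEY threshold matches what startproject generates, and the "too repetitive" heuristic and the sample GOOD/BAD configurations are constructed for the example.

```python
from types import SimpleNamespace

# Django's documented defaults for the settings covered in the talk.
DJANGO_DEFAULTS = {
    "SESSION_COOKIE_SECURE": False,
    "CSRF_COOKIE_SECURE": False,
    "SESSION_COOKIE_HTTPONLY": True,
    "ALLOWED_HOSTS": [],
    "X_FRAME_OPTIONS": "SAMEORIGIN",
    "SECRET_KEY": "",
}
# django-admin startproject generates a 50-character SECRET_KEY; anything shorter
# is flagged (a heuristic chosen for this example, not a Django rule).
MIN_SECRET_KEY_LENGTH = 50


def audit_settings(settings, served_over_https=True):
    """Return [(setting_name, problem), ...]; an empty list means every quick win passes.

    Attributes missing from `settings` fall back to Django's defaults above, so a
    project that never touched a setting is judged on what Django will actually use.
    """
    def value(name):
        return getattr(settings, name, DJANGO_DEFAULTS[name])

    findings = []

    # Slides 3 and 4: the Secure flag only matters on HTTPS sites, but there it is a must.
    if served_over_https:
        for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
            if not value(name):
                findings.append((name, "False on an HTTPS site: the cookie is also sent over plain HTTP"))

    # Slide 5: the default is already safe; flag anyone who turned it off.
    if not value("SESSION_COOKIE_HTTPONLY"):
        findings.append(("SESSION_COOKIE_HTTPONLY", "False: session cookie readable from JavaScript; document why"))

    # Slide 6: '*' disables Host header validation; an empty list (DEBUG=False) rejects every request.
    hosts = list(value("ALLOWED_HOSTS"))
    if "*" in hosts:
        findings.append(("ALLOWED_HOSTS", "'*' accepts any Host header, defeating the check"))
    elif not hosts:
        findings.append(("ALLOWED_HOSTS", "empty: with DEBUG=False every request is answered with HTTP 400"))

    # Slide 7: anything other than the two values browsers understand is a red flag.
    xfo = value("X_FRAME_OPTIONS")
    if xfo not in ("DENY", "SAMEORIGIN"):
        findings.append(("X_FRAME_OPTIONS", "unexpected value %r; DENY or SAMEORIGIN expected" % (xfo,)))

    # Slide 8: an empty or weak key makes every signed value (sessions, password reset links) forgeable.
    key = value("SECRET_KEY")
    if not key:
        findings.append(("SECRET_KEY", "empty: cryptographic signing is effectively disabled"))
    elif len(key) < MIN_SECRET_KEY_LENGTH or len(set(key)) < 5:
        findings.append(("SECRET_KEY", "too short or too repetitive to be unpredictable"))

    return findings


# Constructed sample configurations (not a real project's settings).
GOOD = SimpleNamespace(
    SESSION_COOKIE_SECURE=True, CSRF_COOKIE_SECURE=True, SESSION_COOKIE_HTTPONLY=True,
    ALLOWED_HOSTS=["example.com", ".example.com"], X_FRAME_OPTIONS="DENY",
    SECRET_KEY="x7r!k2p9#vq4m8z1c5n0b3h6j@w2e4t7y9u1i3o5p8a0s2d4f6",  # placeholder, 50 chars
)
BAD = SimpleNamespace(  # the two *_SECURE settings are left unset on purpose: defaults apply
    SESSION_COOKIE_HTTPONLY=False, ALLOWED_HOSTS=["*"], X_FRAME_OPTIONS="ALLOWALL",
    SECRET_KEY="changeme",
)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, audit_settings(cfg) or "OK")
```

Run it inside a project with `audit_settings(django.conf.settings)`; pass `served_over_https=False` for a deployment that really has no TLS, so the two cookie flags are not reported.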
  9. Remote code execution!
     Expected use:
       >>> import cPickle
       >>> cPickle.dumps(('a', 1))
       "(S'a'\nI1\ntp1\n."
       >>> cPickle.loads("(S'a'\nI1\ntp1\n.")
       ('a', 1)
     The vulnerability is here:
       >>> cPickle.loads("cos\nsystem\n(S'ls'\ntR.")
       foo bar spam eggs
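The slide shows why a pickle must never be loaded from data an attacker can influence: the load itself runs code. This added example (my code, not the talk's) shows two defensive counterparts using the slide's own two pickles, written as bytes for Python 3: scanning a pickle for code-reaching opcodes with pickletools before loading it, and the "Restricting Globals" recipe from the Python pickle documentation, an Unpickler whose find_class refuses every module lookup so the `c` opcode in the malicious pickle can never resolve os.system. The opcode list and helper names are my own.

```python
import io
import json
import pickle
import pickletools

# The two pickles from the slide, as bytes (constructed from the talk's own strings).
BENIGN_PICKLE = b"(S'a'\nI1\ntp1\n."           # serialises the tuple ('a', 1)
MALICIOUS_PICKLE = b"cos\nsystem\n(S'ls'\ntR."  # the slide's os.system payload

# Opcodes that let a pickle reach an arbitrary callable or class; any of them means "do not load".
CODE_EXEC_OPCODES = {"GLOBAL", "STACK_GLOBAL", "INST", "OBJ", "NEWOBJ", "NEWOBJ_EX", "REDUCE", "BUILD"}


def dangerous_opcodes(data):
    """Disassemble a pickle without executing it; return the risky opcodes in order of appearance."""
    return [op.name for op, _arg, _pos in pickletools.genops(data) if op.name in CODE_EXEC_OPCODES]


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global lookup (pickle docs, 'Restricting Globals').

    Plain data (tuples, lists, dicts, strings, numbers) still loads; anything that names
    a module attribute, including os.system, is rejected before REDUCE can call it.
    """
    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_loads(data):
    """Return (True, obj) on success or (False, reason) when the pickle was rejected."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as err:
        return False, str(err)


if __name__ == "__main__":
    for label, blob in (("benign", BENIGN_PICKLE), ("malicious", MALICIOUS_PICKLE)):
        print(label, "risky opcodes:", dangerous_opcodes(blob))
        print(label, "restricted load:", try_restricted_loads(blob))
    # A format that cannot encode code at all; Django's sessions default to JSON since 1.6.
    print("json round-trip:", json.loads(json.dumps(["a", 1])))
```

The restricted unpickler also rejects legitimate class instances (an OrderedDict pickle carries a GLOBAL opcode too), which is the point: if the data is only ever plain values, JSON does the same job with no code path to protect. Django made that switch itself when SESSION_SERIALIZER defaulted to JSONSerializer in 1.6; on older versions a leaked SECRET_KEY plus pickled sessions is exactly the slide's scenario.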
  10. django-secure in 1 slide
     HTTP Strict Transport Security
     SSL Redirect
     X-Content-Type-Options: nosniff
     X-XSS-Protection: 1; mode=block
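To make the four items on the slide concrete, here is an added example (my own code, not django-secure's and not Django's) of a plain WSGI middleware that does the same things: redirect non-HTTPS requests with a 301, and add Strict-Transport-Security, X-Content-Type-Options: nosniff and X-XSS-Protection: 1; mode=block to every response without overriding headers the application already set. The one-year max-age, the `hello_app`, the `make_environ` helper and the `run` harness are constructed for the example.

```python
from urllib.parse import quote

HSTS_MAX_AGE = 31536000  # one year; a value chosen for this example


class SecurityHeadersMiddleware:
    """WSGI middleware reproducing the four django-secure behaviours on the slide."""

    def __init__(self, app, hsts_seconds=HSTS_MAX_AGE, ssl_redirect=True):
        self.app = app
        self.hsts_seconds = hsts_seconds
        self.ssl_redirect = ssl_redirect

    def __call__(self, environ, start_response):
        if self.ssl_redirect and environ.get("wsgi.url_scheme") != "https":
            # SSL redirect. The Host value must already have passed ALLOWED_HOSTS
            # validation (slide 6), otherwise this redirect can be pointed anywhere.
            host = environ.get("HTTP_HOST") or environ["SERVER_NAME"]
            path = quote(environ.get("PATH_INFO", "/"))
            query = environ.get("QUERY_STRING", "")
            location = "https://%s%s%s" % (host, path, "?" + query if query else "")
            start_response("301 Moved Permanently", [("Location", location), ("Content-Length", "0")])
            return [b""]

        def secured_start_response(status, headers, exc_info=None):
            present = {name.lower() for name, _ in headers}
            extra = [
                ("Strict-Transport-Security", "max-age=%d" % self.hsts_seconds),
                ("X-Content-Type-Options", "nosniff"),
                ("X-XSS-Protection", "1; mode=block"),
            ]
            # Keep anything the application set deliberately; only fill in what is missing.
            headers = list(headers) + [(n, v) for n, v in extra if n.lower() not in present]
            return start_response(status, headers, exc_info)

        return self.app(environ, secured_start_response)


def hello_app(environ, start_response):
    """Minimal application standing in for the Django WSGI handler."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def make_environ(scheme, path="/", query=""):
    """Constructed minimal WSGI environ (only the keys the middleware reads)."""
    return {"wsgi.url_scheme": scheme, "HTTP_HOST": "example.com",
            "SERVER_NAME": "example.com", "PATH_INFO": path, "QUERY_STRING": query}


def run(app, environ):
    """Call a WSGI app once and return (status, headers as dict, body bytes)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = dict(headers)

    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


secured = SecurityHeadersMiddleware(hello_app)

if __name__ == "__main__":
    print(run(secured, make_environ("http", "/login", "next=/")))
    print(run(secured, make_environ("https", "/")))
```

In a Django project the equivalent is django-secure's SecurityMiddleware (merged into Django itself as django.middleware.security.SecurityMiddleware in 1.8); the middleware above is only here to show what each of the four settings puts on the wire.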