DjangoMeetup Buenos Aires - Django Security Quick wins

andresriancho
September 09, 2014


Transcript

  1. Django Security quick wins. Andrés Riancho, Django Meetup Buenos Aires

  2. Quick wins disclaimer
    It is not everything I can do. In some cases it is not the best I can do. But it is better than nothing!
  3. Beyond settings.py
    Today, Django settings.py: SESSION_COOKIE_SECURE, CSRF_COOKIE_SECURE, ALLOWED_HOSTS, X_FRAME_OPTIONS, SECRET_KEY, django-secure
    Some near future: django-axes, Cross-Site Scripting, SQL injection
  5. SESSION_COOKIE_SECURE
    Default: False. Whether to use a secure cookie for the session cookie. If this is set to True, the cookie will be marked as "secure," which means browsers may ensure that the cookie is only sent under an HTTPS connection.
    Only makes sense for sites with HTTPS!
  6. CSRF_COOKIE_SECURE
    Default: False. Whether to use a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as "secure," which means browsers may ensure that the cookie is only sent under an HTTPS connection.
    Only makes sense for sites with HTTPS!
  7. SESSION_COOKIE_HTTPONLY
    Default: True. Whether to use the HTTPOnly flag on the session cookie. If this is set to True, client-side JavaScript will not be able to access the session cookie.
    The default is secure; verify your application. Understand and document why it is necessary to have it set to False.
  8. ALLOWED_HOSTS
    Default: []. A list of strings representing the host/domain names that this Django site can serve. This is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header.
    Warning! '*' in your ALLOWED_HOSTS?
  9. X_FRAME_OPTIONS
    Default: 'SAMEORIGIN'
    Warning! The default is generally what you expect security-wise. Do you have a different value? Why?
  11. SECRET_KEY
    Default: '' (Empty string). A secret key for a particular Django installation. This is used to provide cryptographic signing, and should be set to a unique, unpredictable value.
    django-admin.py startproject automatically adds a randomly-generated SECRET_KEY to each new project.
  12. Remote code execution!
    Expected use:
    >>> import cPickle
    >>> cPickle.dumps(('a', 1))
    "(S'a'\nI1\ntp1\n."
    >>> cPickle.loads("(S'a'\nI1\ntp1\n.")
    ('a', 1)
    The vulnerability is here (the pickle stream names os.system and calls it, instead of building a tuple):
    >>> cPickle.loads("cos\nsystem\n(S'ls'\ntR.")
    foo bar spam eggs
    >>>
  13. SECRET_KEY attack: random GitHub projects, ALLOWED_HOSTS

  14. SECRET_KEY is known by devs!

  15. django-secure

  16. django-secure in 1 slide
    HTTP Strict Transport Security, SSL Redirect, X-Content-Type-Options: nosniff, X-XSS-Protection: 1; mode=block
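Added example, not from the talk: a small audit of the settings covered in slides 5 to 11 together with the django-secure headers from slide 16, run over a settings module loaded as a plain dict. The SECURE_* names are django-secure's setting names for those headers (from its documentation, not from the slides), and both sample settings dicts are constructed.

```python
from typing import Any, Dict, List

# django-secure settings (later Django's SecurityMiddleware); the default of each
# is the "header not sent" state. Names assumed from django-secure's docs.
SECURE_DEFAULTS = {
    "SECURE_HSTS_SECONDS": 0,              # HTTP Strict Transport Security
    "SECURE_SSL_REDIRECT": False,          # SSL redirect
    "SECURE_CONTENT_TYPE_NOSNIFF": False,  # X-Content-Type-Options: nosniff
    "SECURE_BROWSER_XSS_FILTER": False,    # X-XSS-Protection: 1; mode=block
}

def audit_settings(s: Dict[str, Any], https: bool = True) -> List[str]:
    """Return one finding per weak setting; an empty list means every quick win passes.
    Missing keys are read as Django's documented defaults, so an untouched
    settings.py is judged the same way as a deliberately weakened one."""
    findings: List[str] = []
    key = s.get("SECRET_KEY", "")
    if not key:
        findings.append("SECRET_KEY: empty (the documented default); signing is worthless")
    elif len(key) < 50:
        findings.append("SECRET_KEY: shorter than the 50 random chars startproject generates")
    hosts = s.get("ALLOWED_HOSTS", [])
    if "*" in hosts:
        findings.append("ALLOWED_HOSTS: '*' trusts any Host header (cache/password-reset poisoning)")
    elif not hosts:
        findings.append("ALLOWED_HOSTS: empty; list the host names this site really serves")
    if https:
        for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
            if not s.get(name, False):  # documented default: False
                findings.append("%s: False on an HTTPS site; cookie also travels over HTTP" % name)
    if not s.get("SESSION_COOKIE_HTTPONLY", True):  # documented default: True
        findings.append("SESSION_COOKIE_HTTPONLY: False; document why JavaScript needs the cookie")
    if s.get("X_FRAME_OPTIONS", "SAMEORIGIN") not in ("SAMEORIGIN", "DENY"):
        findings.append("X_FRAME_OPTIONS: %r is neither SAMEORIGIN nor DENY; why?" % s["X_FRAME_OPTIONS"])
    if https:
        for name, default in SECURE_DEFAULTS.items():
            if s.get(name, default) == default:
                findings.append("%s: still the default, so the header is not sent" % name)
    return findings

# Constructed sample: a project that never moved past a placeholder settings.py.
INSECURE = {"SECRET_KEY": "changeme", "ALLOWED_HOSTS": ["*"], "SESSION_COOKIE_HTTPONLY": False}
# Constructed sample: the same project after applying the quick wins.
HARDENED = {
    "SECRET_KEY": "k" * 50, "ALLOWED_HOSTS": ["www.example.com"],
    "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True, "X_FRAME_OPTIONS": "DENY",
    "SECURE_HSTS_SECONDS": 31536000, "SECURE_SSL_REDIRECT": True,
    "SECURE_CONTENT_TYPE_NOSNIFF": True, "SECURE_BROWSER_XSS_FILTER": True,
}
```

Calling audit_settings(INSECURE) lists nine findings and audit_settings(HARDENED) none; pass https=False for a plain-HTTP deployment, where the cookie and django-secure checks do not apply.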
  18. Contact: /me @w3af, andres@tagcube.io, https://www.tagcube.io/