
DjangoMeetup Buenos Aires - Django Security Quick wins II

andresriancho

October 24, 2014

Transcript

  1. Django Security quick wins
    Andrés Riancho
    Django Meetup Buenos Aires

  2. Quick wins disclaimer
    • This is not everything I can do
    • In some cases it is not the best I can do
    • But it is better than nothing!

  3. Beyond settings.py
    • From the OWASP Top 10
      • Cross-Site Scripting
      • SQL injection
    • Other
      • CORS
      • Secure authentication with AngularJS
      • User uploaded content

  4. Django: Secure by default

  5. Developer: Insecure by default

  6. SQL Injection 101 – PHP Example
    <?php
    $q = 'SELECT * FROM blog where id=' . $_GET['id'];
    $result = mysql_query($q);
    show_blog_entry($result);
    ?>
    • Which line contains the vulnerability?
    • Why is it vulnerable?
    • What can an attacker do with this vulnerability?

  7. No raw queries, no SQL injection
    blog = BlogEntry.objects.filter(id=request.GET.get('id'))
    show_blog(blog)
    • Vulnerable?
    • Why?

  8. Django SQL injections!
    def my_custom_sql():
        from django.db import connection, transaction
        cursor = connection.cursor()
        cursor.execute("SELECT foo FROM bar WHERE baz = '" +
                       self.baz + "'")
        row = cursor.fetchone()

    >>> for p in Person.objects.raw('SELECT * FROM myapp_person'):
    ...     print p
    John Smith
    Jane Jones

    Entry.objects.extra(select={'is_recent': "pub_date > '2006-01-01'"})
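The following is an added example, not code from the slides: the concatenated query from the slide next to its parameterized form, run against an in-memory SQLite table built inside the script. Django's `cursor.execute()` takes the parameters as a second argument with `%s` placeholders; the `sqlite3` module uses `?`, but the mechanism is the same: the driver sends the value separately from the statement. The table, rows and the tampered input are constructed for the demo.

```python
"""Added example (not from the talk): string-concatenated SQL versus a bound
parameter, against a constructed SQLite table. Django uses %s placeholders
with cursor.execute(sql, params); sqlite3 uses ?; the principle is identical."""
import sqlite3


def make_db():
    """Constructed sample data: two 'public' rows and one 'secret' row."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (id INTEGER, baz TEXT, foo TEXT)")
    conn.executemany(
        "INSERT INTO bar VALUES (?, ?, ?)",
        [(1, "public", "hello"), (2, "public", "world"), (3, "secret", "flag")],
    )
    return conn


def lookup_concat(conn, baz):
    """The shape shown on the slide: the caller's value is pasted into the SQL."""
    cursor = conn.cursor()
    cursor.execute("SELECT foo FROM bar WHERE baz = '" + baz + "'")
    return [row[0] for row in cursor.fetchall()]


def lookup_param(conn, baz):
    """Parameterized: the value can never change the statement's structure."""
    cursor = conn.cursor()
    cursor.execute("SELECT foo FROM bar WHERE baz = ?", [baz])
    return [row[0] for row in cursor.fetchall()]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input that closes the quote and widens the WHERE clause.
    tampered = "public' OR '1'='1"
    print(lookup_concat(conn, tampered))  # every row, including 'flag'
    print(lookup_param(conn, tampered))   # [] - no baz equals that literal string
```

The same rule applies to `raw()` and `extra()`: both accept a `params` argument, and a value that reaches the SQL text any other way is the concatenation case above.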

  9. Grep now!

  10. Cross-Site Scripting 101 – PHP Example
    Hola <?php
    echo $_GET['nombre'];
    ?>, bienvenido!
    • Which line contains the vulnerability?
    • Why is it vulnerable?
    • What can an attacker do with this vulnerability?

  11. Now in Django
    def a_view(request, *args, **kwargs):
        return render_to_response('template.html',
                                  {'name': request.GET.get('name')})
    • Vulnerable?
    • Why?
    Hola {{ name }}, bienvenido!

  12. Forcing XSS in Django
    It is also important to be particularly careful when using is_safe with
    custom template tags, the safe template tag, mark_safe, and when
    autoescape is turned off.
    Hola {{ name|safe }}, bienvenido!
    {% autoescape off %}
    {{ body }}
    {% endautoescape %}
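An added example, not from the slides and not Django's own code: a miniature of Django's autoescaping, just enough to show the three escape hatches the slide names (`|safe`, `mark_safe`, `autoescape off`) all doing the same thing, namely telling the renderer to trust a string. The `SafeString`, `mark_safe` and `render` names mirror Django's API but are reimplemented here; `{% autoescape off %}` is modelled as a function argument rather than parsed as a tag. The attacker-controlled value is constructed for the demo.

```python
"""Added example (not from the talk, not Django code): a toy renderer with
Django-style autoescaping so the effect of |safe, mark_safe and autoescape off
can be seen side by side."""
import html
import re


class SafeString(str):
    """A str the renderer trusts and emits without escaping (assumed name)."""


def mark_safe(value):
    """Assumed counterpart of django.utils.safestring.mark_safe."""
    return SafeString(value)


# Matches {{ name }} and {{ name|safe }} only; enough for the slide's templates.
_VAR = re.compile(r"\{\{\s*(\w+)(\|safe)?\s*\}\}")


def render(template, context, autoescape=True):
    """Substitute variables; escape each one unless something says not to."""
    def substitute(match):
        name, safe_filter = match.group(1), match.group(2)
        value = context.get(name, "")
        if not autoescape or safe_filter or isinstance(value, SafeString):
            return str(value)           # trusted: emitted verbatim
        return html.escape(str(value), quote=True)
    return _VAR.sub(substitute, template)


if __name__ == "__main__":
    # Constructed value, as request.GET.get('name') would hand it to the view.
    payload = "<script>alert(1)</script>"
    print(render("Hola {{ name }}, bienvenido!", {"name": payload}))
    print(render("Hola {{ name|safe }}, bienvenido!", {"name": payload}))
    print(render("Hola {{ name }}, bienvenido!", {"name": mark_safe(payload)}))
    print(render("{{ body }}", {"body": payload}, autoescape=False))
```

Only the first call escapes; the other three emit the markup unchanged, which is why each of those constructs deserves a look whenever the value can come from a request.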

  13. Grep now!
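Both "Grep now!" slides ask for the same thing: search the code base for the constructs the preceding slides named. The script below is an added example, not part of the talk, that does that search over source text. The patterns and the two sample files are constructed for the demo; a real run would walk the project directory and read each file. Matches are leads for review, not verdicts: `cursor.execute()` with `%s` placeholders and a params list is correct and is deliberately not flagged.

```python
"""Added example (not from the talk): a grep-style audit for the Django SQL
injection and XSS escape hatches named on the earlier slides."""
import re

# pattern -> why it deserves a look (all patterns constructed for this demo)
PATTERNS = {
    "sql": [
        (r"\.raw\(", "Manager.raw(): hand-written SQL"),
        (r"\.extra\(", "QuerySet.extra(): SQL fragments merged into the query"),
        # '+' or a '%' operator (percent followed by whitespace) inside the call;
        # '%s' placeholders with a params argument are not matched.
        (r"cursor\.execute\([^,)]*(\+|%\s)",
         "cursor.execute() built by concatenation or % formatting"),
    ],
    "xss": [
        (r"\|\s*safe\b", "|safe filter in a template"),
        (r"\bmark_safe\(", "mark_safe() in Python code"),
        (r"is_safe\s*=\s*True", "template tag registered with is_safe"),
        (r"\{%\s*autoescape\s+off\s*%\}", "autoescape turned off"),
    ],
}


def audit(files):
    """files: {path: source text}. Returns (path, lineno, category, reason, line)."""
    hits = []
    for path, source in files.items():
        for lineno, line in enumerate(source.splitlines(), start=1):
            for category, rules in PATTERNS.items():
                for pattern, reason in rules:
                    if re.search(pattern, line):
                        hits.append((path, lineno, category, reason, line.strip()))
    return hits


# Constructed sample project: one view module and one template.
SAMPLE_FILES = {
    "app/views.py": (
        "from django.db import connection\n"
        "def my_custom_sql(baz):\n"
        "    cursor = connection.cursor()\n"
        "    cursor.execute(\"SELECT foo FROM bar WHERE baz = '\" + baz + \"'\")\n"
        "    cursor.execute('SELECT foo FROM bar WHERE baz = %s', [baz])  # fine\n"
        "    return Person.objects.raw('SELECT * FROM myapp_person')\n"
    ),
    "app/templates/template.html": (
        "Hola {{ name|safe }}, bienvenido!\n"
        "{% autoescape off %}{{ body }}{% endautoescape %}\n"
    ),
}

if __name__ == "__main__":
    for path, lineno, category, reason, line in audit(SAMPLE_FILES):
        print(f"{path}:{lineno} [{category}] {reason}: {line}")
```

Run it and the two concatenated/raw queries and the two template escape hatches are listed; the parameterized `execute()` on line 5 of the sample is not. The `raw()` and `extra()` hits still need a human to check whether any request data reaches the SQL text.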

  14. CORS vs. SOP
    • CORS: Cross-Origin Resource Sharing
    • SOP: Same Origin Policy

  15. CORS: Behind the scenes

  16. [image slide]

  17. Most likely insecure if…
    • Access-Control-Allow-Origin:
      • *
      • Echo Origin from request

  18. django-cors-headers
    CORS_ORIGIN_ALLOW_ALL = False
    CORS_ORIGIN_WHITELIST = ('google.com', 'hostname.example.com')
    CORS_ALLOW_METHODS = ('GET', 'POST', 'PUT',
                          'PATCH', 'DELETE', 'OPTIONS')
    CORS_ALLOW_HEADERS = ('x-requested-with', 'content-type',
                          'accept', 'origin', 'authorization',
                          'x-csrftoken')
    CORS_PREFLIGHT_MAX_AGE = 86400
    CORS_ALLOW_CREDENTIALS = False
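An added example, not django-cors-headers' own code: the origin decision a CORS middleware makes, written out so the two "most likely insecure" response shapes from the previous slide (`*`, and echoing the request's `Origin`) can be compared with the whitelist settings above. The setting names are the slide's; the `cors_headers` function, the settings dict and the sample origins are assumptions for the demo.

```python
"""Added example (not from the talk, not the library's code): compute the
Access-Control-* response headers for a request's Origin under the slide's
settings, and show how allow-all and allow-all-with-credentials differ."""
from urllib.parse import urlparse

# The slide's settings as a plain dict so the function runs without Django.
SETTINGS = {
    "CORS_ORIGIN_ALLOW_ALL": False,
    "CORS_ORIGIN_WHITELIST": ("google.com", "hostname.example.com"),
    "CORS_ALLOW_CREDENTIALS": False,
}


def cors_headers(origin, settings):
    """Headers to add for a request carrying this Origin; {} means 'not allowed'.

    With no header the browser refuses the cross-origin read. Whitelist entries
    are hostnames, so a look-alike host that merely starts with a listed name
    does not match."""
    if origin is None:
        return {}                                   # same-origin or non-browser
    if settings["CORS_ORIGIN_ALLOW_ALL"]:
        if settings["CORS_ALLOW_CREDENTIALS"]:
            # Browsers reject '*' together with credentials, so an allow-all
            # setup that wants cookies ends up echoing the request's Origin:
            # any site can then read responses made with the user's session.
            allow_origin = origin
        else:
            allow_origin = "*"
    else:
        host = urlparse(origin).hostname
        if host not in settings["CORS_ORIGIN_WHITELIST"]:
            return {}
        allow_origin = origin                       # echo only a listed origin
    headers = {"Access-Control-Allow-Origin": allow_origin}
    if settings["CORS_ALLOW_CREDENTIALS"]:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


if __name__ == "__main__":
    # Constructed origins: one listed, one look-alike, one unrelated.
    for origin in ("https://hostname.example.com",
                   "https://hostname.example.com.unlisted.example",
                   "https://unlisted.example"):
        print(origin, "->", cors_headers(origin, SETTINGS))
    relaxed = dict(SETTINGS, CORS_ORIGIN_ALLOW_ALL=True, CORS_ALLOW_CREDENTIALS=True)
    print("allow-all + credentials ->", cors_headers("https://unlisted.example", relaxed))
```

One caveat on the whitelist shown: comparing hostnames ignores the scheme, so an `http://` page on a listed host is treated like the `https://` one; newer releases of django-cors-headers take full origins including the scheme in the whitelist setting for that reason.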

  19. [image slide]

  20. Contact
    /me
    @w3af
    [email protected]
    https://www.tagcube.io/
