
DjangoMeetup Buenos Aires - Django Security Quick wins II


andresriancho

October 24, 2014


Transcript

  1. Django Security quick wins
     Andrés Riancho, Django Meetup Buenos Aires

  2. Quick wins disclaimer
     - This is not everything I can do
     - In some cases it is not the best I can do
     - But it is better than nothing!
  3. Beyond settings.py
     From the OWASP Top 10:
     - Cross-Site Scripting
     - SQL injection
     Other:
     - CORS
     - Secure authentication with AngularJS
     - User uploaded content
  4. Django: Secure by default

  5. Developer: Insecure by default

  6. SQL Injection 101 - PHP example

     <?php
     $q = 'SELECT * FROM blog where id=' . $_GET['id'];   // untrusted input spliced into the SQL text
     $result = mysql_query($q);
     show_blog_entry($result);
     ?>

     - Which line has the vulnerability?
     - Why is it vulnerable?
     - What can an attacker do with this vulnerability?
       (The first statement: $_GET['id'] is concatenated into the query unescaped, so quotes and operators in it become part of the SQL, and the attacker rewrites the WHERE clause to read or alter data the query was never meant to touch.)
  7. No raw queries, no SQL injection

     blog = BlogEntry.objects.filter(id=request.GET.get('id'))
     show_blog(blog)

     - Vulnerable? Why?
       (No: the ORM sends the value to the database as a bound query parameter, so it is never interpreted as SQL. A non-numeric id raises an error rather than changing the query.)
  8. Django SQL injections!

     # Raw cursor with the value concatenated into the statement: this is the
     # PHP bug from slide 6, written in Django.
     def my_custom_sql(self):
         from django.db import connection
         cursor = connection.cursor()
         cursor.execute("SELECT foo FROM bar WHERE baz = '" + self.baz + "'")
         row = cursor.fetchone()
         return row

     # raw() and extra() also take SQL text. They are fine while that text is a
     # constant, as here, and become injectable as soon as request data is
     # formatted into it.
     >>> for p in Person.objects.raw('SELECT * FROM myapp_person'):
     ...     print(p)
     John Smith
     Jane Jones

     Entry.objects.extra(select={'is_recent': "pub_date > '2006-01-01'"})
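The difference between the slide's concatenated query and a parameterized one, shown end to end on an in-memory SQLite table. This is an added example, not code from the talk: the table and its rows are constructed for the demo, and plain sqlite3 stands in for Django's connection.cursor(), whose placeholder is %s on every backend rather than sqlite3's ?. The same params list is what Manager.raw(sql, params) and QuerySet.extra(select_params=..., params=...) accept.

```python
import sqlite3

# Constructed sample data for the demo (not from the slides): (foo, baz).
SAMPLE_ROWS = [("alice", "public"), ("bob", "secret")]

# The payload an attacker puts in the request parameter that ends up in baz.
ATTACK = "public' OR '1'='1"


def make_db():
    """In-memory table matching the slide's 'SELECT foo FROM bar WHERE baz = ...'."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bar (foo TEXT, baz TEXT)")
    conn.executemany("INSERT INTO bar (foo, baz) VALUES (?, ?)", SAMPLE_ROWS)
    return conn


def lookup_vulnerable(conn, baz):
    """The slide's pattern: the value is spliced into the SQL text, so the
    quote inside ATTACK closes the literal and the OR clause is parsed as SQL."""
    cur = conn.cursor()
    cur.execute("SELECT foo FROM bar WHERE baz = '" + baz + "'")
    return [row[0] for row in cur.fetchall()]


def lookup_safe(conn, baz):
    """Fixed form: the value travels as a bound parameter and is compared as a
    whole string, quotes and all. With Django's cursor the SQL would read
    'WHERE baz = %s' and the params list is passed the same way."""
    cur = conn.cursor()
    cur.execute("SELECT foo FROM bar WHERE baz = ?", [baz])
    return [row[0] for row in cur.fetchall()]


def demo():
    """Run both lookups with a normal value and with the payload."""
    conn = make_db()
    return {
        "vuln_normal": lookup_vulnerable(conn, "public"),
        "vuln_attack": lookup_vulnerable(conn, ATTACK),  # every row leaks
        "safe_normal": lookup_safe(conn, "public"),
        "safe_attack": lookup_safe(conn, ATTACK),        # no row has that literal baz
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The point to grep for in a code base is therefore not `execute(` itself but `execute(` whose first argument is built with `+`, `%` or an f-string; the parameter form is one extra argument away.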
  9. Grep now!

  10. Cross-Site Scripting 101 - PHP example

     Hello <?php echo $_GET['nombre']; ?>, welcome!

     - Which line has the vulnerability?
     - Why is it vulnerable?
     - What can an attacker do with this vulnerability?
       (The echo: the parameter is written into the HTML without escaping, so a value containing markup or script is rendered and executed in the browser of whoever opens the attacker's link.)
  11. Now in Django

     def a_view(request, *args, **kwargs):
         return render_to_response('template.html',
                                   {'name': request.GET.get('name')})

     template.html:
     Hello {{ name }}, welcome!

     - Vulnerable? Why?
       (No: the template engine HTML-escapes {{ name }} because autoescaping is on by default. render_to_response was removed in Django 3.0; render(request, 'template.html', context) is the current equivalent and escapes the same way.)
  12. Forcing XSS in Django

     From the Django docs: "It is also important to be particularly careful when using is_safe with custom template tags, the safe template tag, mark_safe, and when autoescape is turned off."

     Hello {{ name|safe }}, welcome!

     {% autoescape off %}
     {{ body }}
     {% endautoescape %}

     Both forms write the value into the page unescaped, so the view from slide 11 becomes an XSS the moment name is rendered through either of them.
  13. Grep now!
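For the two "Grep now!" slides (9 and 13), an added scanner that is not part of the talk: it walks a Django project for the constructs listed above, raw(), extra(), raw cursors and SQL built with + or % on the SQL side, and |safe, mark_safe, autoescape off and is_safe on the template side. The RULES, the SAMPLE_FILES contents and scan_tree are all constructed here; a hit means "read this line", not "this line is exploitable".

```python
import os
import re

# Patterns the slides say to grep for: (category, regex, why it matters).
# Matching is deliberately broad so the sweep produces a review list.
RULES = [
    ("sql", re.compile(r"\.raw\s*\("),               "Manager.raw(): SQL text"),
    ("sql", re.compile(r"\.extra\s*\("),             "QuerySet.extra(): SQL fragments"),
    ("sql", re.compile(r"connection\.cursor\s*\("),  "raw database cursor"),
    ("sql", re.compile(r"cursor\.execute\s*\("),     "raw SQL execution"),
    ("sql", re.compile(r"""execute\s*\(\s*["'].*["']\s*[+%]"""),
                                                     "SQL literal built with + or %"),
    ("xss", re.compile(r"\|\s*safe\b"),              "|safe disables escaping"),
    ("xss", re.compile(r"mark_safe\s*\("),           "mark_safe() disables escaping"),
    ("xss", re.compile(r"\{%\s*autoescape\s+off\s*%\}"), "autoescape off block"),
    ("xss", re.compile(r"is_safe\s*=\s*True"),       "tag/filter output marked safe"),
]

SOURCE_EXTS = (".py", ".html", ".txt")


def scan_text(path, text):
    """Return (path, line_no, category, note, line) for every rule that fires."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), 1):
        for category, regex, note in RULES:
            if regex.search(line):
                hits.append((path, line_no, category, note, line.strip()))
    return hits


def scan_files(files):
    """files: {path: contents}, scanned in path order (used by the sample below)."""
    hits = []
    for path in sorted(files):
        hits.extend(scan_text(path, files[path]))
    return hits


def scan_tree(root):
    """Real use: scan_tree('.') from the project directory."""
    files = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            if name.endswith(SOURCE_EXTS):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    files[path] = fh.read()
    return scan_files(files)


# Constructed sample project, modelled on slides 8 and 12 (not real files).
SAMPLE_FILES = {
    "app/views.py": "\n".join([
        "from django.db import connection",
        "",
        "def my_custom_sql(self):",
        "    cursor = connection.cursor()",
        "    cursor.execute(\"SELECT foo FROM bar WHERE baz = '\" + self.baz + \"'\")",
        "    return cursor.fetchone()",
        "",
        "def safe_lookup(self):",
        "    return Entry.objects.filter(id=self.pk)",
    ]),
    "app/templates/welcome.html": "\n".join([
        "Hello {{ name|safe }}, welcome!",
        "{% autoescape off %}{{ body }}{% endautoescape %}",
        "<p>{{ comment }}</p>",
    ]),
}


if __name__ == "__main__":
    for path, line_no, category, note, line in scan_files(SAMPLE_FILES):
        print(f"{path}:{line_no} [{category}] {note}: {line}")
```

On the sample the ORM call in safe_lookup and the plain {{ comment }} produce no hits, while the concatenated execute() line fires twice (raw execution plus string building), which is the line to fix first.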

  14. CORS vs. SOP
     - CORS: Cross-Origin Resource Sharing
     - SOP: Same Origin Policy
  15. CORS: Behind the scenes

  16. (image-only slide, no transcript text)
  17. Most likely insecure if...
     - Access-Control-Allow-Origin: *
     - Access-Control-Allow-Origin echoes the Origin from the request
     The echo variant is the dangerous one: combined with Access-Control-Allow-Credentials: true, any site can make the victim's browser send its cookies and read the response. Browsers refuse to pair * with credentials, so the wildcard only exposes data that was public anyway.
  18. django-cors-headers

     CORS_ORIGIN_ALLOW_ALL = False
     CORS_ORIGIN_WHITELIST = ('google.com', 'hostname.example.com')
     CORS_ALLOW_METHODS = ('GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS')
     CORS_ALLOW_HEADERS = ('x-requested-with', 'content-type', 'accept',
                           'origin', 'authorization', 'x-csrftoken')
     CORS_PREFLIGHT_MAX_AGE = 86400
     CORS_ALLOW_CREDENTIALS = False

     Whitelist entries are compared exactly against the host of the request's Origin, so list only the hosts that really call the API and leave CORS_ALLOW_CREDENTIALS off unless a whitelisted app needs cookies. In current releases of django-cors-headers the setting is CORS_ALLOWED_ORIGINS and holds full origins including the scheme, e.g. 'https://hostname.example.com'.
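How the two "most likely insecure" responses from slide 17 differ from the exact-match whitelist slide 18 configures, as an added Python example rather than code from the talk or from django-cors-headers. ALLOWED_ORIGINS, the two handler functions and the probe origin are constructed for the demo; the black-box check at the end is what a tester sends to tell the two apart without reading the config.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo (assumption, not the slide's config):
# full origins with scheme, exactly as the browser serializes them.
ALLOWED_ORIGINS = {"https://app.example.com", "https://hostname.example.com"}


def cors_headers_echo(origin):
    """Slide 17's anti-pattern: reflect whatever Origin arrives and allow
    credentials. Every site on the web can now read this API as the victim."""
    if not origin:
        return {}
    return {
        "Access-Control-Allow-Origin": origin,
        "Access-Control-Allow-Credentials": "true",
    }


def normalize_origin(origin):
    """Canonical scheme://host[:port] for comparison, or None when the value
    is not a usable origin (the literal 'null', a bad port, no scheme)."""
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    default = 443 if parts.scheme == "https" else 80
    if port is None or port == default:
        return f"{parts.scheme}://{parts.hostname}"
    return f"{parts.scheme}://{parts.hostname}:{port}"


def cors_headers_whitelist(origin, allowed=ALLOWED_ORIGINS, credentials=False):
    """Exact-match allow-list, the CORS_ORIGIN_WHITELIST idea from slide 18.
    'https://app.example.com.attacker.invalid' fails because the whole origin
    must match, not a substring or prefix of it."""
    norm = normalize_origin(origin) if origin else None
    if norm is None or norm not in allowed:
        return {}  # no CORS headers at all: the browser's SOP blocks the read
    headers = {
        "Access-Control-Allow-Origin": origin,  # echoed only after it passed the check
        "Vary": "Origin",                       # caches must not reuse it for another origin
    }
    if credentials:
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers


def allows_arbitrary_origin(handler, probe="https://attacker.invalid"):
    """The tester's check for slide 17: send an Origin nobody should trust and
    see whether it (or *) comes back in Access-Control-Allow-Origin."""
    acao = handler(probe).get("Access-Control-Allow-Origin")
    return acao == probe or acao == "*"


if __name__ == "__main__":
    for name, handler in (("echo", cors_headers_echo), ("whitelist", cors_headers_whitelist)):
        print(name, "allows arbitrary origin:", allows_arbitrary_origin(handler))
```

Returning no CORS headers on a mismatch is deliberate: an explicit deny header does not exist, and sending the first allowed origin instead of nothing would leak which origins are trusted.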
  19. (image-only slide, no transcript text)
  20. /me
     @w3af
     andres@tagcube.io
     https://www.tagcube.io/
     Contact