DjangoMeetup Buenos Aires - Django Security Quick wins II


andresriancho

October 24, 2014

Transcript

  1. Django Security quick wins. Andrés Riancho, Django Meetup Buenos Aires

  2. Quick wins disclaimer
     • It is not everything I can do
     • In some cases, it is not the best I can do
     • But it is better than nothing!
  3. Beyond settings.py
     • From the OWASP Top 10: Cross-Site Scripting, SQL injection
     • Other: CORS, secure authentication with AngularJS, user uploaded content
  4. Django: Secure by default

  5. Developer: Insecure by default

  6. SQL Injection 101 – PHP Example

        <?
        $q = 'SELECT * FROM blog where id=' . $_GET['id'];
        $result = mysql_query($q);
        show_blog_entry($result);
        ?>

     • Which line has the vulnerability?
     • Why is it vulnerable?
     • What can an attacker do with this vulnerability?
  7. No raw queries, no SQL injection

        blog = BlogEntry.objects.filter(id=request.GET.get('id'))
        show_blog(blog)

     • Vulnerable?
     • Why?
  8. Django SQL injections!

        def my_custom_sql(self):
            from django.db import connection, transaction
            cursor = connection.cursor()
            cursor.execute("SELECT foo FROM bar WHERE baz = '" + self.baz + "'")
            row = cursor.fetchone()

        >>> for p in Person.objects.raw('SELECT * FROM myapp_person'):
        ...     print p
        John Smith
        Jane Jones

        Entry.objects.extra(select={'is_recent': "pub_date > '2006-01-01'"})
  9. Grep now!

  10. Cross-Site Scripting 101 – PHP example

        Hola <? echo $_GET['nombre']; ?>, bienvenido!

     • Which line has the vulnerability?
     • Why is it vulnerable?
     • What can an attacker do with this vulnerability?
  11. Now in Django

        def a_view(request, *args, **kwargs):
            return render_to_response('template.html', {'name': request.GET.get('name')})

     • Vulnerable?
     • Why?

        Hola {{ name }}, bienvenido!
  12. Forcing XSS in Django. Quoting the Django docs: "It is also important to be particularly careful when using is_safe with custom template tags, the safe template tag, mark_safe, and when autoescape is turned off."

        Hola {{ name|safe }}, bienvenido!

        {% autoescape off %} {{ body }} {% endautoescape %}
  13. Grep now!
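The two "Grep now!" slides (9 and 13) point at the same habit: search the code base for the SQL and template constructs the previous slides named. The helper below is an added example, not code from the talk; its regexes are heuristics I chose (an assumption, not from the deck), and the sample source is constructed from the deck's snippets plus one parameterised query that must not be flagged.

```python
import re

# Constructs the deck says to grep for; the regexes are heuristics written
# for this example, not something the talk or Django ships.
PATTERNS = [
    # SQL: each of these hands the database a string you assembled yourself
    (re.compile(r'''cursor\.execute\(.*(?:["']\s*[+%]\s|\s[+%]\s*["']|\.format\(|\bf["'])'''),
     "cursor.execute() builds SQL from strings"),
    (re.compile(r"\.raw\("), "Manager.raw()"),
    (re.compile(r"\.extra\("), "QuerySet.extra()"),
    # XSS: each of these switches Django's autoescaping off
    (re.compile(r"mark_safe\("), "mark_safe()"),
    (re.compile(r"\|\s*safe(?:seq)?\b"), "|safe filter"),
    (re.compile(r"autoescape\s+off"), "autoescape off"),
    (re.compile(r"is_safe\s*=\s*True"), "is_safe template tag"),
]

def scan(source):
    """Return (line_no, label, stripped line) for every line matching a pattern.
    A parameterised cursor.execute("... = %s", [baz]) is deliberately not
    flagged: the placeholder travels as data, so no string-building form matches.
    """
    hits = []
    for no, line in enumerate(source.splitlines(), 1):
        for pat, label in PATTERNS:
            if pat.search(line):
                hits.append((no, label, line.strip()))
                break  # one finding per line is enough for a review list
    return hits

# Constructed sample input: the deck's own snippets plus one parameterised query
SAMPLE_VIEWS = '''\
def my_custom_sql(self):
    cursor = connection.cursor()
    cursor.execute("SELECT foo FROM bar WHERE baz = '" + self.baz + "'")
    cursor.execute("SELECT foo FROM bar WHERE baz = %s", [self.baz])
    people = Person.objects.raw('SELECT * FROM myapp_person')
    recent = Entry.objects.extra(select={'is_recent': "pub_date > '2006-01-01'"})
    return mark_safe(html)
'''
SAMPLE_TEMPLATE = '''\
Hola {{ name }}, bienvenido!
Hola {{ name|safe }}, bienvenido!
{% autoescape off %}{{ body }}{% endautoescape %}
'''

if __name__ == "__main__":
    for name, src in (("views.py", SAMPLE_VIEWS), ("template.html", SAMPLE_TEMPLATE)):
        for no, label, text in scan(src):
            print(f"{name}:{no}: {label}: {text}")
```

Every hit is a place to review, not necessarily a bug: raw(), extra() and mark_safe() are fine when the input is trusted or parameterised, which is exactly what the review has to establish.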

  14. CORS vs. SOP
     • CORS: Cross-Origin Resource Sharing
     • SOP: Same Origin Policy
  15. CORS: Behind the scenes

  16. (image-only slide, no text)
  17. Most likely insecure if…
     • Access-Control-Allow-Origin: *
     • Access-Control-Allow-Origin echoes the Origin from the request
  18. django-cors-headers

        CORS_ORIGIN_ALLOW_ALL = False
        CORS_ORIGIN_WHITELIST = ('google.com', 'hostname.example.com')
        CORS_ALLOW_METHODS = ('GET', 'POST', 'PUT', 'PATCH', 'DELETE', 'OPTIONS')
        CORS_ALLOW_HEADERS = ('x-requested-with', 'content-type', 'accept', 'origin', 'authorization', 'x-csrftoken')
        CORS_PREFLIGHT_MAX_AGE = 86400
        CORS_ALLOW_CREDENTIALS = False
  19. (image-only slide, no text)
  20. Contact: /me @w3af, andres@tagcube.io, https://www.tagcube.io/