Security in Django

Transcript

1. Security in Django

2. Who am I ? Django core developer Member of Django's

   security & ops team Part time student, part time worker apollo13 on IRC & Github NOT A SECURITY EXPERT!

3. We will not talk about … Security would be easier

   without humans in the picture! https://xkcd.com/538/

4. … or … any other of the attacks against SSL/TLS

   out there (or server misconfigs for that matter) Oh: Update to the latest Python point release But please read and apply: https://cipherli.st/ https://www.ssllabs.com/ssltest/

5. First stop https://djangoproject.com/security Only contact: [email protected] fix, prenotify and release

   Please give us time and work with us!

6. Bug bounties https://hackerone.com/ Google's Security Patch Reward program

7. OWASP (or: How are we doing) Taken from: OWASP Top

   10 2013, CC-BY-SA 3.0 (https://www.owasp.org)

8. Security in Django • SQL/SMTP/OS injections • Authentication and Session

   management • Cross site scripting (XSS) • Cross site request forgery (CSRF) • Unvalidated redirects and forwards • Security checklist • TODOs

9. Before we start DO NOT TRUST USER INPUT (EVER) pigtailpalsblog.com

10. SQL injections Database adapters cursor.execute(), .extra(), .raw() & RawSQL() Exploit

    via: sql = 'select * from auth_user where username=%s' cursor.execute(sql % (username,)) Be safe (same for .extra(), .raw() & RawSQL()): cursor.execute(sql, (username,))

11. OS/LDAP/SMTP/etc. injections Use Django components instead of rolling your own

    (storage/email) Read 3rd party docs (LDAP/os.Popen) Generally: String interpolation is bad

12. Repeating myself DO NOT TRUST USER INPUT (EVER) Everything the

    browser sends is user input, including EVERY header and filenames/contenttypes in uploads.

13. Auth and session management What happens during login? (or: why

    shouldn't I implement it on my own) Authenticate the user Set session_auth_hash Flush/rotate session key Rotate CSRF token Check redirects Set session cookie & redirect

14. In detail • Authentication: Compare (safely) against stored password and

    update if needed • session_auth_hash: Sign out all other sessions after password change • Change session and CSRF tokens on login to prevent fixation • Check next target to ensure that the user stays on the same site

15. Password storage/validation Multiple Algorithms ootb (bcrypt/PBKDF2/…) Iterations increased every release

    Upgrade to new algos always possible constant_time_compare Password validators since 1.9 Check length/numeric/common… Enabled only for new projects!

16. Password reset User requests a password reset link Emailed to

    the user Link can be used once (!) to reset the password /reset/MQ/46h-6965b6f67bcf041e513a/ User Timestamp HMAC of User.pk, password, last login & timestamp

17. Signing in your code django.core.signing.* dumps('HI', 'password', 'my_ns') => 'IkhJIg:1ZstkN:IflKlCmedvbp6-y8NYHdF5yBsi8'

    Includes the data! Adds an optional timestamp (Salted) HMAC over everything

18. XSS Cross-site scripting Reflected or persistent https://site.com/?search=<b>banana</b> => You searched

    for: banana Often easy and can be very dangerous www.minionland.com

19. XSS protection Auto escaping HTML only, not context aware Replaces

    < > ' “ & with entities Always use quotes around attributes Javascript requires different escaping var mystr = '{{ value|escapejs }}'; Only for use in strings!

20. XSS Examples Attack: data = "</script><script>alert('xss');//" Worst case (in a

    script tag): var json = {{ data|dumps|safe }}; A little bit better and visibly broken: var json = {{ data|dumps }}; (Browser dev tools!)

21. XSS Examples 2 Using Django: var json = JSON.parse('{{ data|escapejs

    }}'); Or simpler: var json = {{ data|json }}; from django-argonauts Do not use inside attributes!

22. XSS protection 2 Defense in Depth X-XSS-Protection: 1; mode=block No

    inline JS, no event handlers Content-Security-Policy (not yet in Django) No User supplied CSS! Check your (filter) libraries & code, many people just do mark_safe(json.dumps())

23. CSRF Cross-site request forgery <img src='mybank.com/t/? amount=1000&to=apollo13'/> Still no kittens

    and money gone

24. CSRF protection Enabled by default Does not cover GET/HEAD/OPTIONS/TRACE Server

    generates random value Put it into form (header for ajax) and cookie Compare values on the server again

25. CSRF protection 2 Why does it work and why can

    we trust the browser here. (Since you said do not trust headers) Form on evil.com: <form method='post' action='somesite.com'> <input name='csrfmiddlewaretoken' value='?' /> How to get the CSRF token?

26. CSRF protection 3 Our implementation is “secure” (Even if auditors

    tend to disagree) Changing token via Firebug is NOT a security issue

27. Unvalidated redirects/forwards Attacker redirects to: /auth/login/?next=http://evil.com After login you are

    on evil.com! django.utils.http.is_safe_url More comments than code → hard to get right

28. Security checklist ./manage.py check --deploy System check identified 9 issues

    (0 silenced). DEBUG = False, SECRET_KEY is secret Enable SECURE_* settings *_COOKIE_(SECURE|HTTPONLY) = True X_FRAME_OPTIONS = 'DENY'

29. TODO in Django Implement rate limiting (for login etc) 2FA

    (TOTP & U2F as reference implementations) CSRF improvements (#16859) JSON filter for templates

30. Even more TODOs Enhance SecurityMiddleware (github.com/twitter/secureheaders) Implement Content-Security-Policy (admin &

    #15727 ) Limit POST/GET data length & number (#21231)

31. Questions? & Thank you!