Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Testing python security

jmortegac
October 07, 2018
Technology
1
340

Testing python security

In this talk, I will highlight the biggest problems we can find in python functions, how to use then in a secure way and tools and services that help you identify vulnerabilities in the python source code.

These could be the main talking points:

*Introduction to secure programming in python.
*Introduce dangerous functions for code inyection and how we can solve this issues from a security point of view.
*Common attack vectors on Python applications like Remote Command Execution and SQL injection.
*Best practices for avoid execution of malicious commands.
*Tools that help us to protect and obfuscate our source code.

jmortegac

October 07, 2018
Tweet

More Decks by jmortegac

See All by jmortegac
Evolution of security strategies in K8s environments
jmortega
0
5
Implementing Observability for Kubernetes
jmortega
0
9
Computación distribuida usando Python
jmortega
0
40
Seguridad_en_arquitecturas_serverless_y_entornos_cloud.pdf
jmortega
0
63
Construyendo arquitecturas zero trust sobre entornos cloud
jmortega
0
33
Tips and tricks for data science projects with Python
jmortega
0
38
Sharing secret keys in Docker containers and K8s
jmortega
0
85
Implementing cert-manager in K8s
jmortega
0
130
Python para equipos de ciberseguridad(pycones)
jmortega
0
88

Other Decks in Technology

See All in Technology
Renovate を使った ライブラリアップデート 仕組み化の取り組み
andpad
0
260
EQを高めて不快な感情に立ち向かえ
yamasatimi
1
390
テスト駆動開発でダイエットに挑戦して失敗した話
terahide
0
380
マネージャーのためのスクラムマスターのパフォーマンスを高めるTips集
kawagoi
0
410
2023.10.03_AIプロダクトがLLMで変わったこと/変わらないこと
nunukim
1
140
[関東Kaggler会 スポンサーセッション] LayerXの事業と機械学習でできること / kanto-kaggler-layerx
shimacos
0
610
【IoT-Tech Meetup #5】IoTとは?WireGuard概要とIoTで通信を守る理由
soracom
PRO
0
440
stripeを組み合わせたサーバレスアーキテクチャとシードのスタートアップ ビジネスをグロースするためにやったこと
yoshiitaka
3
110
増え続ける公開アプリケーションへの悪意あるアクセス_多層防御を取り入れるSRE活動_.pdf
yoshiiryo1
0
400
SREを以てセキュリティエンジニアリングを制す / SRE, Security Engineering, and You
lmt_swallow
4
870
SRE を実践するためのプラットフォームの作り方と技術マネジメント / Building a Platform for SRE
irotoris
1
3.4k
ログから学ぶgo build
nasa_desu
3
430

Featured

See All Featured
Mobile First: as difficult as doing things right
swwweet
214
8.2k
Building Adaptive Systems
keathley
29
1.6k
Six Lessons from altMBA
skipperchong
17
2.6k
A better future with KSS
kneath
230
16k
Agile that works and the tools we love
rasmusluckow
323
20k
Atom: Resistance is Futile
akmur
257
24k
How STYLIGHT went responsive
nonsquared
89
4.4k
A Modern Web Designer's Workflow
chriscoyier
688
190k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
marktimemedia
16
1.4k
Done Done
chrislema
178
15k
WebSockets: Embracing the real-time Web
robhawkes
58
6.5k
Debugging Ruby Performance
tmm1
68
11k

Transcript

  1. Testing python security
    Pycones 2018 1 @jmortegac
    Testing python security
    by
    Jose Manuel Ortega

    View Slide

  2. Testing python security
    Pycones 2018 2 @jmortegac
    Agenda
    1. Secure coding
    2. Dangerous functions
    3. Common attack vectors
    4. Static analisys tools
    5. Other security issues

    View Slide

  3. Testing python security
    Pycones 2018 3 @jmortegac
    Secure coding
    1. Analysis of architectures involved
    2. Review of implementation details
    3. Verification of code logic and syntax
    4. Operational testing (unit testing, white-box)
    5. Functional testing (black-box)

    View Slide

  4. Testing python security
    Pycones 2018 4 @jmortegac
    Unsafe python components

    View Slide

  5. Testing python security
    Pycones 2018 5 @jmortegac
    Dangerous Python Functions

    View Slide

  6. Testing python security
    Pycones 2018 6 @jmortegac
    Security issues
    Here’s a list of handful of other potential issues to
    watch for:
    ● Dangerous python functions like eval()
    ● Serialization and deserialization objects with
    pickle
    ● SQL and JavaScript snippets
    ● API keys included in source code
    ● HTTP calls to internal or external web services

    View Slide

  7. Testing python security
    Pycones 2018 7 @jmortegac
    Improper input/output validation

    View Slide

  8. Testing python security
    Pycones 2018 8 @jmortegac
    eval()
    eval(expression[, globals[, locals]])

    View Slide

  9. Testing python security
    Pycones 2018 9 @jmortegac
    eval()
    No globals

    View Slide

  10. Testing python security
    Pycones 2018 10 @jmortegac
    eval()
    eval("__import__('os').system('clear')
    ", {})
    eval("__import__('os').system('rm -rf')", {})

    View Slide

  11. Testing python security
    Pycones 2018 11 @jmortegac
    eval()
    Refuse access to the builtins

    View Slide

  12. Testing python security
    Pycones 2018 12 @jmortegac
    eval()

    View Slide

  13. Testing python security
    Pycones 2018 13 @jmortegac
    Serialization and Deserialization with Pickle
    WARNING: pickle or cPickle are NOT designed as
    safe/secure solution for serialization

    View Slide

  14. Testing python security
    Pycones 2018 14 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  15. Testing python security
    Pycones 2018 15 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  16. Testing python security
    Pycones 2018 16 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  17. Testing python security
    Pycones 2018 17 @jmortegac
    Input injection attacks

    View Slide

  18. Testing python security
    Pycones 2018 18 @jmortegac
    Command Injection
    @app.route('/menu',methods =['POST'])
    def menu():
    param = request.form [ ' suggestion ']
    command = ' echo ' + param + ' >> ' + ' menu.txt '
    subprocess.call(command,shell = True)
    with open('menu.txt','r') as f:
    menu = f.read()
    return render_template('command_injection.html',
    menu = menu)

    View Slide

  19. Testing python security
    Pycones 2018 19 @jmortegac
    Command Injection
    @app.route('/menu',methods =['POST'])
    def menu():
    param = request.form [ ' suggestion ']
    command = ' echo ' + param + ' >> ' + ' menu.txt '
    subprocess.call(command,shell = True)
    with open('menu.txt','r') as f:
    menu = f.read()
    return render_template('command_injection.html',
    menu = menu)

    View Slide

  20. Testing python security
    Pycones 2018 20 @jmortegac
    shlex module

    View Slide

  21. Testing python security
    Pycones 2018 21 @jmortegac
    PyExecCmd

    View Slide

  22. Testing python security
    Pycones 2018 22 @jmortegac
    Common attack vectors on web applications
    OWASP TOP 10:
    A1 Injection
    A2 Broken Authentication and Session Management
    A3 Cross-Site Scripting (XSS)
    A4 Insecure Direct Object References
    A5 Security Misconfiguration
    A6 Sensitive Data Exposure
    A7 Missing Function Level Access Control
    A8 Cross-Site Request Forgery (CSRF)
    A9 Using Components with Known Vulnerabilities
    A10 Unvalidated Redirects and Forwards

    View Slide

  23. Testing python security
    Pycones 2018 23 @jmortegac
    SQL Injection
    @app.route('/filtering')
    def filtering():
    param = request.args.get('param', 'not set')
    Session = sessionmaker(bind = db.engine)
    session = Session()
    result = session.query(User).filter(" username ={}
    ".format(param))
    for value in result:
    print(value.username , value.email)
    return ' Result is displayed in console.'

    View Slide

  24. Testing python security
    Pycones 2018 24 @jmortegac
    Prevent SQL injection attacks
    Prevent SQL injection attacks
    ● NEVER concatenate untrusted inputs in SQL
    code.
    ● Concatenate constant fragments of SQL
    (literals) with parameter placeholders.
    ● cur.execute("SELECT * FROM students
    WHERE name= '%s';" % name)
    ● c.execute("SELECT * from students WHERE
    name=(?)" , name)

    View Slide

  25. Testing python security
    Pycones 2018 25 @jmortegac
    Prevent SQL injection attacks

    View Slide

  26. Testing python security
    Pycones 2018 26 @jmortegac
    XSS
    from flask import Flask , request , make_response
    app = Flask(__name__)
    @app.route ('/XSS_param',methods =['GET ])
    def XSS():
    param = request.args.get('param','not set')
    html = open('templates/XSS_param.html ').read()
    resp = make_response(html.replace('{{ param}}',param))
    return resp
    if __name__ == ' __main__ ':
    app.run(debug = True)

    View Slide

  27. Testing python security
    Pycones 2018 27 @jmortegac
    XSS

    View Slide

  28. Testing python security
    Pycones 2018 28 @jmortegac
    XSS

    View Slide

  29. Testing python security
    Pycones 2018 29 @jmortegac
    Automated security testing
    Automatic Scanning tools:
    ● SQLMap: Sql injection
    ● XssScrapy: Sql injection and XSS
    Source Code Analysis tools:
    ● Bandit: Open Source and can be
    easily integrated with Jenkins CI/CD

    View Slide

  30. Testing python security
    Pycones 2018 30 @jmortegac
    SQLMap

    View Slide

  31. Testing python security
    Pycones 2018 31 @jmortegac
    Bandit

    View Slide

  32. Testing python security
    Pycones 2018 32 @jmortegac
    Bandit

    View Slide

  33. Testing python security
    Pycones 2018 33 @jmortegac
    Bandit Test plugins

    View Slide

  34. Testing python security
    Pycones 2018 34 @jmortegac
    Bandit Test plugins

    View Slide

  35. Testing python security
    Pycones 2018 35 @jmortegac
    Bandit Test plugins

    View Slide

  36. Testing python security
    Pycones 2018 36 @jmortegac
    Bandit Test plugins

    View Slide

  37. Testing python security
    Pycones 2018 37 @jmortegac
    Bandit Test plugins

    View Slide

  38. Testing python security
    Pycones 2018 38 @jmortegac
    Bandit Test plugins

    View Slide

  39. Testing python security
    Pycones 2018 39 @jmortegac
    Bandit Test plugins
    SELECT %s FROM derp;” % var
    “SELECT thing FROM ” + tab
    “SELECT ” + val + ” FROM ” + tab + …
    “SELECT {} FROM derp;”.format(var)

    View Slide

  40. Testing python security
    Pycones 2018 40 @jmortegac
    Other security issues
    CPython vulnerabilities

    View Slide

  41. Testing python security
    Pycones 2018 41 @jmortegac
    Other security issues
    Insecure packages
    – acqusition (uploaded 2017-06-03 01:58:01, impersonates
    acquisition)
    – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates
    apidev-coop_cms)
    – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
    – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
    – django-server (uploaded 2017-06-02 08:22:23, impersonates
    django-server-guardian-api)
    – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
    – setup-tools (uploaded 2017-06-02 08:54:44, impersonates
    setuptools)
    – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
    – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
    – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

    View Slide

  42. Testing python security
    Pycones 2018 42 @jmortegac
    Other security issues
    Code optimization

    View Slide

  43. Testing python security
    Pycones 2018 43 @jmortegac
    Interesting links
    https://github.com/jmortega/testing_python_security

    View Slide

  44. Testing python security
    Pycones 2018 44 @jmortegac
    Interesting links
    https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
    https://security.openstack.org/guidelines/dg_avoid-shell-true.html
    https://security.openstack.org/guidelines/dg_parameterize-database-queries.html
    https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
    https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-librari
    es.html

    View Slide

  45. Testing python security
    Pycones 2018 45 @jmortegac
    Q&A
    Q & A

    View Slide