
Testing python security

jmortegac
October 07, 2018


In this talk, I will highlight the biggest problems we can find in Python functions, how to use them in a secure way, and the tools and services that help you identify vulnerabilities in Python source code.

These could be the main talking points:

* Introduction to secure programming in Python.
* Dangerous functions that allow code injection, and how we can solve these issues from a security point of view.
* Common attack vectors on Python applications, such as remote command execution and SQL injection.
* Best practices to avoid the execution of malicious commands.
* Tools that help us protect and obfuscate our source code.


Transcript

  1. Testing python security, PyConES 2018, @jmortegac
     by Jose Manuel Ortega
  2. Agenda
     1. Secure coding
     2. Dangerous functions
     3. Common attack vectors
     4. Static analysis tools
     5. Other security issues
  3. Secure coding
     1. Analysis of the architectures involved
     2. Review of implementation details
     3. Verification of code logic and syntax
     4. Operational testing (unit testing, white-box)
     5. Functional testing (black-box)
  4. Unsafe Python components
  5. Dangerous Python functions
  6. Security issues
     Here's a list of a handful of other potential issues to watch for:
     • Dangerous Python functions like eval()
     • Serialization and deserialization of objects with pickle
     • SQL and JavaScript snippets
     • API keys included in source code
     • HTTP calls to internal or external web services
  7. Improper input/output validation

  8. eval()
     eval(expression[, globals[, locals]])
  9. eval(): no globals
  10. eval()
      eval("__import__('os').system('clear')", {})
      eval("__import__('os').system('rm -rf')", {})
  11. eval(): refuse access to the builtins
  12. eval()
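Slide 10 shows that an empty globals dict does not stop eval() from reaching __import__, because CPython inserts the real builtins whenever the "__builtins__" key is missing; slide 11 is the fix. The block below is an added example, not code from the deck: it applies that fix explicitly and contrasts it with ast.literal_eval(), which is the right tool when the input is only supposed to be data (stripping builtins is defence in depth, not a sandbox).

```python
import ast


def eval_without_builtins(expression: str):
    """Evaluate with an explicitly empty builtins table: no __import__, no open()."""
    return eval(expression, {"__builtins__": {}}, {})


def safe_literal(expression: str):
    """Parse a Python literal (numbers, strings, lists, dicts, ...) without running code."""
    return ast.literal_eval(expression)


def classify(expression: str) -> str:
    """Report how one (constructed) input fares under both evaluators."""
    try:
        eval_without_builtins(expression)
        restricted = "allowed"
    except NameError:
        # __import__, open, getattr ... are all names that no longer resolve
        restricted = "blocked"
    try:
        safe_literal(expression)
        literal = "allowed"
    except (ValueError, SyntaxError):
        # literal_eval refuses calls, attribute access and arbitrary operators
        literal = "blocked"
    return f"restricted eval: {restricted}; literal_eval: {literal}"


if __name__ == "__main__":
    # The third expression is the deck's own __import__ trick with a harmless call.
    for expr in ["1 + 2", "[1, 2, 3]", "__import__('os').getcwd()"]:
        print(f"{expr!r:32} -> {classify(expr)}")
```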

  13. Serialization and deserialization with pickle
      WARNING: pickle and cPickle are NOT designed as a safe/secure solution for serialization
  14. Serialization and deserialization with pickle
  15. Serialization and deserialization with pickle
  16. Serialization and deserialization with pickle
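The warning on slide 13 exists because pickle.loads() imports and calls whatever global the byte stream names. As an added example (not from the deck), the block below uses the allow-list pattern from the pickle module documentation: find_class() is overridden so only a few harmless builtins can be resolved, and a blob that names any other class (here a constructed, harmless fractions.Fraction) is refused before anything is imported.

```python
import builtins
import fractions
import io
import pickle

SAFE_BUILTINS = {"range", "complex", "set", "frozenset", "slice"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Every GLOBAL / STACK_GLOBAL opcode lands here; refuse anything that is
        # not a harmless builtin before it can be imported, let alone called.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in replacement for pickle.loads() that enforces the allow-list."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_load(data: bytes) -> str:
    """Summarise whether a blob is accepted or refused."""
    try:
        restricted_loads(data)
        return "accepted"
    except pickle.UnpicklingError as exc:
        return f"refused ({exc})"


# Constructed sample blobs: plain containers need no globals, range() resolves
# to an allow-listed builtin, Fraction names fractions.Fraction (outside the list).
PLAIN_BLOB = pickle.dumps({"menu": ["pizza", "pasta"], "count": 2})
RANGE_BLOB = pickle.dumps(range(3))
CLASS_BLOB = pickle.dumps(fractions.Fraction(1, 3))

if __name__ == "__main__":
    print("plain dict:", try_load(PLAIN_BLOB))
    print("range:     ", try_load(RANGE_BLOB))
    print("Fraction:  ", try_load(CLASS_BLOB))
```

A blob naming os.system or a user-defined class is rejected by the same path as the Fraction blob, so the unpickler never gets as far as instantiating it.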
  17. Input injection attacks
  18. Command injection
      from flask import Flask, request, render_template
      import subprocess

      app = Flask(__name__)

      @app.route('/menu', methods=['POST'])
      def menu():
          param = request.form['suggestion']
          # untrusted form input is spliced into a shell command line (vulnerable by design)
          command = 'echo ' + param + ' >> ' + 'menu.txt'
          subprocess.call(command, shell=True)
          with open('menu.txt', 'r') as f:
              menu = f.read()
          return render_template('command_injection.html', menu=menu)
  19. Command injection (the same handler as slide 18)
  20. shlex module
  21. PyExecCmd
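Slides 18 to 20 show the vulnerable handler and point at shlex as part of the remedy. The block below is an added example, not from the deck: the same echo-and-append logic with an argv list and no shell, so a suggestion containing ';' or '|' is one argument and nothing more, plus shlex.quote() for the rare case where a command string really must be built. The hostile input is constructed for the demo.

```python
import shlex
import subprocess
import tempfile
from pathlib import Path


def echo_argv(suggestion: str) -> list:
    """argv for the same echo call: the suggestion is always exactly one argument."""
    return ["echo", suggestion]


def append_suggestion(suggestion: str, menu_path: Path) -> str:
    """Run echo without a shell, append its output to the menu file, return the menu."""
    done = subprocess.run(echo_argv(suggestion), capture_output=True, text=True, check=True)
    with menu_path.open("a") as f:
        f.write(done.stdout)
    return menu_path.read_text()


def quoted_command(suggestion: str) -> str:
    """Only if a string must reach a shell: quote the untrusted part first."""
    return "echo " + shlex.quote(suggestion) + " >> menu.txt"


def demo_append(suggestion: str) -> str:
    """Append into a throwaway menu file and return what ended up in it."""
    with tempfile.TemporaryDirectory() as tmp:
        return append_suggestion(suggestion, Path(tmp) / "menu.txt")


if __name__ == "__main__":
    hostile = "pizza; echo injected"  # constructed: under shell=True this is two commands
    print(repr(demo_append(hostile)))            # 'pizza; echo injected\n'
    print(quoted_command(hostile))               # echo 'pizza; echo injected' >> menu.txt
    print(shlex.split(quoted_command(hostile)))  # ['echo', 'pizza; echo injected', '>>', 'menu.txt']
```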

  22. Common attack vectors on web applications
      OWASP Top 10:
      A1 Injection
      A2 Broken Authentication and Session Management
      A3 Cross-Site Scripting (XSS)
      A4 Insecure Direct Object References
      A5 Security Misconfiguration
      A6 Sensitive Data Exposure
      A7 Missing Function Level Access Control
      A8 Cross-Site Request Forgery (CSRF)
      A9 Using Components with Known Vulnerabilities
      A10 Unvalidated Redirects and Forwards
  23. SQL injection
      from flask import request
      from sqlalchemy.orm import sessionmaker
      # db (the Flask-SQLAlchemy instance) and the User model come from the application

      @app.route('/filtering')
      def filtering():
          param = request.args.get('param', 'not set')
          Session = sessionmaker(bind=db.engine)
          session = Session()
          # untrusted query-string input is formatted into the filter text (vulnerable by design)
          result = session.query(User).filter("username={}".format(param))
          for value in result:
              print(value.username, value.email)
          return 'Result is displayed in console.'
  24. Prevent SQL injection attacks
      • NEVER concatenate untrusted inputs into SQL code.
      • Concatenate constant fragments of SQL (literals) with parameter placeholders.
      • cur.execute("SELECT * FROM students WHERE name='%s';" % name)   # string interpolation
      • c.execute("SELECT * FROM students WHERE name=(?)", (name,))     # parameter placeholder
  25. Prevent SQL injection attacks
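The two execute() calls on slide 24, run side by side against a constructed in-memory SQLite table so the difference is visible (added example, not from the deck): the '%s' version splices the input into the SQL text, while the '?' version hands it to SQLite as a bound value that can never change the shape of the query.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table for the demo."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, grade INTEGER)")
    conn.executemany("INSERT INTO students VALUES (?, ?)",
                     [("alice", 90), ("bob", 75), ("carol", 82)])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """String interpolation: the input becomes part of the SQL statement."""
    cur = conn.cursor()
    cur.execute("SELECT name FROM students WHERE name='%s';" % name)
    return [row[0] for row in cur.fetchall()]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Parameter placeholder: the input is only ever compared as a value."""
    cur = conn.cursor()
    cur.execute("SELECT name FROM students WHERE name=(?)", (name,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input: closes the quote and rewrites the WHERE clause
    print("unsafe, normal name :", lookup_unsafe(conn, "alice"))   # ['alice']
    print("unsafe, crafted     :", lookup_unsafe(conn, crafted))   # every row
    print("safe, normal name   :", lookup_safe(conn, "alice"))     # ['alice']
    print("safe, crafted       :", lookup_safe(conn, crafted))     # [] (no such student)
```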
  26. XSS
      from flask import Flask, request, make_response

      app = Flask(__name__)

      @app.route('/XSS_param', methods=['GET'])
      def XSS():
          param = request.args.get('param', 'not set')
          html = open('templates/XSS_param.html').read()
          # untrusted input substituted into raw HTML without escaping (vulnerable by design)
          resp = make_response(html.replace('{{ param }}', param))
          return resp

      if __name__ == '__main__':
          app.run(debug=True)
  27. XSS
  28. XSS
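The handler on slide 26 does a raw str.replace() of the placeholder into the HTML, so whatever arrives in ?param= is emitted as markup. As an added example (not from the deck), the block below keeps that substitution style but escapes the input first with the standard library; the template string is a constructed stand-in for templates/XSS_param.html and the probe input is constructed too.

```python
import html

# Constructed stand-in for templates/XSS_param.html
TEMPLATE = "<html><body><p>Your parameter: {{ param }}</p></body></html>"


def render_unsafe(template: str, param: str) -> str:
    """The deck's pattern: user input lands in the page verbatim."""
    return template.replace("{{ param }}", param)


def render_escaped(template: str, param: str) -> str:
    """Escape &, <, >, double and single quotes so the input can only ever be text."""
    return template.replace("{{ param }}", html.escape(param, quote=True))


def is_reflected_unescaped(rendered: str, param: str) -> bool:
    """True when a parameter that contains HTML metacharacters survived verbatim."""
    return html.escape(param, quote=True) != param and param in rendered


if __name__ == "__main__":
    probe = "<script>alert(1)</script>"  # constructed probe, the classic reflected-XSS check
    for renderer in (render_unsafe, render_escaped):
        page = renderer(TEMPLATE, probe)
        print(renderer.__name__, "reflected unescaped:", is_reflected_unescaped(page, probe))
        print("   ", page)
```

In a real Flask app, render_template() with a .html template gives the same protection through Jinja2 autoescaping; the str.replace() on slide 26 is what bypasses it.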

  29. Automated security testing
      Automatic scanning tools:
      • SQLMap: SQL injection
      • XssScrapy: SQL injection and XSS
      Source code analysis tools:
      • Bandit: open source and can be easily integrated with Jenkins CI/CD
  30. SQLMap
  31. Bandit
  32. Bandit
  33. Bandit test plugins
  34. Bandit test plugins
  35. Bandit test plugins
  36. Bandit test plugins
  37. Bandit test plugins
  38. Bandit test plugins
  39. Bandit test plugins
      String-built SQL patterns that Bandit flags:
      "SELECT %s FROM derp;" % var
      "SELECT thing FROM " + tab
      "SELECT " + val + " FROM " + tab + ...
      "SELECT {} FROM derp;".format(var)
  40. Other security issues: CPython vulnerabilities
  41. Other security issues: insecure packages
      – acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition)
      – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms)
      – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
      – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
      – django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api)
      – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
      – setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools)
      – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
      – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
      – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)
  42. Other security issues: code optimization
  43. Interesting links
      https://github.com/jmortega/testing_python_security
  44. Interesting links
      https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
      https://security.openstack.org/guidelines/dg_avoid-shell-true.html
      https://security.openstack.org/guidelines/dg_parameterize-database-queries.html
      https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
      https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html
  45. Q&A