Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Testing Python security PyCon IE

jmortegac
November 10, 2018
Programming
2
290

Testing Python security PyCon IE

Python is a language that in a easy way allows to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase complexity in your applications, it can be easy to introduce potential problems and vulnerabilities. In this talk, I will highlight the biggest problems we can find in python functions, how to use then in a secure way and tools and services that help you identify vulnerabilities in the python source code. These could be the main talking points:
-Introduction to secure programming in python.
-Introduce dangerous functions for code inyection and how we can solve this issues from a security point of view.
-Common attack vectors on Python applications like Remote Command Execution and SQL injection
-Best practices for avoid execution of malicious commands
-Tools that help us to protect and obfuscate our source code

jmortegac

November 10, 2018
Tweet

More Decks by jmortegac

See All by jmortegac
Evolution of security strategies in K8s environments
jmortega
0
5
Implementing Observability for Kubernetes
jmortega
0
9
Computación distribuida usando Python
jmortega
0
36
Seguridad_en_arquitecturas_serverless_y_entornos_cloud.pdf
jmortega
0
60
Construyendo arquitecturas zero trust sobre entornos cloud
jmortega
0
33
Tips and tricks for data science projects with Python
jmortega
0
36
Sharing secret keys in Docker containers and K8s
jmortega
0
84
Implementing cert-manager in K8s
jmortega
0
120
Python para equipos de ciberseguridad(pycones)
jmortega
0
88

Other Decks in Programming

See All in Programming
[iOS Dev UK 23] Making developer tools with Swift
polpielladev
0
180
アジャイルのライトウィングとレフトウィングはひとりで両方できなくてもいいんじゃない? - “ひとりでできるもん”から“みんなでできるもん”への道のり
psj59129
0
170
about_rails_girls_document_translation
maimux2x
0
4.9k
Jetpack Compose の Side-effect を使いこなす / DroidKaigi 2023
star_zero
1
520
_アニメーション抜き__MVIに基づくStateMachineアーキテクチャ_KMPとJetpack_ComposeとSwiftUIを組み合わせる.pdf
gmvalentino8
4
530
Gradle Convention Plugins
jmatsu
0
460
純SPAでNext.jsに対抗する 〜ページによってmetaタグを切り替える編〜
kiyoshiro
0
190
Build Backwards-Compatible REST APIs with Rolling Versions
subomi
0
130
OSSにPull Requestを送ってみて
osatoh
1
300
初めましてLaravel、君のことを教えてくれ! 〜春に就職したばかりの新卒エンジニアが調べた内部仕様と、そのプロセス〜
amixedcolor
0
160
近代フロントエンドの歴史とKuma UIの登場意義
poteboy
3
3.8k
Precondition with schema directives
quramy
0
240

Featured

See All Featured
Creatively Recalculating Your Daily Design Routine
revolveconf
208
11k
Atom: Resistance is Futile
akmur
257
24k
jQuery: Nuts, Bolts and Bling
dougneiner
57
6.8k
[Brighton Ruby 2023] The Magic of Rails
eileencodes
3
260
Producing Creativity
orderedlist
PRO
336
38k
Build your cross-platform service in a week with App Engine
jlugia
223
17k
VelocityConf: Rendering Performance Case Studies
addyosmani
318
23k
Bootstrapping a Software Product
garrettdimon
PRO
299
110k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
0
2.3k
Agile that works and the tools we love
rasmusluckow
323
20k
Building a Scalable Design System with Sketch
lauravandoore
453
31k
ParisWeb 2013: Learning to Love: Crash Course in Emotional UX Design
dotmariusz
101
6.4k

Transcript

  1. Testing python security
    PyconIE 2018 1 @jmortegac
    Testing Python Security
    José Manuel Ortega
    @jmortegac

    View Slide

  2. Testing python security
    PyconIE 2018 2 @jmortegac
    ● Develop Python scripts for automating security and
    pentesting tasks
    ● Discover the Python standard library's main modules
    used for performing security-related tasks
    ● Automate analytical tasks and the extraction of
    information from servers
    ● Explore processes for detecting and exploiting
    vulnerabilities in servers
    ● Use network software for Python programming
    ● Perform server scripting and port scanning with Python
    ● Identify vulnerabilities in web applications with Python
    ● Use Python to extract metadata and forensics

    View Slide

  3. Testing python security
    PyconIE 2018 3 @jmortegac
    jmortega.github.io

    View Slide

  4. Testing python security
    PyconIE 2018 4 @jmortegac
    1. Secure coding
    2. Dangerous functions
    3. Common attack vectors
    4. Static analisys tools
    5. Other security issues

    View Slide

  5. Testing python security
    PyconIE 2018 5 @jmortegac
    Secure coding
    1. Analysis of architectures involved
    2. Review of implementation details
    3. Verification of code logic and syntax
    4. Operational testing (unit testing, white-box)
    5. Functional testing (black-box)

    View Slide

  6. Testing python security
    PyconIE 2018 6 @jmortegac
    Unsafe python components

    View Slide

  7. Testing python security
    PyconIE 2018 7 @jmortegac
    Dangerous Python Functions

    View Slide

  8. Testing python security
    PyconIE 2018 8 @jmortegac
    Security issues
    Here’s a list of handful of other potential issues to
    watch for:
    ● Dangerous python functions like eval()
    ● Serialization and deserialization objects with
    pickle
    ● SQL and JavaScript snippets
    ● API keys included in source code
    ● HTTP calls to internal or external web services

    View Slide

  9. Testing python security
    PyconIE 2018 9 @jmortegac
    Improper input/output validation

    View Slide

  10. Testing python security
    PyconIE 2018 10 @jmortegac
    eval()
    eval(expression[, globals[, locals]])

    View Slide

  11. Testing python security
    PyconIE 2018 11 @jmortegac
    eval()
    No globals

    View Slide

  12. Testing python security
    PyconIE 2018 12 @jmortegac
    eval()
    eval("__import__('os').system('clear')
    ", {})
    eval("__import__('os').system('rm -rf')", {})

    View Slide

  13. Testing python security
    PyconIE 2018 13 @jmortegac
    eval()
    Refuse access to the builtins

    View Slide

  14. Testing python security
    PyconIE 2018 14 @jmortegac
    eval()

    View Slide

  15. Testing python security
    PyconIE 2018 15 @jmortegac
    Serialization and Deserialization with Pickle
    WARNING: pickle or cPickle are NOT designed as
    safe/secure solution for serialization

    View Slide

  16. Testing python security
    PyconIE 2018 16 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  17. Testing python security
    PyconIE 2018 17 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  18. Testing python security
    PyconIE 2018 18 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  19. Testing python security
    PyconIE 2018 19 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  20. Testing python security
    PyconIE 2018 20 @jmortegac
    Security issues
    Overflow errors
    ● The buffer overflow
    ● The integer or arithmetic overflow
    >> print xrange(2**63)
    Traceback (most recent call last):
    File "", line 1, in
    OverflowError: Python int too large to convert to C long
    >>> print range(2**63)
    Traceback (most recent call last):
    File "", line 1, in
    OverflowError: range() result has too many items

    View Slide

  21. Testing python security
    PyconIE 2018 21 @jmortegac
    Input injection attacks

    View Slide

  22. Testing python security
    PyconIE 2018 22 @jmortegac
    Command Injection
    @app.route('/menu',methods =['POST'])
    def menu():
    param = request.form [ ' suggestion ']
    command = ' echo ' + param + ' >> ' + ' menu.txt '
    subprocess.call(command,shell = True)
    with open('menu.txt','r') as f:
    menu = f.read()
    return render_template('command_injection.html',
    menu = menu)

    View Slide

  23. Testing python security
    PyconIE 2018 23 @jmortegac
    Command Injection
    @app.route('/menu',methods =['POST'])
    def menu():
    param = request.form [ ' suggestion ']
    command = ' echo ' + param + ' >> ' + ' menu.txt '
    subprocess.call(command,shell = False)
    with open('menu.txt','r') as f:
    menu = f.read()
    return render_template('command_injection.html',
    menu = menu)

    View Slide

  24. Testing python security
    PyconIE 2018 24 @jmortegac
    Command Injection

    View Slide

  25. Testing python security
    PyconIE 2018 25 @jmortegac
    shlex module

    View Slide

  26. Testing python security
    PyconIE 2018 26 @jmortegac
    PyExecCmd

    View Slide

  27. Testing python security
    PyconIE 2018 27 @jmortegac
    Common attack vectors on web applications
    OWASP TOP 10:
    A1 Injection
    A2 Broken Authentication and Session Management
    A3 Cross-Site Scripting (XSS)
    A4 Insecure Direct Object References
    A5 Security Misconfiguration
    A6 Sensitive Data Exposure
    A7 Missing Function Level Access Control
    A8 Cross-Site Request Forgery (CSRF)
    A9 Using Components with Known Vulnerabilities
    A10 Unvalidated Redirects and Forwards

    View Slide

  28. Testing python security
    PyconIE 2018 28 @jmortegac
    SQL Injection
    @app.route('/filtering')
    def filtering():
    param = request.args.get('param', 'not set')
    Session = sessionmaker(bind = db.engine)
    session = Session()
    result = session.query(User).filter(" username ={}
    ".format(param))
    for value in result:
    print(value.username , value.email)
    return ' Result is displayed in console.'

    View Slide

  29. Testing python security
    PyconIE 2018 29 @jmortegac
    Prevent SQL injection attacks
    Prevent SQL injection attacks
    ● NEVER concatenate untrusted inputs in SQL
    code.
    ● Concatenate constant fragments of SQL
    (literals) with parameter placeholders.
    ● cur.execute("SELECT * FROM students
    WHERE name= '%s';" % name)
    ● c.execute("SELECT * from students WHERE
    name=(?)" , name)

    View Slide

  30. Testing python security
    PyconIE 2018 30 @jmortegac
    Prevent SQL injection attacks

    View Slide

  31. Testing python security
    PyconIE 2018 31 @jmortegac
    XSS
    from flask import Flask , request , make_response
    app = Flask(__name__)
    @app.route ('/XSS_param',methods =['GET ])
    def XSS():
    param = request.args.get('param','not set')
    html = open('templates/XSS_param.html ').read()
    resp = make_response(html.replace('{{ param}}',param))
    return resp
    if __name__ == ' __main__ ':
    app.run(debug = True)

    View Slide

  32. Testing python security
    PyconIE 2018 32 @jmortegac
    XSS
    Server Side Template Injection (SSTI)

    View Slide

  33. Testing python security
    PyconIE 2018 33 @jmortegac
    XSS

    View Slide

  34. Testing python security
    PyconIE 2018 34 @jmortegac
    XSS

    View Slide

  35. Testing python security
    PyconIE 2018 35 @jmortegac
    Automated security testing
    Automatic Scanning tools:
    ● SQLMap: Sql injection
    ● XSScrapy: Sql injection and XSS
    Source Code Analysis tools:
    ● Bandit: Open Source and can be
    easily integrated with Jenkins CI/CD

    View Slide

  36. Testing python security
    PyconIE 2018 36 @jmortegac
    XSScrapy
    https://github.com/DanMcInerney/xsscrapy

    View Slide

  37. Testing python security
    PyconIE 2018 37 @jmortegac
    SQLMap

    View Slide

  38. Testing python security
    PyconIE 2018 38 @jmortegac
    SQLMap

    View Slide

  39. Testing python security
    PyconIE 2018 39 @jmortegac
    Bandit

    View Slide

  40. Testing python security
    PyconIE 2018 40 @jmortegac
    Bandit

    View Slide

  41. Testing python security
    PyconIE 2018 41 @jmortegac
    Bandit Test plugins

    View Slide

  42. Testing python security
    PyconIE 2018 42 @jmortegac
    Bandit Test plugins

    View Slide

  43. Testing python security
    PyconIE 2018 43 @jmortegac
    Bandit Test plugins

    View Slide

  44. Testing python security
    PyconIE 2018 44 @jmortegac
    Bandit Test plugins

    View Slide

  45. Testing python security
    PyconIE 2018 45 @jmortegac
    Bandit Test plugins

    View Slide

  46. Testing python security
    PyconIE 2018 46 @jmortegac
    Bandit Test plugins

    View Slide

  47. Testing python security
    PyconIE 2018 47 @jmortegac
    Bandit Test plugins
    SELECT %s FROM derp;” % var
    “SELECT thing FROM ” + tab
    “SELECT ” + val + ” FROM ” + tab + …
    “SELECT {} FROM derp;”.format(var)

    View Slide

  48. Testing python security
    PyconIE 2018 48 @jmortegac
    Syntribos
    Buffer Overflow
    Command Injection
    CORS Wildcard
    Integer Overflow
    LDAP Injection
    SQL Injection
    String Validation
    XML External Entity
    Cross Site Scripting (XSS)
    Regex Denial of Service (ReDoS)

    View Slide

  49. Testing python security
    PyconIE 2018 49 @jmortegac
    Other security issues
    CPython vulnerabilities

    View Slide

  50. Testing python security
    PyconIE 2018 50 @jmortegac
    Other security issues
    Insecure packages
    – acqusition (uploaded 2017-06-03 01:58:01, impersonates
    acquisition)
    – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates
    apidev-coop_cms)
    – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file)
    – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto)
    – django-server (uploaded 2017-06-02 08:22:23, impersonates
    django-server-guardian-api)
    – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash)
    – setup-tools (uploaded 2017-06-02 08:54:44, impersonates
    setuptools)
    – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib)
    – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3)
    – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)

    View Slide

  51. Testing python security
    PyconIE 2018 51 @jmortegac
    Other security issues

    View Slide

  52. Testing python security
    PyconIE 2018 52 @jmortegac
    Interesting links
    https://github.com/jmortega/testing_python_security

    View Slide

  53. Testing python security
    PyconIE 2018 53 @jmortegac
    Interesting links
    https://security.openstack.org/#bandit-static-analysis-for-python
    https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
    https://security.openstack.org/guidelines/dg_avoid-shell-true.html
    https://security.openstack.org/guidelines/dg_parameterize-database-querie
    s.html
    https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
    https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin
    g-libraries.html

    View Slide

  54. Testing python security
    PyconIE 2018 54 @jmortegac
    Q&A
    Q & A

    View Slide