Testing python security pyconweb

Python makes it easy to scale from small starter scripts up to complex applications for data processing and for serving dynamic web pages. But as an application grows in complexity, it also becomes easy to introduce problems and vulnerabilities.

In this talk José Manuel Ortega covers the common security problems in Python code, such as remote command execution and SQL injection, and shows how to prevent these and other types of vulnerabilities.

https://pyconweb.com/talks/26-05-2019/testing-python-security

jmortegac

May 26, 2019

Transcript

  1. Testing python security PyconWeb 2019 1 @jmortegac Testing Python Security

    José Manuel Ortega @jmortegac
  2. jmortega.github.io

  3. • Develop Python scripts for automating security and pentesting tasks
     • Discover the Python standard library's main modules used for performing security-related tasks
     • Automate analytical tasks and the extraction of information from servers
     • Explore processes for detecting and exploiting vulnerabilities in servers
     • Use network software for Python programming
     • Perform server scripting and port scanning with Python
     • Identify vulnerabilities in web applications with Python
     • Use Python to extract metadata and forensics

  4. (no transcript text on this slide)

  5. 1. Python dangerous functions
     2. Common attack vectors
     3. Static analysis tools
     4. Other security issues

  6. Unsafe Python components

  7. Dangerous Python Functions

  8. Security issues
     Here's a list of a handful of other potential issues to watch for:
     • Dangerous Python functions like eval()
     • Serialization and deserialization of objects with pickle
     • SQL and JavaScript snippets

  9. Improper input/output validation

  10. eval()
      eval(expression[, globals[, locals]])

  11. eval(): no globals

  12. eval()
      eval("__import__('os').system('clear') ", {})
      eval("__import__('os').system('rm -rf')", {})

  13. eval(): refuse access to the builtins

  14. eval()
      https://docs.python.org/3/library/ast.html#ast.literal_eval
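Slides 10 to 14 contrast eval() with ast.literal_eval(). The following is an added example (not from the talk or its repository) that parses untrusted "key = value" settings with ast.literal_eval, which accepts only Python literals (numbers, strings, lists, tuples, dicts, sets, booleans, None) and raises before anything in the text is evaluated. The configuration lines are constructed sample input; the function names are mine.

```python
import ast

# Constructed sample input: a settings file uploaded by an untrusted user.
# The last line is the kind of text that slide 12 passes to eval().
SAMPLE_CONFIG = [
    "# constructed sample input",
    "retries = 3",
    "hosts = ['10.0.0.1', '10.0.0.2']",
    "debug = False",
    "on_start = __import__('os').system('clear')",
]


def parse_untrusted_literal(text: str):
    """Parse user-supplied text as a Python literal without executing it.

    Returns (True, value) on success and (False, reason) when the text is not
    a plain literal. Names, calls, attribute access and imports are all
    rejected by ast.literal_eval with ValueError; broken syntax raises
    SyntaxError. Very deep nesting can raise MemoryError/RecursionError.
    """
    try:
        return True, ast.literal_eval(text)
    except (ValueError, SyntaxError, TypeError, MemoryError, RecursionError) as exc:
        return False, f"{type(exc).__name__}: {exc}"


def load_settings(lines):
    """Parse 'key = <literal>' lines into a dict of accepted settings.

    Returns (settings, rejected); rejected maps a key (or the raw line when no
    '=' was present) to the reason it was refused, so the caller can log it.
    """
    settings, rejected = {}, {}
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            rejected[line] = "missing '='"
            continue
        ok, result = parse_untrusted_literal(value.strip())
        (settings if ok else rejected)[key.strip()] = result
    return settings, rejected


if __name__ == "__main__":
    accepted, refused = load_settings(SAMPLE_CONFIG)
    print("accepted:", accepted)
    print("refused:", refused)
```

The point of the contrast: eval(text, {}) as on slide 12 still evaluates a full expression, and CPython inserts __builtins__ into an empty globals dict, so "no globals" does not remove the dangerous names; ast.literal_eval never evaluates, it only walks a literal AST.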

  15. Serialization and Deserialization with Pickle
      WARNING: pickle or cPickle are NOT designed as a safe/secure solution for serialization

  16. Serialization and Deserialization with Pickle

  17. Serialization and Deserialization with Pickle

  18. Serialization and Deserialization with Pickle

  19. Serialization and Deserialization with Pickle
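Slides 15 to 19 warn that pickle is not a safe deserialization format: pickle.loads() imports and calls whatever global the stream names. As an added example (not code from the talk), the Unpickler below follows the "Restricting Globals" recipe from the Python docs: it overrides find_class so that only a small allowlist of builtins can be resolved, and everything else is refused. The pickled inputs are constructed inline; a datetime.date stands in for "any class the stream asks for".

```python
import builtins
import datetime
import io
import pickle

# Builtin names the restricted loader is willing to resolve; nothing else,
# and no other module at all. Extend deliberately, never with '*'.
SAFE_BUILTINS = frozenset({"set", "frozenset", "range", "slice", "bytearray", "complex"})


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that refuses every global except an explicit allowlist.

    find_class() is the hook the pickle protocol uses to turn a
    (module, name) pair in the stream into a Python object; raising here
    stops the load before that object can be called.
    """

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def restricted_loads(data: bytes):
    """Drop-in for pickle.loads() on data that may come from outside."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def try_restricted_loads(data: bytes):
    """Return (True, value) or (False, reason) instead of raising."""
    try:
        return True, restricted_loads(data)
    except pickle.UnpicklingError as exc:
        return False, str(exc)


# Constructed sample streams: plain data, and an object of a library class.
PLAIN_PICKLE = pickle.dumps({"user": "alice", "roles": ["admin"], "ids": {1, 2}})
DATE_PICKLE = pickle.dumps(datetime.date(2019, 5, 26))


if __name__ == "__main__":
    print("plain data:", try_restricted_loads(PLAIN_PICKLE))
    print("library class, default loader:", pickle.loads(DATE_PICKLE))
    print("library class, restricted loader:", try_restricted_loads(DATE_PICKLE))
```

For plain data (dicts, lists, strings, numbers) a format with no code-loading semantics, such as json, is the simpler choice; the restricted unpickler is for the cases where an existing pickle-based interface cannot be replaced yet.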
  20. Input injection attacks

  21. Command Injection
      @app.route('/menu', methods=['POST'])
      def menu():
          param = request.form['suggestion']
          command = 'echo ' + param + ' >> ' + 'menu.txt'
          subprocess.call(command, shell=True)
          with open('menu.txt', 'r') as f:
              menu = f.read()
          return render_template('command_injection.html', menu=menu)

  22. Command Injection
      @app.route('/menu', methods=['POST'])
      def menu():
          param = request.form['suggestion']
          command = 'echo ' + param + ' >> ' + 'menu.txt'
          subprocess.call(command, shell=False)
          with open('menu.txt', 'r') as f:
              menu = f.read()
          return render_template('command_injection.html', menu=menu)

  23. Command Injection

  24. Command Injection
      >>> ping('8.8.8.8; rm -rf /')
      64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=6.32 ms
      rm: cannot remove `/bin/dbus-daemon': Permission denied
      rm: cannot remove `/bin/dbus-uuidgen': Permission denied
      rm: cannot remove `/bin/dbus-cleanup-sockets': Permission denied
      rm: cannot remove `/bin/cgroups-mount': Permission denied
      rm: cannot remove `/bin/cgroups-umount': Permission denied
      >>> ping('8.8.8.8; rm -rf /')
      ping: unknown host 8.8.8.8; rm -rf /

  25. shlex module
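Slides 21 to 25 show the menu endpoint with shell=True, the ping example, and the shlex module. The following added example (mine, not the talk's code) shows the three defensive patterns a practitioner would combine: validate the value before it reaches a command (ipaddress), pass an argument list with no shell so metacharacters are never interpreted, and do file writes in Python instead of via echo. One caveat the slide 22 version does not make explicit: passing a single string with shell=False makes subprocess look for a program literally named "echo ... >> menu.txt", so the fix is an argument list, not just the flag. Function names and the temporary menu file are my assumptions.

```python
import ipaddress
import shlex
import subprocess
import tempfile
from pathlib import Path
from typing import List


def is_valid_ping_target(host: str) -> bool:
    """True only for a literal IPv4/IPv6 address; '8.8.8.8; rm -rf /' fails."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def ping_argv(host: str, count: int = 1) -> List[str]:
    """Build the argv list for ping after validating the target.

    The list form of subprocess never invokes a shell, so ';', '|', '$()'
    and friends in `host` would be passed to ping as a plain argument; the
    validation above rejects them earlier with a clear error.
    """
    if not is_valid_ping_target(host):
        raise ValueError(f"not an IP address: {host!r}")
    return ["ping", "-c", str(count), host]


def run_ping(host: str) -> subprocess.CompletedProcess:
    """Run ping without a shell; the process output is returned, not echoed."""
    return subprocess.run(ping_argv(host), capture_output=True, text=True,
                          check=False, timeout=10)


def append_suggestion(suggestion: str, menu_path) -> str:
    """Replacement for `echo <param> >> menu.txt` run through a shell.

    The suggestion is written as data; it is never part of a command line.
    Returns the file content after the write so the caller can render it.
    """
    path = Path(menu_path)
    with path.open("a", encoding="utf-8") as fh:
        fh.write(suggestion.rstrip("\n") + "\n")
    return path.read_text(encoding="utf-8")


def quoted_shell_command(suggestion: str) -> str:
    """If a shell really is unavoidable, shlex.quote makes the value one word."""
    return "echo " + shlex.quote(suggestion) + " >> menu.txt"


def demo_append() -> str:
    """Write two suggestions (one with shell metacharacters) to a temp menu."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "menu.txt"  # constructed location for the demo
        append_suggestion("pizza", path)
        return append_suggestion("salad; rm -rf /", path)


if __name__ == "__main__":
    print(ping_argv("8.8.8.8"))
    print(is_valid_ping_target("8.8.8.8; rm -rf /"))
    print(quoted_shell_command("salad; rm -rf /"))
    print(shlex.split(quoted_shell_command("salad; rm -rf /")))
    print(demo_append(), end="")
```

shlex.split() on the quoted command shows why quoting works: the whole suggestion comes back as a single argv element, so the shell would hand it to echo as text rather than parse the semicolon.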

  26. Common attack vectors
      OWASP TOP 10:
      A1 Injection
      A2 Broken Authentication and Session Management
      A3 Cross-Site Scripting (XSS)
      A4 Insecure Direct Object References
      A5 Security Misconfiguration
      A6 Sensitive Data Exposure
      A7 Missing Function Level Access Control
      A8 Cross-Site Request Forgery (CSRF)
      A9 Using Components with Known Vulnerabilities
      A10 Unvalidated Redirects and Forwards

  27. SQL Injection
      @app.route('/filtering')
      def filtering():
          param = request.args.get('param', 'not set')
          Session = sessionmaker(bind=db.engine)
          session = Session()
          result = session.query(User).filter("username={}".format(param))
          for value in result:
              print(value.username, value.email)
          return 'Result is displayed in console.'

  28. Prevent SQL injection attacks
      • NEVER concatenate untrusted inputs in SQL code.
      • Concatenate constant fragments of SQL (literals) with parameter placeholders.
      • cur.execute("SELECT * FROM students WHERE name='%s';" % name)
      • c.execute("SELECT * FROM students WHERE name=(?)", (name,))
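Slides 27 and 28 show the formatted query next to the parameterized one. As an added example (not the talk's code), the block below runs both forms against an in-memory sqlite3 table so the difference is observable: the placeholder version treats the whole input as one string value, while the %-formatted version lets the input change the WHERE clause. The students table and its rows are constructed sample data. For the SQLAlchemy code on slide 27 the equivalent fix is a column expression, session.query(User).filter(User.username == param), which binds param as a parameter.

```python
import sqlite3
from typing import List


def make_demo_db() -> sqlite3.Connection:
    """Constructed sample table for the demonstration."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE students (id INTEGER PRIMARY KEY, name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO students (name, email) VALUES (?, ?)",
        [("alice", "alice@example.org"),
         ("bob", "bob@example.org"),
         ("carol", "carol@example.org")],
    )
    conn.commit()
    return conn


def find_student_unsafe(conn: sqlite3.Connection, name: str) -> List[str]:
    """The slide-28 anti-pattern: the value is spliced into the SQL text.

    Kept only to show the effect; the input becomes part of the grammar of
    the statement, so a quote in `name` rewrites the WHERE clause.
    """
    query = "SELECT name FROM students WHERE name='%s';" % name
    return [row[0] for row in conn.execute(query)]


def find_student_safe(conn: sqlite3.Connection, name: str) -> List[str]:
    """Parameterized form: the driver sends `name` as a bound value.

    Note the parameter container (name,): sqlite3 expects a sequence, and
    passing the bare string would only work by accident for one-character
    names.
    """
    query = "SELECT name FROM students WHERE name=?"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = make_demo_db()
    probe = "x' OR '1'='1"
    print("safe, alice:", find_student_safe(db, "alice"))
    print("safe, probe:", find_student_safe(db, probe))
    print("unsafe, probe:", find_student_unsafe(db, probe))
```

The parameterized query returns nothing for the probe string because no student is literally named x' OR '1'='1; the formatted query returns every row because the same characters were parsed as SQL.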
  29. XSS
      from flask import Flask, request, make_response

      app = Flask(__name__)

      @app.route('/XSS_param', methods=['GET'])
      def XSS():
          param = request.args.get('param', 'not set')
          html = open('templates/XSS_param.html').read()
          resp = make_response(html.replace('{{ param }}', param))
          return resp

      if __name__ == '__main__':
          app.run(debug=True)

  30. XSS: Server Side Template Injection (SSTI)

  31. XSS

  32. XSS

  33. Automated security testing
      Automatic scanning tools:
      • SQLMap: SQL injection
      • XSScrapy: SQL injection and XSS
      Source code analysis tools:
      • Bandit: open source and can be easily integrated with Jenkins CI/CD

  34. SQLMap

  35. SQLMap

  36. Bandit

  37. Bandit

  38. Bandit test plugins

  39. Bandit test plugins

  40. Bandit test plugins

  41. Bandit test plugins

  42. Bandit test plugins

  43. Bandit test plugins
      "SELECT %s FROM derp;" % var
      "SELECT thing FROM " + tab
      "SELECT " + val + " FROM " + tab + …
      "SELECT {} FROM derp;".format(var)
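Slides 36 to 43 cover Bandit and its test plugins, which walk the AST of each file and report matches such as the formatted SQL strings on slide 43. The added example below (mine, not Bandit's code) is a minimal checker in the same style: it parses source with the ast module and flags eval()/exec(), pickle.loads(), subprocess calls with shell=True, and .execute() calls whose first argument builds SQL by %-formatting, concatenation, .format() or an f-string. The source it scans is constructed from the talk's own vulnerable snippets; it is a demonstration of the technique, and real Bandit has many more tests and a configurable severity model.

```python
import ast
from typing import List, Tuple

# Constructed sample source (line numbers start at the blank line after ''').
SAMPLE_SOURCE = '''
import subprocess, pickle
def handler(param, cur, name, var):
    subprocess.call("echo " + param + " >> menu.txt", shell=True)
    cur.execute("SELECT * FROM students WHERE name='%s';" % name)
    cur.execute("SELECT * FROM students WHERE name=(?)", (name,))
    data = pickle.loads(param)
    return eval(param)
'''

SQL_KEYWORDS = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")
DESERIALIZERS = {"pickle.loads", "pickle.load", "cPickle.loads", "cPickle.load"}


def _call_name(func: ast.AST) -> str:
    """Dotted name of a call target: eval, cur.execute, subprocess.call ..."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _call_name(func.value)
        return f"{base}.{func.attr}" if base else func.attr
    return ""


def _has_sql_literal(node: ast.AST) -> bool:
    """True if any string constant under `node` starts with a SQL keyword."""
    for sub in ast.walk(node):
        if isinstance(sub, ast.Constant) and isinstance(sub.value, str):
            if sub.value.lstrip().upper().startswith(SQL_KEYWORDS):
                return True
    return False


def _looks_like_formatted_sql(node: ast.AST) -> bool:
    """Matches the slide-43 shapes: '%' / '+' on a SQL literal, .format(), f-strings."""
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        return _has_sql_literal(node)
    if (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
            and node.func.attr == "format"):
        return _has_sql_literal(node.func.value)
    if isinstance(node, ast.JoinedStr):
        return _has_sql_literal(node)
    return False


def find_dangerous_calls(source: str) -> List[Tuple[int, str]]:
    """Return (line, message) findings, sorted by line, for one source file."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node.func)
        if name in {"eval", "exec"}:
            findings.append((node.lineno, f"use of {name}()"))
        elif name in DESERIALIZERS:
            findings.append((node.lineno, f"{name} deserializes untrusted data"))
        elif name.startswith("subprocess.") or name == "os.system":
            for kw in node.keywords:
                if (kw.arg == "shell" and isinstance(kw.value, ast.Constant)
                        and kw.value.value is True):
                    findings.append((node.lineno, f"{name} called with shell=True"))
        elif name.endswith(".execute") and node.args:
            if _looks_like_formatted_sql(node.args[0]):
                findings.append((node.lineno, "SQL statement built from string formatting"))
    return sorted(findings)


if __name__ == "__main__":
    for line, message in find_dangerous_calls(SAMPLE_SOURCE):
        print(f"line {line}: {message}")
```

The parameterized execute() on line 6 of the sample produces no finding, which is the property a plugin like this must have to be usable in CI: it has to distinguish the slide-28 fix from the anti-pattern, not just grep for "execute".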
  44. Tools

  45. Tools

  46. Other security issues
      Insecure packages

  47. Interesting links
      https://github.com/jmortega/testing_python_security

  48. Interesting links
      https://security.openstack.org/#bandit-static-analysis-for-python
      https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
      https://security.openstack.org/guidelines/dg_avoid-shell-true.html
      https://security.openstack.org/guidelines/dg_parameterize-database-queries.html
      https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
      https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html

  49. (no transcript text on this slide)