Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Testing python security pyconweb

Testing python security pyconweb

Python is a language that in a easy way allows to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase complexity in your applications, it can be easy to introduce potential problems and vulnerabilities.

In this talk José Manuel Ortega will talk about the common security problems in Python code, like remote command execution and SQL injections. Of course he'll show to to prevent against these and other types of vulnerabilities.

https://pyconweb.com/talks/26-05-2019/testing-python-security

jmortegac

May 26, 2019
Tweet

More Decks by jmortegac

Other Decks in Programming

Transcript

  1. Testing python security
    PyconWeb 2019 1 @jmortegac
    Testing Python
    Security
    José Manuel Ortega
    @jmortegac

    View Slide

  2. Testing python security
    PyconWeb 2019 2 @jmortegac
    jmortega.github.io

    View Slide

  3. Testing python security
    PyconWeb 2019 3 @jmortegac
    ● Develop Python scripts for automating security and
    pentesting tasks
    ● Discover the Python standard library's main modules
    used for performing security-related tasks
    ● Automate analytical tasks and the extraction of
    information from servers
    ● Explore processes for detecting and exploiting
    vulnerabilities in servers
    ● Use network software for Python programming
    ● Perform server scripting and port scanning with Python
    ● Identify vulnerabilities in web applications with Python
    ● Use Python to extract metadata and forensics

    View Slide

  4. Testing python security
    PyconWeb 2019 4 @jmortegac

    View Slide

  5. Testing python security
    PyconWeb 2019 5 @jmortegac
    1. Python dangerous functions
    2. Common attack vectors
    3. Static analisys tools
    4. Other security issues

    View Slide

  6. Testing python security
    PyconWeb 2019 6 @jmortegac
    Unsafe python components

    View Slide

  7. Testing python security
    PyconWeb 2019 7 @jmortegac
    Dangerous Python Functions

    View Slide

  8. Testing python security
    PyconWeb 2019 8 @jmortegac
    Security issues
    Here’s a list of handful of other potential issues to
    watch for:
    ● Dangerous python functions like eval()
    ● Serialization and deserialization objects with
    pickle
    ● SQL and JavaScript snippets

    View Slide

  9. Testing python security
    PyconWeb 2019 9 @jmortegac
    Improper input/output validation

    View Slide

  10. Testing python security
    PyconWeb 2019 10 @jmortegac
    eval()
    eval(expression[, globals[, locals]])

    View Slide

  11. Testing python security
    PyconWeb 2019 11 @jmortegac
    eval()
    No globals

    View Slide

  12. Testing python security
    PyconWeb 2019 12 @jmortegac
    eval()
    eval("__import__('os').system('clear')
    ", {})
    eval("__import__('os').system('rm -rf')", {})

    View Slide

  13. Testing python security
    PyconWeb 2019 13 @jmortegac
    eval()
    Refuse access to the builtins

    View Slide

  14. Testing python security
    PyconWeb 2019 14 @jmortegac
    eval()
    https://docs.python.org/3/library/ast.html#ast.liter
    al_eval

    View Slide

  15. Testing python security
    PyconWeb 2019 15 @jmortegac
    Serialization and Deserialization with Pickle
    WARNING: pickle or cPickle are NOT designed as
    safe/secure solution for serialization

    View Slide

  16. Testing python security
    PyconWeb 2019 16 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  17. Testing python security
    PyconWeb 2019 17 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  18. Testing python security
    PyconWeb 2019 18 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  19. Testing python security
    PyconWeb 2019 19 @jmortegac
    Serialization and Deserialization with Pickle

    View Slide

  20. Testing python security
    PyconWeb 2019 20 @jmortegac
    Input injection attacks

    View Slide

  21. Testing python security
    PyconWeb 2019 21 @jmortegac
    Command Injection
    @app.route('/menu',methods =['POST'])
    def menu():
    param = request.form [ ' suggestion ']
    command = ' echo ' + param + ' >> ' + ' menu.txt '
    subprocess.call(command,shell = True)
    with open('menu.txt','r') as f:
    menu = f.read()
    return render_template('command_injection.html',
    menu = menu)

    View Slide

  22. Testing python security
    PyconWeb 2019 22 @jmortegac
    Command Injection
    @app.route('/menu',methods =['POST'])
    def menu():
    param = request.form [ ' suggestion ']
    command = ' echo ' + param + ' >> ' + ' menu.txt '
    subprocess.call(command,shell = False)
    with open('menu.txt','r') as f:
    menu = f.read()
    return render_template('command_injection.html',
    menu = menu)

    View Slide

  23. Testing python security
    PyconWeb 2019 23 @jmortegac
    Command Injection

    View Slide

  24. Testing python security
    PyconWeb 2019 24 @jmortegac
    Command Injection
    >>> ping('8.8.8.8; rm -rf /')
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=6.32 ms
    rm: cannot remove `/bin/dbus-daemon': Permission denied
    rm: cannot remove `/bin/dbus-uuidgen': Permission denied
    rm: cannot remove `/bin/dbus-cleanup-sockets': Permission denied
    rm: cannot remove `/bin/cgroups-mount': Permission denied
    rm: cannot remove `/bin/cgroups-umount': Permission denied
    >>> ping('8.8.8.8; rm -rf /')
    ping: unknown host 8.8.8.8; rm -rf /

    View Slide

  25. Testing python security
    PyconWeb 2019 25 @jmortegac
    shlex module

    View Slide

  26. Testing python security
    PyconWeb 2019 26 @jmortegac
    Common attack vectors
    OWASP TOP 10:
    A1 Injection
    A2 Broken Authentication and Session Management
    A3 Cross-Site Scripting (XSS)
    A4 Insecure Direct Object References
    A5 Security Misconfiguration
    A6 Sensitive Data Exposure
    A7 Missing Function Level Access Control
    A8 Cross-Site Request Forgery (CSRF)
    A9 Using Components with Known Vulnerabilities
    A10 Unvalidated Redirects and Forwards

    View Slide

  27. Testing python security
    PyconWeb 2019 27 @jmortegac
    SQL Injection
    @app.route('/filtering')
    def filtering():
    param = request.args.get('param', 'not set')
    Session = sessionmaker(bind = db.engine)
    session = Session()
    result = session.query(User).filter(" username ={}
    ".format(param))
    for value in result:
    print(value.username , value.email)
    return ' Result is displayed in console.'

    View Slide

  28. Testing python security
    PyconWeb 2019 28 @jmortegac
    Prevent SQL injection attacks
    Prevent SQL injection attacks
    ● NEVER concatenate untrusted inputs in SQL
    code.
    ● Concatenate constant fragments of SQL
    (literals) with parameter placeholders.
    ● cur.execute("SELECT * FROM students
    WHERE name= '%s';" % name)
    ● c.execute("SELECT * from students WHERE
    name=(?)" , name)

    View Slide

  29. Testing python security
    PyconWeb 2019 29 @jmortegac
    XSS
    from flask import Flask , request , make_response
    app = Flask(__name__)
    @app.route ('/XSS_param',methods =['GET ])
    def XSS():
    param = request.args.get('param','not set')
    html = open('templates/XSS_param.html ').read()
    resp = make_response(html.replace('{{ param}}',param))
    return resp
    if __name__ == ' __main__ ':
    app.run(debug = True)

    View Slide

  30. Testing python security
    PyconWeb 2019 30 @jmortegac
    XSS
    Server Side Template Injection (SSTI)

    View Slide

  31. Testing python security
    PyconWeb 2019 31 @jmortegac
    XSS

    View Slide

  32. Testing python security
    PyconWeb 2019 32 @jmortegac
    XSS

    View Slide

  33. Testing python security
    PyconWeb 2019 33 @jmortegac
    Automated security testing
    Automatic Scanning tools:
    ● SQLMap: Sql injection
    ● XSScrapy: Sql injection and XSS
    Source Code Analysis tools:
    ● Bandit: Open Source and can be
    easily integrated with Jenkins CI/CD

    View Slide

  34. Testing python security
    PyconWeb 2019 34 @jmortegac
    SQLMap

    View Slide

  35. Testing python security
    PyconWeb 2019 35 @jmortegac
    SQLMap

    View Slide

  36. Testing python security
    PyconWeb 2019 36 @jmortegac
    Bandit

    View Slide

  37. Testing python security
    PyconWeb 2019 37 @jmortegac
    Bandit

    View Slide

  38. Testing python security
    PyconWeb 2019 38 @jmortegac
    Bandit Test plugins

    View Slide

  39. Testing python security
    PyconWeb 2019 39 @jmortegac
    Bandit Test plugins

    View Slide

  40. Testing python security
    PyconWeb 2019 40 @jmortegac
    Bandit Test plugins

    View Slide

  41. Testing python security
    PyconWeb 2019 41 @jmortegac
    Bandit Test plugins

    View Slide

  42. Testing python security
    PyconWeb 2019 42 @jmortegac
    Bandit Test plugins

    View Slide

  43. Testing python security
    PyconWeb 2019 43 @jmortegac
    Bandit Test plugins
    SELECT %s FROM derp;” % var
    “SELECT thing FROM ” + tab
    “SELECT ” + val + ” FROM ” + tab + …
    “SELECT {} FROM derp;”.format(var)

    View Slide

  44. Testing python security
    PyconWeb 2019 44 @jmortegac
    Tools

    View Slide

  45. Testing python security
    PyconWeb 2019 45 @jmortegac
    Tools

    View Slide

  46. Testing python security
    PyconWeb 2019 46 @jmortegac
    Other security issues
    Insecure packages

    View Slide

  47. Testing python security
    PyconWeb 2019 47 @jmortegac
    Interesting links
    https://github.com/jmortega/testing_python_security

    View Slide

  48. Testing python security
    PyconWeb 2019 48 @jmortegac
    Interesting links
    https://security.openstack.org/#bandit-static-analysis-for-python
    https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
    https://security.openstack.org/guidelines/dg_avoid-shell-true.html
    https://security.openstack.org/guidelines/dg_parameterize-database-querie
    s.html
    https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
    https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin
    g-libraries.html

    View Slide

  49. Testing python security
    PyconWeb 2019 49 @jmortegac

    View Slide