Testing python security pyconweb

Transcript

1. Testing python security PyconWeb 2019 1 @jmortegac Testing Python Security

   José Manuel Ortega @jmortegac

2. Testing python security PyconWeb 2019 2 @jmortegac jmortega.github.io

3. Testing python security PyconWeb 2019 3 @jmortegac • Develop Python

   scripts for automating security and pentesting tasks • Discover the Python standard library's main modules used for performing security-related tasks • Automate analytical tasks and the extraction of information from servers • Explore processes for detecting and exploiting vulnerabilities in servers • Use network software for Python programming • Perform server scripting and port scanning with Python • Identify vulnerabilities in web applications with Python • Use Python to extract metadata and forensics

4. Testing python security PyconWeb 2019 4 @jmortegac

5. Testing python security PyconWeb 2019 5 @jmortegac 1. Python dangerous

   functions 2. Common attack vectors 3. Static analisys tools 4. Other security issues

6. Testing python security PyconWeb 2019 6 @jmortegac Unsafe python components

7. Testing python security PyconWeb 2019 7 @jmortegac Dangerous Python Functions

8. Testing python security PyconWeb 2019 8 @jmortegac Security issues Here’s

   a list of handful of other potential issues to watch for: • Dangerous python functions like eval() • Serialization and deserialization objects with pickle • SQL and JavaScript snippets

9. Testing python security PyconWeb 2019 9 @jmortegac Improper input/output validation

10. Testing python security PyconWeb 2019 10 @jmortegac eval() eval(expression[, globals[,

    locals]])

11. Testing python security PyconWeb 2019 11 @jmortegac eval() No globals

12. Testing python security PyconWeb 2019 12 @jmortegac eval() eval("__import__('os').system('clear') ",

    {}) eval("__import__('os').system('rm -rf')", {})

13. Testing python security PyconWeb 2019 13 @jmortegac eval() Refuse access

    to the builtins

14. Testing python security PyconWeb 2019 14 @jmortegac eval() https://docs.python.org/3/library/ast.html#ast.liter al_eval

15. Testing python security PyconWeb 2019 15 @jmortegac Serialization and Deserialization

    with Pickle WARNING: pickle or cPickle are NOT designed as safe/secure solution for serialization

16. Testing python security PyconWeb 2019 16 @jmortegac Serialization and Deserialization

    with Pickle

17. Testing python security PyconWeb 2019 17 @jmortegac Serialization and Deserialization

    with Pickle

18. Testing python security PyconWeb 2019 18 @jmortegac Serialization and Deserialization

    with Pickle

19. Testing python security PyconWeb 2019 19 @jmortegac Serialization and Deserialization

    with Pickle

20. Testing python security PyconWeb 2019 20 @jmortegac Input injection attacks

21. Testing python security PyconWeb 2019 21 @jmortegac Command Injection @app.route('/menu',methods

    =['POST']) def menu(): param = request.form [ ' suggestion '] command = ' echo ' + param + ' >> ' + ' menu.txt ' subprocess.call(command,shell = True) with open('menu.txt','r') as f: menu = f.read() return render_template('command_injection.html', menu = menu)

22. Testing python security PyconWeb 2019 22 @jmortegac Command Injection @app.route('/menu',methods

    =['POST']) def menu(): param = request.form [ ' suggestion '] command = ' echo ' + param + ' >> ' + ' menu.txt ' subprocess.call(command,shell = False) with open('menu.txt','r') as f: menu = f.read() return render_template('command_injection.html', menu = menu)

23. Testing python security PyconWeb 2019 23 @jmortegac Command Injection

24. Testing python security PyconWeb 2019 24 @jmortegac Command Injection >>>

    ping('8.8.8.8; rm -rf /') 64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=6.32 ms rm: cannot remove `/bin/dbus-daemon': Permission denied rm: cannot remove `/bin/dbus-uuidgen': Permission denied rm: cannot remove `/bin/dbus-cleanup-sockets': Permission denied rm: cannot remove `/bin/cgroups-mount': Permission denied rm: cannot remove `/bin/cgroups-umount': Permission denied >>> ping('8.8.8.8; rm -rf /') ping: unknown host 8.8.8.8; rm -rf /

25. Testing python security PyconWeb 2019 25 @jmortegac shlex module

26. Testing python security PyconWeb 2019 26 @jmortegac Common attack vectors

    OWASP TOP 10: A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards

27. Testing python security PyconWeb 2019 27 @jmortegac SQL Injection @app.route('/filtering')

    def filtering(): param = request.args.get('param', 'not set') Session = sessionmaker(bind = db.engine) session = Session() result = session.query(User).filter(" username ={} ".format(param)) for value in result: print(value.username , value.email) return ' Result is displayed in console.'

28. Testing python security PyconWeb 2019 28 @jmortegac Prevent SQL injection

    attacks Prevent SQL injection attacks • NEVER concatenate untrusted inputs in SQL code. • Concatenate constant fragments of SQL (literals) with parameter placeholders. • cur.execute("SELECT * FROM students WHERE name= '%s';" % name) • c.execute("SELECT * from students WHERE name=(?)" , name)

29. Testing python security PyconWeb 2019 29 @jmortegac XSS from flask

    import Flask , request , make_response app = Flask(__name__) @app.route ('/XSS_param',methods =['GET ]) def XSS(): param = request.args.get('param','not set') html = open('templates/XSS_param.html ').read() resp = make_response(html.replace('{{ param}}',param)) return resp if __name__ == ' __main__ ': app.run(debug = True)

30. Testing python security PyconWeb 2019 30 @jmortegac XSS Server Side

    Template Injection (SSTI)

31. Testing python security PyconWeb 2019 31 @jmortegac XSS

32. Testing python security PyconWeb 2019 32 @jmortegac XSS

33. Testing python security PyconWeb 2019 33 @jmortegac Automated security testing

    Automatic Scanning tools: • SQLMap: Sql injection • XSScrapy: Sql injection and XSS Source Code Analysis tools: • Bandit: Open Source and can be easily integrated with Jenkins CI/CD

34. Testing python security PyconWeb 2019 34 @jmortegac SQLMap

35. Testing python security PyconWeb 2019 35 @jmortegac SQLMap

36. Testing python security PyconWeb 2019 36 @jmortegac Bandit

37. Testing python security PyconWeb 2019 37 @jmortegac Bandit

38. Testing python security PyconWeb 2019 38 @jmortegac Bandit Test plugins

39. Testing python security PyconWeb 2019 39 @jmortegac Bandit Test plugins

40. Testing python security PyconWeb 2019 40 @jmortegac Bandit Test plugins

41. Testing python security PyconWeb 2019 41 @jmortegac Bandit Test plugins

42. Testing python security PyconWeb 2019 42 @jmortegac Bandit Test plugins

43. Testing python security PyconWeb 2019 43 @jmortegac Bandit Test plugins

    SELECT %s FROM derp;” % var “SELECT thing FROM ” + tab “SELECT ” + val + ” FROM ” + tab + … “SELECT {} FROM derp;”.format(var)

44. Testing python security PyconWeb 2019 44 @jmortegac Tools

45. Testing python security PyconWeb 2019 45 @jmortegac Tools

46. Testing python security PyconWeb 2019 46 @jmortegac Other security issues

    Insecure packages

47. Testing python security PyconWeb 2019 47 @jmortegac Interesting links https://github.com/jmortega/testing_python_security

48. Testing python security PyconWeb 2019 48 @jmortegac Interesting links https://security.openstack.org/#bandit-static-analysis-for-python

    https://security.openstack.org/guidelines/dg_use-subprocess-securely.html https://security.openstack.org/guidelines/dg_avoid-shell-true.html https://security.openstack.org/guidelines/dg_parameterize-database-querie s.html https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin g-libraries.html

49. Testing python security PyconWeb 2019 49 @jmortegac