Testing python security pyconweb

Testing python security
PyconWeb 2019 1 @jmortegac
Testing Python
Security
José Manuel Ortega
@jmortegac

View Slide

jmortega.github.io

View Slide

● Develop Python scripts for automating security and
pentesting tasks
● Discover the Python standard library's main modules
used for performing security-related tasks
● Automate analytical tasks and the extraction of
information from servers
● Explore processes for detecting and exploiting
vulnerabilities in servers
● Use network software for Python programming
● Perform server scripting and port scanning with Python
● Identify vulnerabilities in web applications with Python
● Use Python to extract metadata and forensics

View Slide


View Slide

1. Python dangerous functions
2. Common attack vectors
3. Static analisys tools
4. Other security issues

View Slide

Unsafe python components

View Slide

Dangerous Python Functions

View Slide

Security issues
Here’s a list of handful of other potential issues to
watch for:
● Dangerous python functions like eval()
● Serialization and deserialization objects with
pickle
● SQL and JavaScript snippets

View Slide

Improper input/output validation

View Slide

eval()
eval(expression[, globals[, locals]])

View Slide

eval()
No globals

View Slide

eval()
eval("__import__('os').system('clear')
", {})
eval("__import__('os').system('rm -rf')", {})

View Slide

eval()
Refuse access to the builtins

View Slide

eval()
https://docs.python.org/3/library/ast.html#ast.liter
al_eval

View Slide

Serialization and Deserialization with Pickle
WARNING: pickle or cPickle are NOT designed as
safe/secure solution for serialization

View Slide


View Slide

Input injection attacks

View Slide

Command Injection
@app.route('/menu',methods =['POST'])
def menu():
param = request.form [ ' suggestion ']
command = ' echo ' + param + ' >> ' + ' menu.txt '
subprocess.call(command,shell = True)
with open('menu.txt','r') as f:
menu = f.read()
return render_template('command_injection.html',
menu = menu)

View Slide

Command Injection
@app.route('/menu',methods =['POST'])
def menu():
param = request.form [ ' suggestion ']
command = ' echo ' + param + ' >> ' + ' menu.txt '
subprocess.call(command,shell = False)
with open('menu.txt','r') as f:
menu = f.read()
return render_template('command_injection.html',
menu = menu)

View Slide

Command Injection

View Slide

Command Injection
>>> ping('8.8.8.8; rm -rf /')
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=6.32 ms
rm: cannot remove `/bin/dbus-daemon': Permission denied
rm: cannot remove `/bin/dbus-uuidgen': Permission denied
rm: cannot remove `/bin/dbus-cleanup-sockets': Permission denied
rm: cannot remove `/bin/cgroups-mount': Permission denied
rm: cannot remove `/bin/cgroups-umount': Permission denied
>>> ping('8.8.8.8; rm -rf /')
ping: unknown host 8.8.8.8; rm -rf /

View Slide

shlex module

View Slide

Common attack vectors
OWASP TOP 10:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

View Slide

SQL Injection
@app.route('/filtering')
def filtering():
param = request.args.get('param', 'not set')
Session = sessionmaker(bind = db.engine)
session = Session()
result = session.query(User).filter(" username ={}
".format(param))
for value in result:
print(value.username , value.email)
return ' Result is displayed in console.'

View Slide

Prevent SQL injection attacks
Prevent SQL injection attacks
● NEVER concatenate untrusted inputs in SQL
code.
● Concatenate constant fragments of SQL
(literals) with parameter placeholders.
● cur.execute("SELECT * FROM students
WHERE name= '%s';" % name)
● c.execute("SELECT * from students WHERE
name=(?)" , name)

View Slide

XSS
from flask import Flask , request , make_response
app = Flask(__name__)
@app.route ('/XSS_param',methods =['GET ])
def XSS():
param = request.args.get('param','not set')
html = open('templates/XSS_param.html ').read()
resp = make_response(html.replace('{{ param}}',param))
return resp
if __name__ == ' __main__ ':
app.run(debug = True)

View Slide

XSS
Server Side Template Injection (SSTI)

View Slide

XSS

View Slide

Automated security testing
Automatic Scanning tools:
● SQLMap: Sql injection
● XSScrapy: Sql injection and XSS
Source Code Analysis tools:
● Bandit: Open Source and can be
easily integrated with Jenkins CI/CD

View Slide

SQLMap

View Slide

Bandit

View Slide

Bandit Test plugins

View Slide

Bandit Test plugins
SELECT %s FROM derp;” % var
“SELECT thing FROM ” + tab
“SELECT ” + val + ” FROM ” + tab + …
“SELECT {} FROM derp;”.format(var)

View Slide

Tools

View Slide

Other security issues
Insecure packages

View Slide

Interesting links
https://github.com/jmortega/testing_python_security

View Slide

Interesting links
https://security.openstack.org/#bandit-static-analysis-for-python
https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
https://security.openstack.org/guidelines/dg_avoid-shell-true.html
https://security.openstack.org/guidelines/dg_parameterize-database-querie
s.html
https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin
g-libraries.html

View Slide


View Slide

Testing python security pyconweb

Testing python security pyconweb

jmortegac

More Decks by jmortegac

Other Decks in Programming

Featured

Transcript