
Testing python security pyconweb


Python is a language that makes it easy to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as your applications grow in complexity, it is easy to introduce potential problems and vulnerabilities.

In this talk José Manuel Ortega will cover the common security problems in Python code, such as remote command execution and SQL injection. Of course, he'll also show how to prevent these and other types of vulnerabilities.

https://pyconweb.com/talks/26-05-2019/testing-python-security

jmortegac

May 26, 2019


Transcript

  1. Testing python security, PyconWeb 2019, @jmortegac
     • Develop Python scripts for automating security and pentesting tasks
     • Discover the Python standard library's main modules used for performing security-related tasks
     • Automate analytical tasks and the extraction of information from servers
     • Explore processes for detecting and exploiting vulnerabilities in servers
     • Use network software for Python programming
     • Perform server scripting and port scanning with Python
     • Identify vulnerabilities in web applications with Python
     • Use Python to extract metadata and forensics
  2. Agenda
     1. Python dangerous functions
     2. Common attack vectors
     3. Static analysis tools
     4. Other security issues
  3. Security issues
     Here's a list of a handful of other potential issues to watch for:
     • Dangerous Python functions like eval()
     • Serialization and deserialization of objects with pickle
     • SQL and JavaScript snippets
  4. Serialization and Deserialization with Pickle
     WARNING: pickle and cPickle are NOT designed as a safe/secure solution for serialization.
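The defensive pattern behind that warning is the one from the Python pickle documentation: override Unpickler.find_class so that only an allow-list of globals can be resolved, and otherwise prefer a data-only format such as JSON. The following is an added example, not code from the talk; the names RestrictedUnpickler, SAFE_CLASSES, load_restricted and the two sample payloads are ours, and the payloads are constructed in the block itself.

```python
import collections
import io
import json
import pickle

# Only these (module, name) pairs may be resolved while unpickling.
# Everything else (os.system, subprocess.Popen, ...) is refused before
# the pickle stream can instantiate it.
SAFE_CLASSES = {
    ("builtins", "set"),
    ("builtins", "frozenset"),
    ("collections", "OrderedDict"),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from SAFE_CLASSES."""

    def find_class(self, module, name):
        if (module, name) in SAFE_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"global '{module}.{name}' is forbidden")


def load_restricted(data: bytes):
    """Deserialize pickle bytes with the allow-list in force."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_accepted(data: bytes) -> bool:
    """True if the stream only uses allow-listed globals, False otherwise."""
    try:
        load_restricted(data)
        return True
    except pickle.UnpicklingError:
        return False


def roundtrip_json(obj):
    """The alternative for untrusted input: a format with no code references."""
    return json.loads(json.dumps(obj))


# Constructed sample payloads (not real captured data).
# Plain containers need no global lookups, and set is allow-listed.
TRUSTED_SAMPLE = pickle.dumps({"menu": ["pizza", "pasta"], "tags": {"veg"}})
# collections.Counter is a global reference that is not on the allow-list,
# so the restricted loader rejects this stream.
UNTRUSTED_SAMPLE = pickle.dumps(collections.Counter("aab"))

if __name__ == "__main__":
    print("trusted accepted:", is_accepted(TRUSTED_SAMPLE))      # True
    print("untrusted accepted:", is_accepted(UNTRUSTED_SAMPLE))  # False
```

The allow-list only limits which globals a stream may name; it does not make pickle a safe format for data from an untrusted source, which is why the JSON round-trip is shown alongside it.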
  5. Command Injection (vulnerable: shell=True with untrusted input)

     import subprocess
     from flask import request, render_template

     @app.route('/menu', methods=['POST'])
     def menu():
         param = request.form['suggestion']
         command = 'echo ' + param + ' >> ' + 'menu.txt'
         subprocess.call(command, shell=True)  # param is interpreted by the shell
         with open('menu.txt', 'r') as f:
             menu = f.read()
         return render_template('command_injection.html', menu=menu)
  6. Command Injection (fixed: no shell, argument passed as a list)

     import subprocess
     from flask import request, render_template

     @app.route('/menu', methods=['POST'])
     def menu():
         param = request.form['suggestion']
         # With shell=False the command must be an argument list, so the
         # shell redirection '>>' is replaced by opening the file ourselves.
         with open('menu.txt', 'a') as f:
             subprocess.call(['echo', param], shell=False, stdout=f)
         with open('menu.txt', 'r') as f:
             menu = f.read()
         return render_template('command_injection.html', menu=menu)
  7. Command Injection
     The same ping() helper called with shell=True (first) and shell=False (second):

     >>> ping('8.8.8.8; rm -rf /')
     64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=6.32 ms
     rm: cannot remove `/bin/dbus-daemon': Permission denied
     rm: cannot remove `/bin/dbus-uuidgen': Permission denied
     rm: cannot remove `/bin/dbus-cleanup-sockets': Permission denied
     rm: cannot remove `/bin/cgroups-mount': Permission denied
     rm: cannot remove `/bin/cgroups-umount': Permission denied

     >>> ping('8.8.8.8; rm -rf /')
     ping: unknown host 8.8.8.8; rm -rf /
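Slides 5 to 7 make two separate points: without a shell the whole user value reaches the child as one argv element, and the value should still be validated before it is used. The following is an added example, not the talk's code; build_ping_command, echo_without_shell, append_suggestion and append_and_read are our names. The ping command is only built, not executed, and the echo step uses the Python interpreter as the child process so the block runs on any platform.

```python
import ipaddress
import os
import subprocess
import sys
import tempfile


def build_ping_command(host: str) -> list:
    """Return an argv list for ping, accepting only a literal IP address.

    ipaddress.ip_address raises ValueError for '8.8.8.8; rm -rf /', so the
    metacharacters never reach a process at all.
    """
    addr = ipaddress.ip_address(host.strip())
    return ["ping", "-c", "1", str(addr)]


def echo_without_shell(param: str) -> str:
    """Pass the user value as one argument to a child process (no shell).

    The child is the Python interpreter printing sys.argv[1] back, which
    stands in for /bin/echo so the example is portable.
    """
    completed = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", param],
        capture_output=True, text=True, check=True,
    )
    return completed.stdout.rstrip("\n")


def append_suggestion(param: str, path: str) -> None:
    """Slide 6's 'echo ... >> menu.txt' done with plain file I/O."""
    with open(path, "a", encoding="utf-8") as f:
        f.write(param + "\n")


def append_and_read(param: str) -> str:
    """Demo helper: append to a temporary menu.txt and return its contents."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "menu.txt")
        append_suggestion(param, path)
        with open(path, encoding="utf-8") as f:
            return f.read()


if __name__ == "__main__":
    print(build_ping_command("8.8.8.8"))
    # The ';' is just a character inside one argument here:
    print(echo_without_shell("8.8.8.8; rm -rf /"))
    try:
        build_ping_command("8.8.8.8; rm -rf /")
    except ValueError as exc:
        print("rejected:", exc)
```

The argv-list form is what subprocess.call and subprocess.run expect when shell is False; the validation step is separate and still needed, because a program such as ping parses its own arguments.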
  8. Common attack vectors: OWASP TOP 10
     A1  Injection
     A2  Broken Authentication and Session Management
     A3  Cross-Site Scripting (XSS)
     A4  Insecure Direct Object References
     A5  Security Misconfiguration
     A6  Sensitive Data Exposure
     A7  Missing Function Level Access Control
     A8  Cross-Site Request Forgery (CSRF)
     A9  Using Components with Known Vulnerabilities
     A10 Unvalidated Redirects and Forwards
  9. SQL Injection (vulnerable: request parameter formatted into the filter)

     from sqlalchemy.orm import sessionmaker
     from flask import request

     @app.route('/filtering')
     def filtering():
         param = request.args.get('param', 'not set')
         Session = sessionmaker(bind=db.engine)
         session = Session()
         # The raw string becomes part of the WHERE clause unchanged
         result = session.query(User).filter("username={}".format(param))
         for value in result:
             print(value.username, value.email)
         return 'Result is displayed in console.'
  10. Prevent SQL injection attacks
      • NEVER concatenate untrusted inputs in SQL code.
      • Concatenate constant fragments of SQL (literals) with parameter placeholders.
      • Unsafe: cur.execute("SELECT * FROM students WHERE name='%s';" % name)
      • Safe:   c.execute("SELECT * FROM students WHERE name=(?)", (name,))
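To see the difference between the two execute() calls on slide 10 with real rows, the following is an added example (not the talk's code) against an in-memory sqlite3 database with constructed data; make_db, lookup_unsafe and lookup_safe are our names. It also shows why the parameter must be passed as a tuple: the DB-API expects a sequence of values, not a bare string.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample table; the rows are not real data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO students VALUES (?, ?)", [
        ("alice", "alice@example.test"),
        ("bob", "bob@example.test"),
    ])
    return conn


def lookup_unsafe(conn: sqlite3.Connection, name: str) -> list:
    """Slide 10's first form: the value is formatted into the SQL text."""
    cur = conn.execute(
        "SELECT name FROM students WHERE name='%s' ORDER BY name;" % name)
    return [row[0] for row in cur.fetchall()]


def lookup_safe(conn: sqlite3.Connection, name: str) -> list:
    """Slide 10's second form: a placeholder plus a one-element tuple.

    The driver binds the value, so it is always compared as data and can
    never change the shape of the query.
    """
    cur = conn.execute(
        "SELECT name FROM students WHERE name=(?) ORDER BY name;", (name,))
    return [row[0] for row in cur.fetchall()]


if __name__ == "__main__":
    conn = make_db()
    probe = "' OR '1'='1"          # classic test input from the injection literature
    print(lookup_unsafe(conn, "alice"))  # ['alice']
    print(lookup_unsafe(conn, probe))    # ['alice', 'bob']: WHERE clause rewritten
    print(lookup_safe(conn, probe))      # []: no student is literally named that
```

The same rule carries over to the SQLAlchemy code on slide 9: use filter(User.username == param) or a bound parameter in text() instead of str.format on the filter string.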
  11. XSS (vulnerable: parameter substituted into HTML without escaping)

      from flask import Flask, request, make_response

      app = Flask(__name__)

      @app.route('/XSS_param', methods=['GET'])
      def XSS():
          param = request.args.get('param', 'not set')
          html = open('templates/XSS_param.html').read()
          resp = make_response(html.replace('{{ param }}', param))
          return resp

      if __name__ == '__main__':
          app.run(debug=True)
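The fix for slide 11 is to escape the value before it is placed in HTML (which Flask's render_template does automatically for Jinja2 templates ending in .html; the slide bypasses that by reading the file and calling str.replace itself). The following is an added example, not the talk's code; TEMPLATE is a constructed stand-in for templates/XSS_param.html, and render_unsafe and render_escaped are our names.

```python
import html

# Constructed stand-in for the slide's templates/XSS_param.html.
TEMPLATE = "<html><body><p>Your value: {{ param }}</p></body></html>"


def render_unsafe(param: str) -> str:
    """The slide's pattern: raw substitution, so markup in param is rendered."""
    return TEMPLATE.replace("{{ param }}", param)


def render_escaped(param: str) -> str:
    """Escape <, >, &, ' and " so param is shown as text, not parsed as HTML."""
    return TEMPLATE.replace("{{ param }}", html.escape(param, quote=True))


if __name__ == "__main__":
    sample = "<b>bold</b> & \"quoted\""   # constructed input
    print(render_unsafe(sample))
    print(render_escaped(sample))
```

html.escape covers text content and quoted attribute values; a value placed inside a script block, a URL or a CSS context needs the encoding for that context, which is the reason to keep values in templates rather than building HTML by hand.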
  12. Automated security testing
      Automatic scanning tools:
      • SQLMap: SQL injection
      • XSScrapy: SQL injection and XSS
      Source code analysis tools:
      • Bandit: open source and can be easily integrated with Jenkins CI/CD
  13. Bandit test plugins
      Patterns of SQL string building that the plugins flag:

      "SELECT %s FROM derp;" % var
      "SELECT thing FROM " + tab
      "SELECT " + val + " FROM " + tab + …
      "SELECT {} FROM derp;".format(var)
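Bandit's SQL plugin works on the parsed syntax tree rather than on text, which is why it can catch all four shapes above. As an added illustration, not Bandit's own source, here is a small ast-based checker that flags the same patterns (plus f-strings) in a constructed sample; find_sql_string_building, SQL_PREFIXES and SAMPLE are our names. It reports line numbers relative to the source string it is given.

```python
import ast

# Statement keywords that mark a string literal as SQL.
SQL_PREFIXES = ("SELECT ", "INSERT ", "UPDATE ", "DELETE ")


def _is_sql_literal(node) -> bool:
    return (isinstance(node, ast.Constant) and isinstance(node.value, str)
            and node.value.lstrip().upper().startswith(SQL_PREFIXES))


def _leftmost(node):
    """Follow the left operands of a '+' chain to its first term, so that
    "SELECT " + val + " FROM " + tab is recognised by its leading literal."""
    while isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add):
        node = node.left
    return node


def find_sql_string_building(source: str) -> list:
    """Return sorted (lineno, kind) pairs for SQL built from variables."""
    findings = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.BinOp) and isinstance(node.op, ast.Mod) \
                and _is_sql_literal(node.left):
            findings.add((node.lineno, "% formatting"))
        elif isinstance(node, ast.BinOp) and isinstance(node.op, ast.Add) \
                and _is_sql_literal(_leftmost(node)):
            # Nested '+' nodes share a line; the set collapses the duplicates.
            findings.add((node.lineno, "string concatenation"))
        elif (isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute)
              and node.func.attr == "format" and _is_sql_literal(node.func.value)):
            findings.add((node.lineno, ".format()"))
        elif isinstance(node, ast.JoinedStr) and node.values \
                and _is_sql_literal(node.values[0]):
            findings.add((node.lineno, "f-string"))
    return sorted(findings)


# Constructed sample: the slide's shapes plus an f-string and one safe call.
SAMPLE = '''
cur.execute("SELECT %s FROM derp;" % var)
cur.execute("SELECT thing FROM " + tab)
cur.execute("SELECT " + val + " FROM " + tab + " WHERE id = 1")
cur.execute("SELECT {} FROM derp;".format(var))
cur.execute(f"SELECT {col} FROM derp;")
cur.execute("SELECT name FROM derp WHERE id = ?", (row_id,))
'''

if __name__ == "__main__":
    for lineno, kind in find_sql_string_building(SAMPLE):
        print(f"line {lineno}: SQL built with {kind}")
```

Like Bandit's own plugin, a checker of this kind is a heuristic: it keys on the leading SQL keyword and will miss queries assembled from fragments that do not start with one, so it complements rather than replaces the parameterization rule on slide 10.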
  14. Interesting links
      https://security.openstack.org/#bandit-static-analysis-for-python
      https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
      https://security.openstack.org/guidelines/dg_avoid-shell-true.html
      https://security.openstack.org/guidelines/dg_parameterize-database-queries.html
      https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
      https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsing-libraries.html