Sichere Web-Applikationen am Beispiel von Django

Transcript

1. Sichere Web-Applikationen am Beispiel von Django Markus Zapke-Gründemann LinuxTag 2014

2. Markus Zapke-Gründemann Softwareentwickler seit 2001 Python, Django und Mercurial Inhaber

   von transcode Vorstand des Deutschen Django-Vereins keimlink.de // @keimlink

3. Einführung

4. Django Python Web-Application Framework Open Source (BSD-Lizenz) Rapid Development Model

   Template View (MTV) Object Relational Mapper (ORM) www.djangoproject.com

5. OWASP Open Web Application Security Project Non-Profit-Organisation Alle Materialien unter

   freier Lizenz www.owasp.org

6. OWASP Top 10 https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

7. OWASP Top 10

8. OWASP Top 10 1. Injection

9. OWASP Top 10 1. Injection 2. Broken Authentication and Session

   Management

10. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS)

11. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References

12. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration


13. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
 6. Sensitive Data Exposure

14. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
 6. Sensitive Data Exposure 7. Missing Function Level Access Control

15. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF)

16. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities

17. OWASP Top 10 1. Injection 2. Broken Authentication and Session

    Management 3. Cross-Site Scripting (XSS) 4. Insecure Direct Object References 5. Security Misconfiguration
 6. Sensitive Data Exposure 7. Missing Function Level Access Control 8. Cross-Site Request Forgery (CSRF) 9. Using Components with Known Vulnerabilities 10.Unvalidated Redirects and Forwards

18. SQL Injection >>> cmd = "UPDATE animals SET name='%s' WHERE

    id='%s'" % (name, id) >>> cursor.execute(cmd)

19. SQL Injection Exploits of a Mom by Randall Munroe (cc-by-nc)

20. SQL Injection Exploits of a Mom by Randall Munroe (cc-by-nc)

    Datenbank-Eingaben bereinigen!

21. SQL Injection >>> from animals.models import Animal >>> Animal.objects.filter(id=id).update(name=name)

22. Broken Authentication and Session Management http://example.com/sale/saleitems;sessionid= 2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii

23. Cross-Site Scripting (XSS) <h3>Preparation</h3> {{ recipe.preparation }} ! <script>alert('The best

    recipe in the world!')</script> Heat the water in the pot to 100 °C. ! <p>&lt;script&gt;alert(&#39;The best recipe in the <world!&#39;)&lt;/script&gt;</p> <p>Heat the water in the pot to 100 °C.</p>

24. Cross-Site Scripting (XSS) <h3>Preparation</h3> {{ recipe.preparation|safe }} ! <script>alert('The best

    recipe in the world!')</script> Heat the water in the pot to 100 °C. ! <p><script>alert('The best recipe in the world!')</ script></p> <p>Heat the water in the pot to 100 °C.</p>

25. Security Misconfiguration DEBUG = True

26. Sensitive Data Exposure >>> from django.contrib.auth.models import User >>> User.objects.get(pk=1).password

    u'pbkdf2_sha256$10000$sDN75YuuoUWi$Ua/ H364jPAPTPBiAyJ1fc0uB4ClzQD5yGFisYrxCo40='

27. Cross-Site Request Forgery (CSRF) http://example.com/app/transferFunds? amount=1500 &destinationAccount=4673243243

28. Cross-Site Request Forgery (CSRF) <form method="post" accept-charset="utf-8"> {{ form.as_p }}

    {% csrf_token %} <input type="submit" value="Submit"/> </form>

29. Cross-Site Request Forgery (CSRF) <form method="post" accept-charset="utf-8"> ... <input type='hidden'

    name='csrfmiddlewaretoken' value='gB3bL3MU2fr8BCQXXrNV6pfS7GJYBdU0' /> <p><input type="submit" value="Submit" / ></p> </form>

30. Clickjacking X-Frame-Options Header aktivieren: MIDDLEWARE_CLASSES = ( ... 'django.middleware.clickjacking.XFrameOptionsMiddleware', ...

    )

31. Information Leakage

32. Werkzeuge OWASP Cheat Sheet Series HackBar Tamper Data sqlmap Scapy

    dsniff

33. Django Apps django-secure django-configurations

34. Code sicher(er) machen Code Review Security Scanner Security Audit

35. Danke! ! www.transcode.de @keimlink