Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Finding Vulnerabilities with Bandit

Kevin London
September 24, 2015
Programming
0
750

Finding Vulnerabilities with Bandit

Security is tough. It’s so easy to forget something or get a couple of things wrong. The stakes have also never been higher - announcements about a company getting hacked come out weekly. So what can we do?

One part of the solution is tooling. OpenStack’s security team created Bandit to help them solve the problem of doing security reviews on 18+ projects. It’s an open source tool that we can use to scan our code and find out if we’re calling insecure or deprecated functions.

In these slides, I cover some of my findings from running Bandit on 16 popular open-source Python projects as well as some of the potential security flaws that Bandit can identify.

I originally gave this talk at a SoCal Python meetup.

Kevin London

September 24, 2015
Tweet

More Decks by Kevin London

See All by Kevin London
Two Trains and Other Refactoring Analogies
kevinlondon
0
530
Introduction to Code Reviews
kevinlondon
1
1k

Other Decks in Programming

See All in Programming
카카오페이는 어떻게 수천만 결제를 처리할까? 우아한 결제 분산락 노하우
kakao
PRO
0
110
[PyCon Korea 2024 Keynote] 커뮤니티와 파이썬, 그리고 우리
beomi
0
120
とにかくAWS GameDay!AWSは世界の共通言語! / Anyway, AWS GameDay! AWS is the world's lingua franca!
seike460
PRO
1
820
Tuning GraphQL on Rails
pyama86
2
1.2k
ふかぼれ!CSSセレクターモジュール / Fukabore! CSS Selectors Module
petamoriken
0
150
CPython 인터프리터 구조 파헤치기 - PyCon Korea 24
kennethanceyer
0
250
Why Jakarta EE Matters to Spring - and Vice Versa
ivargrimstad
0
830
TypeScriptでライブラリとの依存を限定的にする方法
tutinoko
2
490
役立つログに取り組もう
irof
28
9.5k
ピラミッド、アイスクリームコーン、SMURF: 自動テストの最適バランスを求めて / Pyramid Ice-Cream-Cone and SMURF
twada
PRO
10
1.2k
ECS Service Connectのこれまでのアップデートと今後のRoadmapを見てみる
tkikuc
2
240
EventSourcingの理想と現実
wenas
6
2.3k

Featured

See All Featured
The MySQL Ecosystem @ GitHub 2015
samlambert
250
12k
Put a Button on it: Removing Barriers to Going Fast.
kastner
59
3.5k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
27
4.2k
Save Time (by Creating Custom Rails Generators)
garrettdimon
PRO
27
830
Measuring & Analyzing Core Web Vitals
bluesmoon
3
80
Large-scale JavaScript Application Architecture
addyosmani
510
110k
The Power of CSS Pseudo Elements
geoffreycrofte
73
5.3k
Mobile First: as difficult as doing things right
swwweet
222
8.9k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
rmw
31
2.7k
YesSQL, Process and Tooling at Scale
rocio
168
14k
Building Adaptive Systems
keathley
38
2.3k
Easily Structure & Communicate Ideas using Wireframe
afnizarnur
191
16k

Transcript

  1. Finding Vulnerabilities with Bandit Kevin London www.kevinlondon.com @kevin_london

  2. None

  3. Two kinds of big companies:

  4. Two kinds of big companies: 1. Those that have been

    hacked

  5. Two kinds of big companies: 1. Those that have been

    hacked 2. Those who don’t know they have been hacked

  6. Companies hacked in 2015 (so far)

  7. 22 million people
 5 million fingerprints

  8. 30 million men 10 thousand women

  9. 300K tax accounts

  10. 300K tax accounts

  11. 1.4 million Jeeps

  12. 80 million people

  13. None

  14. Security is hard.

  15. “That will never happen to me.”

  16. Let’s talk about Bandit.

  17. None

  18. Bandit is an open-source security linter.

  19. Created by

  20. How to install:

  21. How to run:

  22. I did an experiment.

  23. None

  24. Experiment Notes

  25. Experiment Notes I scanned 16 open-source Python projects with Bandit.

  26. Experiment Notes 11 had potential security issues.

  27. Experiment Notes 9 fixes / pull requests 6 issues raised

  28. Experiment Notes Identifying details have been removed to protect the

    innocent.

  29. Issues found:

  30. Assertions

  31. 70 @percent.setter 71 def percent(self, value): 72 assert value >=

    0 73 assert value <= 100 Assertions

  32. >> Issue: Use of assert detected. The enclosed code will

    be removed when compiling to optimised byte code. 70 @percent.setter 71 def percent(self, value): 72 assert value >= 0 73 assert value <= 100 Assertions

  33. Opening URLs

  34. 165 try: 166 conn = urllib2.urlopen(request) Opening URLs

  35. >> Issue: Audit url open for permitted schemes. Allowing use

    of file:/ or custom schemes is often unexpected. 165 try: 166 conn = urllib2.urlopen(request) Opening URLs

  36. Requests

  37. 206 resp = requests.get(uri, verify=False) Requests

  38. >> Issue: Requests call with verify=False disabling SSL certificate checks,

    security issue. 206 resp = requests.get(uri, verify=False) Requests

  39. Shell Commands

  40. 87 # Create ECC privatekey 88 proc = subprocess.Popen( 89

    “openssl -genkey -out %s" % key_path, 90 shell=True, 91 ) Shell Commands

  41. >> Issue: subprocess call with shell=True identified, security issue. 87

    # Create ECC privatekey 88 proc = subprocess.Popen( 89 “openssl -genkey -out %s" % key_path, 90 shell=True, 91 ) Shell Commands

  42. Temporary Files

  43. 291 listpath = tempfile.mktemp(“.tmp") Temporary Files

  44. >> Issue: Use of insecure and deprecated function (mktemp). 291

    listpath = tempfile.mktemp(“.tmp") Temporary Files

  45. Loading XML

  46. 47 root = ElementTree.fromstring(content) Loading XML

  47. >> Issue: Using ElementTree.fromstring to parse untrusted XML data is

    known to be vulnerable to XML attacks. Replace with its defusedxml equivalent function. 47 root = ElementTree.fromstring(content) Loading XML

  48. <?xml version="1.0"?> <!DOCTYPE lolz [ <!ENTITY lol "lol"> <!ELEMENT lolz

    (#PCDATA)> <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;"> <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;"> <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;"> <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;"> <lolz>&lol4;</lolz> Loading XML Billion Laughs Attack

  49. Deserializing

  50. 446 yamlFile = open(yamlPath) 447 regexes = yaml.load(yamlFile) Deserializing

  51. >> Issue: Use of unsafe yaml load. Allows instantiation of

    arbitrary objects. Consider yaml.safe_load(). 446 yamlFile = open(yamlPath) 447 regexes = yaml.load(yamlFile) Deserializing

  52. Deserializing

  53. Deserializing 42 def loads(self, value): 43 return pickle.loads(value)

  54. Deserializing >> Issue: Pickle library appears to be in use,

    possible security issue. 42 def loads(self, value): 43 return pickle.loads(value)
  55. None
  56. None

  57. Deserializing

  58. Deserializing 89 def unpack_db_value(self, val): 92 return marshal.loads(val)

  59. Deserializing >> Issue: Deserialization with the marshal module is possibly

    dangerous. 89 def unpack_db_value(self, val): 92 return marshal.loads(val)

  60. Everyone makes mistakes.

  61. Security Recommendations

  62. Keep it simple.

  63. Don’t give up.

  64. Look for security flaws during code reviews.

  65. Use Bandit to check your third-party libraries.

  66. Use Bandit to participate in open-source.

  67. Use Bandit in your CI pipeline.

  68. Use Bandit to improve your projects.

  69. Bandit https://github.com/openstack/bandit Kevin London www.kevinlondon.com @kevin_london Slides http://bit.ly/python-bandit