Oh, I Found a Security Issue (DjangoCPH 2018)

Transcript

1. Oh, I Found a
   Security Issue
   #DjangoCPH 2018 • @m_holtermann
   

   View Slide

2. I’m Markus Holtermann
   @m_holtermann • github.com/MarkusH • markusholtermann.eu
   @laterpay • laterpay.net
   • Django Core Developer
   • Software Engineer at
   

   View Slide

3. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT)
   From: Tim Graham <*****@gmail.com>
   To: django-announce
   Subject: [django-announce] Django security releases issued: 1.10.7,
   1.9.13, and 1.8.18
   Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our
   security process. These releases address two security issues, and we
   encourage all users to upgrade as soon as possible:
   https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
   As a reminder, we ask that potential security issues be reported via
   private email to [email protected] and not via Django's Trac
   instance or the django-developers list. Please see
   https://www.djangoproject.com/security for further information.
   

   View Slide

4. Django’s Security
   Policy
   https://docs.djangoproject.com/en/dev/internals/security/
   

   View Slide

5. Django’s Security
   Report & Release
   Process
   

   View Slide

6. Report to
   [email protected]
   

   View Slide

7. Assessing the reported issue
   

   View Slide

8. Fixing the issue
   

   View Slide

9. Confirming the fix
   

   View Slide

10. Pre-notification
    

    View Slide

11. Release
    

    View Slide

12. Announcement
    

    View Slide

13. Bounty
    

    View Slide

14. How to apply this?
    

    View Slide

15. ● Setup reporting channel
    

    View Slide

16. ● Setup reporting channel
    ● Monitor reporting channel
    

    View Slide

17. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    

    View Slide

18. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    ● Release & Announce
    

    View Slide

19. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    ● Release & Announce
    ● Learn from it
    

    View Slide

20. Django’s History
    https://docs.djangoproject.com/en/dev/releases/security/
    

    View Slide

21. Reassuringly secure.
    Django takes security seriously and
    helps developers avoid many
    common security mistakes.
    

    View Slide

22. Number of CVEs per year
    

    View Slide

23. CVEs per classification
    

    View Slide

24. XSS
    Cross Site Scripting
    var json = {{ data|json.dumps|safe }};
    

    View Slide

25. <br/>var json = JSON.parse(“{{ data | escapejs }}”);<br/>
    https://code.djangoproject.com/ticket/17419
    Avoiding XSS
    

    View Slide

26. 
    In your .js file (with jQuery)
    $(‘#json2’).data(‘foo’)
    https://code.djangoproject.com/ticket/17419
    Avoiding XSS
    

    View Slide

27. CSRF
    Cross Site Request Forgery
    
    

    View Slide

28. DoS
    Denial of Service
    

    View Slide

29. Unvalidated Redirects
    http://yoursite.eu/login?next=mysite.eu
    

    View Slide

30. Header Poisoning
    POST /password_reset/ HTTP/1.1
    Host: somethingevil.com
    Content-Type: …urlencoded
    email=your_email&action=reset
    

    View Slide

31. RCE
    Remote Code Execution
    pickle.loads("cposix\nsystem\np0\n(S'ls'…")
    exec/eval
    

    View Slide

32. Authentication/Authorization
    Failure
    @login_required()
    def delete_user(request, uid):
    User.objects.filter(id=uid).delete()
    return redirect(‘index’)
    

    View Slide

33. Directory Traversal
    os.path.join(MEDIA_ROOT, “../../settings.py”)
    

    View Slide

34. Information Leakage
    

    View Slide

35. OWASP Top 10
    https://www.owasp.org/
    

    View Slide

36. Thank you!
    Also thanks to @fapolloner
    who helped me prep this talk
    @m_holtermann
    

    View Slide

37. [email protected]
    [email protected]
    [email protected]
    [email protected]
    

    View Slide