Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Oh, I Found a Security Issue (DjangoCPH 2018)

Oh, I Found a Security Issue (DjangoCPH 2018)

An extended version of my PyCon CA 2017 talk, mixed with a shortened version of my DjangoCon AU 2017 talk.

Markus H

March 17, 2018

More Decks by Markus H

Other Decks in Programming


  1. Oh, I Found a Security Issue #DjangoCPH 2018 • @m_holtermann

  2. I’m Markus Holtermann @m_holtermann • github.com/MarkusH • markusholtermann.eu @laterpay •

    laterpay.net • Django Core Developer • Software Engineer at
  3. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT) From: Tim

    Graham <*****@gmail.com> To: django-announce <django-announce@googlegroups.com> Subject: [django-announce] Django security releases issued: 1.10.7, 1.9.13, and 1.8.18 Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our security process. These releases address two security issues, and we encourage all users to upgrade as soon as possible: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ As a reminder, we ask that potential security issues be reported via private email to security@djangoproject.com and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.
  4. Django’s Security Policy https://docs.djangoproject.com/en/dev/internals/security/

  5. Django’s Security Report & Release Process

  6. Report to security@djangoproject.com

  7. Assessing the reported issue

  8. Fixing the issue

  9. Confirming the fix

  10. Pre-notification

  11. Release

  12. Announcement

  13. Bounty

  14. How to apply this?

  15. • Setup reporting channel

  16. • Setup reporting channel • Monitor reporting channel

  17. • Setup reporting channel • Monitor reporting channel • Fix

    the issue
  18. • Setup reporting channel • Monitor reporting channel • Fix

    the issue • Release & Announce
  19. • Setup reporting channel • Monitor reporting channel • Fix

    the issue • Release & Announce • Learn from it
  20. Django’s History https://docs.djangoproject.com/en/dev/releases/security/

  21. Reassuringly secure. Django takes security seriously and helps developers avoid

    many common security mistakes.
  22. Number of CVEs per year

  23. CVEs per classification

  24. XSS Cross Site Scripting var json = {{ data|json.dumps|safe }};

  25. <script> var json = JSON.parse(“{{ data | escapejs }}”); </script>

    https://code.djangoproject.com/ticket/17419 Avoiding XSS
  26. <div data-foo=”{{ data }}” id=”json2”></div> In your .js file (with

    jQuery) $(‘#json2’).data(‘foo’) https://code.djangoproject.com/ticket/17419 Avoiding XSS
  27. CSRF Cross Site Request Forgery <img src=”http://mybank.at/?transfer=3.14€”/>

  28. DoS Denial of Service

  29. Unvalidated Redirects http://yoursite.eu/login?next=mysite.eu

  30. Header Poisoning POST /password_reset/ HTTP/1.1 Host: somethingevil.com Content-Type: …urlencoded email=your_email&action=reset

  31. RCE Remote Code Execution pickle.loads("cposix\nsystem\np0\n(S'ls'…") exec/eval

  32. Authentication/Authorization Failure @login_required() def delete_user(request, uid): User.objects.filter(id=uid).delete() return redirect(‘index’)

  33. Directory Traversal os.path.join(MEDIA_ROOT, “../../settings.py”)

  34. Information Leakage

  35. OWASP Top 10 https://www.owasp.org/

  36. Thank you! Also thanks to @fapolloner who helped me prep

    this talk @m_holtermann
  37. django-announce@googlegroups.com django-developers@googlegroups.com django-users@googlegroups.com oss-security@lists.openwall.com