Oh, I Found a Security Issue (DjangoCPH 2018)

Transcript

1. Oh, I Found a Security Issue #DjangoCPH 2018 • @m_holtermann

2. I’m Markus Holtermann @m_holtermann • github.com/MarkusH • markusholtermann.eu @laterpay •

   laterpay.net • Django Core Developer • Software Engineer at

3. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT) From: Tim

   Graham <*****@gmail.com> To: django-announce <[email protected]> Subject: [django-announce] Django security releases issued: 1.10.7, 1.9.13, and 1.8.18 Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our security process. These releases address two security issues, and we encourage all users to upgrade as soon as possible: https://www.djangoproject.com/weblog/2017/apr/04/security-releases/ As a reminder, we ask that potential security issues be reported via private email to [email protected] and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

4. Django’s Security Policy https://docs.djangoproject.com/en/dev/internals/security/

5. Django’s Security Report & Release Process

6. Report to [email protected]

7. Assessing the reported issue

8. Fixing the issue

9. Confirming the fix

10. Pre-notification

11. Release

12. Announcement

13. Bounty

14. How to apply this?

15. • Setup reporting channel

16. • Setup reporting channel • Monitor reporting channel

17. • Setup reporting channel • Monitor reporting channel • Fix

    the issue

18. • Setup reporting channel • Monitor reporting channel • Fix

    the issue • Release & Announce

19. • Setup reporting channel • Monitor reporting channel • Fix

    the issue • Release & Announce • Learn from it

20. Django’s History https://docs.djangoproject.com/en/dev/releases/security/

21. Reassuringly secure. Django takes security seriously and helps developers avoid

    many common security mistakes.

22. Number of CVEs per year

23. CVEs per classification

24. XSS Cross Site Scripting var json = {{ data|json.dumps|safe }};

25. <script> var json = JSON.parse(“{{ data | escapejs }}”); </script>

    https://code.djangoproject.com/ticket/17419 Avoiding XSS

26. <div data-foo=”{{ data }}” id=”json2”></div> In your .js file (with

    jQuery) $(‘#json2’).data(‘foo’) https://code.djangoproject.com/ticket/17419 Avoiding XSS

27. CSRF Cross Site Request Forgery <img src=”http://mybank.at/?transfer=3.14€”/>

28. DoS Denial of Service

29. Unvalidated Redirects http://yoursite.eu/login?next=mysite.eu

30. Header Poisoning POST /password_reset/ HTTP/1.1 Host: somethingevil.com Content-Type: …urlencoded email=your_email&action=reset

31. RCE Remote Code Execution pickle.loads("cposix\nsystem\np0\n(S'ls'…") exec/eval

32. Authentication/Authorization Failure @login_required() def delete_user(request, uid): User.objects.filter(id=uid).delete() return redirect(‘index’)

33. Directory Traversal os.path.join(MEDIA_ROOT, “../../settings.py”)

34. Information Leakage

35. OWASP Top 10 https://www.owasp.org/

36. Thank you! Also thanks to @fapolloner who helped me prep

    this talk @m_holtermann

37. [email protected] [email protected] [email protected] [email protected]