
Oh, I Found a Security Issue (DjangoCPH 2018)

An extended version of my PyCon CA 2017 talk, mixed with a shortened version of my DjangoCon AU 2017 talk.

Markus H

March 17, 2018

Transcript

  1. Oh, I Found a Security Issue
    #DjangoCPH 2018 • @m_holtermann

  2. I’m Markus Holtermann
    @m_holtermann • github.com/MarkusH • markusholtermann.eu
    • Django Core Developer
    • Software Engineer at @laterpay • laterpay.net

  3. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT)
    From: Tim Graham <*****@gmail.com>
    To: django-announce
    Subject: [django-announce] Django security releases issued: 1.10.7, 1.9.13, and 1.8.18
    Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our
    security process. These releases address two security issues, and we
    encourage all users to upgrade as soon as possible:
    https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
    As a reminder, we ask that potential security issues be reported via
    private email to [email protected] and not via Django's Trac
    instance or the django-developers list. Please see
    https://www.djangoproject.com/security for further information.

  4. Django’s Security Policy
    https://docs.djangoproject.com/en/dev/internals/security/

  5. Django’s Security Report & Release Process

  6. [image-only slide]

  7. Assessing the reported issue

  8. Fixing the issue

  9. Confirming the fix

  10. Pre-notification

  11. Release

  12. Announcement

  13. Bounty

  14. How to apply this?

  15–19. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    ● Release & Announce
    ● Learn from it

  20. Django’s History
    https://docs.djangoproject.com/en/dev/releases/security/

  21. Reassuringly secure.
    Django takes security seriously and
    helps developers avoid many
    common security mistakes.

  22. Number of CVEs per year

  23. CVEs per classification

  24. XSS
    Cross Site Scripting
    var json = {{ data|json.dumps|safe }};

  25. Avoiding XSS
    var json = JSON.parse("{{ data|escapejs }}");
    https://code.djangoproject.com/ticket/17419

  26. Avoiding XSS
    In your .js file (with jQuery)
    $('#json2').data('foo')
    https://code.djangoproject.com/ticket/17419

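The three slides above show the same problem from both sides: `json.dumps` output marked `|safe` lands verbatim in the script body, while `escapejs` or a `data-` attribute keep attacker-controlled strings from ending the `<script>` element. The following is an added example, not code from the talk or from Django; it uses only the standard library and a constructed payload, and `PAYLOAD`, `escape_json_for_script` and `data_attribute_value` are names chosen here. The `\uXXXX` escaping is the same idea Django's `json_script` filter (ticket 17419) later adopted.

```python
import html
import json

# Constructed attacker-controlled input: a value that closes the inline
# <script> element the template wrote and opens a new one.
PAYLOAD = {"name": "</script><script>alert(document.cookie)</script>"}


def inline_json_unsafe(data):
    """Slide 24: json.dumps output marked |safe is pasted verbatim into the
    script body, so a '</script>' inside a string value ends the script early."""
    return "<script>var json = %s;</script>" % json.dumps(data)


def escape_json_for_script(data):
    """Escape the characters that can break out of a <script> body.
    \\uXXXX escapes are valid in JSON and in JavaScript, so the client still
    gets the same value, but the HTML parser never sees '</script>'."""
    text = json.dumps(data)
    for char, esc in (("<", "\\u003c"), (">", "\\u003e"), ("&", "\\u0026")):
        text = text.replace(char, esc)
    return text


def inline_json_safe(data):
    return "<script>var json = %s;</script>" % escape_json_for_script(data)


def data_attribute_value(data):
    """Slide 26: keep the JSON out of the script entirely and hand it over in a
    data- attribute. html.escape turns '"', '<', '>' and '&' into entities; the
    browser unescapes them before $('#json2').data('foo') parses the JSON."""
    return html.escape(json.dumps(data), quote=True)


def data_attribute_markup(data):
    return '<div id="json2" data-foo="%s"></div>' % data_attribute_value(data)


def decode_script_json(text):
    """What the browser's JSON.parse would see for the escaped text."""
    return json.loads(text)


def decode_attribute_json(value):
    """What jQuery's .data() sees after the HTML parser has unescaped the attribute."""
    return json.loads(html.unescape(value))


def script_breakout_count(markup):
    """Number of '</script>' tags beyond the one the template itself wrote."""
    return markup.count("</script>") - 1
```

Run `script_breakout_count` over the two inline variants to see the difference: the unescaped one contains two extra `</script>` tags from the payload, the escaped one none, and both decoders return the original dict.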
  27. CSRF
    Cross Site Request Forgery

  28. DoS
    Denial of Service

  29. Unvalidated Redirects
    http://yoursite.eu/login?next=mysite.eu

  30. Header Poisoning
    POST /password_reset/ HTTP/1.1
    Host: somethingevil.com
    Content-Type: …urlencoded
    email=your_email&action=reset

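Slides 29 and 30 are two faces of one mistake: trusting a host name the client chose, either in `?next=` or in the `Host` header that ends up as the domain of the password-reset link. Both are caught by the same check, so one added example covers both. This is not code from the talk or from Django; `ALLOWED_HOSTS`, `safe_next` and `password_reset_base` are names chosen here, and the allow-list is constructed. The leading-dot convention for subdomains follows Django's `ALLOWED_HOSTS` setting. Note that the slide's literal `next=mysite.eu` is, to a browser, a relative path on the current site; the dangerous forms are `http://mysite.eu/`, `//mysite.eu` and friends, which is what the check rejects.

```python
from urllib.parse import urlsplit

# Constructed allow-list; a leading dot matches the domain and any subdomain.
ALLOWED_HOSTS = ["yoursite.eu", ".example.org"]


def _hostname(netloc):
    """Strip userinfo and port from a netloc / Host value, keeping IPv6 brackets."""
    host = netloc.rsplit("@", 1)[-1].lower().rstrip(".")
    if host.startswith("["):
        return host[: host.find("]") + 1]
    return host.split(":", 1)[0]


def host_is_allowed(netloc, allowed_hosts=ALLOWED_HOSTS):
    host = _hostname(netloc)
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or host == pattern:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def safe_next(next_url, default="/"):
    """Slide 29: follow ?next= only when it stays on an allowed host.
    Scheme-relative '//evil' and backslashes (browsers treat them as '/')
    are rejected outright; a URL with a scheme must be http(s) and carry a
    host, and that host must be on the allow-list."""
    if not next_url or "\\" in next_url or next_url.startswith("//"):
        return default
    parts = urlsplit(next_url)
    if parts.scheme and (not parts.netloc or parts.scheme not in ("http", "https")):
        return default
    if parts.netloc and not host_is_allowed(parts.netloc):
        return default
    return next_url


def password_reset_base(headers, scheme="https"):
    """Slide 30: the Host header is attacker-chosen, so validate it before it
    becomes the domain in the reset link that gets e-mailed to the victim."""
    host = headers.get("Host", "")
    if not host_is_allowed(host):
        raise ValueError("Host header not in ALLOWED_HOSTS: %r" % host)
    return "%s://%s" % (scheme, host)


def reset_link_is_rejected(headers):
    try:
        password_reset_base(headers)
    except ValueError:
        return True
    return False
```

The port is ignored for matching but kept in the generated URL, so `Host: yoursite.eu:8443` validates and produces `https://yoursite.eu:8443`; `Host: somethingevil.com`, the request on slide 30, raises before any e-mail is built.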
  31. RCE
    Remote Code Execution
    pickle.loads("cposix\nsystem\np0\n(S'ls'…")
    exec/eval

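The pickle stream on the slide is a call to `posix.system` that runs as soon as `pickle.loads` resolves the global. An added example of the mitigation, not code from the talk or from Django: a `pickle.Unpickler` subclass whose `find_class` only resolves an explicit allow-list of builtins, so the payload is refused before anything is imported. `EVIL` is the slide's payload written out as a complete protocol-0 stream, constructed here for the demonstration; `SAFE_BUILTINS`, `restricted_loads` and `roundtrip` are names chosen here.

```python
import builtins
import io
import pickle

# The slide's payload as a full protocol-0 stream: GLOBAL posix.system,
# push 'ls', build a tuple, REDUCE (call it), STOP. Constructed here so the
# restricted unpickler can be shown refusing it; never pass it to plain
# pickle.loads(), which would run the command.
EVIL = b"cposix\nsystem\np0\n(S'ls'\np1\ntp2\nRp3\n."

# The only globals a stream may resolve. posix.system, os.system,
# subprocess.* and any other module.name are refused before import.
SAFE_BUILTINS = {"range", "set", "frozenset", "list", "dict", "tuple", "str", "int"}


class RestrictedUnpickler(pickle.Unpickler):
    def find_class(self, module, name):
        # Called for every GLOBAL / STACK_GLOBAL opcode, which is the only way a
        # pickle can name a callable; gate it instead of trusting the stream.
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(data):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def is_rejected(data):
    try:
        restricted_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


def roundtrip(obj):
    """Plain containers need no globals at all; range needs builtins.range,
    which is on the allow-list."""
    return restricted_loads(pickle.dumps(obj))
```

This is defence in depth, not a licence to unpickle untrusted input: the first choice for data that crosses a trust boundary is a format with no code-loading semantics such as JSON.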
  32. Authentication/Authorization Failure
    from django.contrib.auth.decorators import login_required
    from django.contrib.auth.models import User
    from django.shortcuts import redirect

    @login_required()
    def delete_user(request, uid):
        # Authenticated but not authorized: any logged-in user can delete any uid
        User.objects.filter(id=uid).delete()
        return redirect('index')

  33. Directory Traversal
    os.path.join(MEDIA_ROOT, "../../settings.py")

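`os.path.join` happily applies `../` segments, and silently discards `MEDIA_ROOT` altogether when the second argument is absolute. An added example of the check, not code from the talk or from Django: normalise the joined path and require that it still sits under the root. `MEDIA_ROOT` is a constructed value standing in for `settings.MEDIA_ROOT`; `safe_media_path` is a name chosen here. `posixpath` is used so the result is the same on every platform.

```python
import posixpath

MEDIA_ROOT = "/srv/app/media"  # constructed; stands in for settings.MEDIA_ROOT


def safe_media_path(user_path, media_root=MEDIA_ROOT):
    """Join a user-supplied relative path onto media_root and refuse anything
    that would land outside it.

    Two failure modes are covered:
      * '../' segments: normpath collapses them, and commonpath then shows the
        result is no longer under media_root (the slide's '../../settings.py').
      * absolute paths: join() drops media_root when the second argument
        starts with '/', so those are rejected up front, as are NUL bytes.
    """
    if posixpath.isabs(user_path) or "\x00" in user_path:
        raise ValueError("absolute path or NUL byte in %r" % user_path)
    root = posixpath.normpath(media_root)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    if posixpath.commonpath([root, candidate]) != root:
        raise ValueError("path escapes MEDIA_ROOT: %r" % user_path)
    return candidate


def is_rejected(user_path):
    try:
        safe_media_path(user_path)
    except ValueError:
        return True
    return False
```

A `..` that stays inside the root (`uploads/../avatar.png`) is fine and resolves to `/srv/app/media/avatar.png`; one that climbs out is refused. On a real filesystem add `os.path.realpath` on both sides before the `commonpath` comparison, otherwise a symlink inside `MEDIA_ROOT` can still point elsewhere.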
  34. Information Leakage

  35. OWASP Top 10
    https://www.owasp.org/

  36. Thank you!
    Also thanks to @fapolloner
    who helped me prep this talk
    @m_holtermann

  37. [image-only slide]