
Oh, I Found a Security Issue (PyCaribbean 2018)

Markus H
February 17, 2018

An extended version of my PyCon CA 2017 talk, mixed with a shortened version of my DjangoCon AU 2017 talk.

Transcript

  1. Oh, I Found a
    Security Issue
    PyCaribbean 2018 • @m_holtermann

  2. I’m Markus Holtermann
    @m_holtermann • github.com/MarkusH • markusholtermann.eu
    • Django Core Developer
    • Software Engineer at @laterpay • laterpay.net

  3. Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT)
    From: Tim Graham <*****@gmail.com>
    To: django-announce
    Subject: [django-announce] Django security releases issued: 1.10.7,
    1.9.13, and 1.8.18
    Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our
    security process. These releases address two security issues, and we
    encourage all users to upgrade as soon as possible:
    https://www.djangoproject.com/weblog/2017/apr/04/security-releases/
    As a reminder, we ask that potential security issues be reported via
    private email to security@djangoproject.com and not via Django's Trac
    instance or the django-developers list. Please see
    https://www.djangoproject.com/security for further information.

  4. Django’s Security
    Policy
    https://docs.djangoproject.com/en/dev/internals/security/

  5. Django’s Security
    Report & Release
    Process

  6. Assessing the reported issue

  7. Fixing the issue

  8. Confirming the fix

  9. Pre-notification

  10. Announcement

  11. How to apply this?

  12.–16. ● Setup reporting channel
    ● Monitor reporting channel
    ● Fix the issue
    ● Release & Announce
    ● Learn from it

  17. Django’s History
    https://docs.djangoproject.com/en/dev/releases/security/

  18. Reassuringly secure.
    Django takes security seriously and
    helps developers avoid many
    common security mistakes.

  19. Number of CVEs per year

  20. CVEs per classification

  21. XSS
    Cross Site Scripting
    var json = {{ data|json.dumps|safe }};

  22. Avoiding XSS
    var json = JSON.parse("{{ data|escapejs }}");
    https://code.djangoproject.com/ticket/17419

  23. Avoiding XSS
    In your .js file (with jQuery):
    $('#json2').data('foo')
    https://code.djangoproject.com/ticket/17419
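
Added example for slides 21 to 23 (not code from the talk or from Django): the three ways of getting `data` into the page, rendered side by side, plus a check for each that stands in for what the browser does. The `_JS_ESCAPES` table re-implements the mapping Django's `escapejs` filter applies (assumption: it mirrors Django's table); the `PAYLOAD` record and the `json2`/`data-foo` markup are constructed for the demo.

```python
import html
import json

# Re-implementation of Django's escapejs mapping for this demo (assumption:
# it mirrors Django's table; it is not Django's code). Every character that
# could end a JS string, an HTML tag or an attribute becomes a \uXXXX escape.
_JS_ESCAPES = {
    ord("\\"): "\\u005C", ord("'"): "\\u0027", ord('"'): "\\u0022",
    ord(">"): "\\u003E", ord("<"): "\\u003C", ord("&"): "\\u0026",
    ord("="): "\\u003D", ord("-"): "\\u002D", ord(";"): "\\u003B",
    ord("`"): "\\u0060", ord("\u2028"): "\\u2028", ord("\u2029"): "\\u2029",
}
_JS_ESCAPES.update({c: "\\u%04X" % c for c in range(32)})


def escapejs(value: str) -> str:
    return str(value).translate(_JS_ESCAPES)


# Constructed attacker-controlled record: the name closes the script element
# and opens a new one.
PAYLOAD = {"name": "</script><script>alert(document.cookie)</script>"}


def render_unsafe(data) -> str:
    # Slide 21: {{ data|json.dumps|safe }} pastes the JSON into the page as-is.
    return "<script>var json = %s;</script>" % json.dumps(data)


def render_escapejs(data) -> str:
    # Slide 22: the JSON text goes into a quoted JS string literal via
    # escapejs and is turned back into an object by JSON.parse in the browser.
    return '<script>var json = JSON.parse("%s");</script>' % escapejs(json.dumps(data))


def render_data_attribute(data) -> str:
    # Slide 23: keep the JSON in an HTML attribute (Django's autoescaping does
    # the html.escape here) and read it from a .js file with $('#json2').data('foo').
    return '<div id="json2" data-foo="%s"></div>' % html.escape(json.dumps(data), quote=True)


def script_breakout(page: str) -> bool:
    """True if an injected </script> sits inside the script element: the HTML
    parser ends the element there, and what follows is attacker markup."""
    body = page[len("<script>"):page.rfind("</script>")]
    return "</script>" in body.lower()


def js_string_roundtrip(page: str):
    """Act as the browser: take the literal out of the page, decode it the way
    a JS engine decodes a string literal (JSON string rules cover the \\uXXXX
    escapes used here), then JSON.parse it."""
    start = page.index('JSON.parse("') + len('JSON.parse("')
    end = page.index('")', start)
    return json.loads(json.loads('"' + page[start:end] + '"'))


def data_attribute_roundtrip(page: str):
    """Act as the browser plus jQuery: HTML-unescape the attribute value and
    parse the JSON it carries."""
    start = page.index('data-foo="') + len('data-foo="')
    end = page.index('"', start)
    return json.loads(html.unescape(page[start:end]))
```

`render_unsafe(PAYLOAD)` produces a page in which the HTML parser sees the attacker's `</script>` before the JavaScript engine ever runs, so `|safe` on user data is a script injection no matter how well the JSON is quoted. Both safe variants survive the round trip with the original dict intact, and the `escapejs` page contains no `<`, `>` or quote characters at all. Since Django 2.1 the `json_script` filter packages the data-attribute idea as a built-in.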

  24. CSRF
    Cross Site Request Forgery

  25. DoS
    Denial of Service

  26. Unvalidated Redirects
    http://yoursite.eu/login?next=mysite.eu

  27. Header Poisoning
    POST /password_reset/ HTTP/1.1
    Host: somethingevil.com
    Content-Type: …urlencoded
    email=your_email&action=reset
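
Added example covering slides 26 and 27 (not code from the talk or from Django): one host allow-list check that serves both the `next=` redirect target and the incoming Host header. It re-creates, in plain Python, the rules of Django's ALLOWED_HOSTS matching and of its `url_has_allowed_host_and_scheme` check; the `ALLOWED_HOSTS` list, the `/password_reset/confirm/...` link layout and the uid/token values are constructed for the demo. Note that a bare `next=mysite.eu` with no scheme parses as a relative path and stays on the current host; the forms that really leave the site are absolute (`http://mysite.eu`), scheme-relative (`//mysite.eu`), backslash (`\\mysite.eu`) and `javascript:` URLs, and those are what the check rejects.

```python
from urllib.parse import urlsplit

# Constructed allow-list for the demo: the site itself plus any *.internal subdomain.
ALLOWED_HOSTS = ["yoursite.eu", ".internal.yoursite.eu"]


def host_is_allowed(host: str, allowed_hosts) -> bool:
    """Match a host name against an allow-list. A pattern starting with '.'
    matches the domain itself and any subdomain, '*' matches anything
    (the same conventions Django uses for ALLOWED_HOSTS)."""
    host = host.lower().rstrip(".")
    if ":" in host and not host.startswith("["):   # strip a port (no IPv6 handling here)
        host = host.rsplit(":", 1)[0]
    if not host:
        return False
    for pattern in allowed_hosts:
        pattern = pattern.lower()
        if pattern == "*" or pattern == host:
            return True
        if pattern.startswith(".") and (host == pattern[1:] or host.endswith(pattern)):
            return True
    return False


def _safe_url(url: str, allowed_hosts) -> bool:
    if url.startswith("///"):              # urlsplit() would report an empty netloc
        return False
    try:
        parts = urlsplit(url)
    except ValueError:
        return False
    if parts.scheme and not parts.netloc:  # javascript:alert(1), data:..., mailto:...
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:                       # absolute or scheme-relative URL
        return bool(parts.hostname) and host_is_allowed(parts.hostname, allowed_hosts)
    return True                            # a plain path stays on this site


def is_safe_redirect(url: str, allowed_hosts) -> bool:
    """Slide 26: only follow ?next= if it cannot take the user off-site."""
    url = url.strip()
    if not url or not url[0].isprintable():
        return False
    # Browsers treat backslashes as slashes, so '\\evil.com' must be judged as
    # '//evil.com' as well; both spellings have to pass.
    return _safe_url(url, allowed_hosts) and _safe_url(url.replace("\\", "/"), allowed_hosts)


def build_password_reset_url(host_header: str, allowed_hosts, uidb64: str, token: str) -> str:
    """Slide 27: the reset mail embeds whatever host the link is built from.
    Validate the Host header first, otherwise 'Host: somethingevil.com' from
    the attacker's request ends up in the victim's mailbox and the token is
    sent to the attacker's server on click. (Link layout is an assumption.)"""
    if not host_is_allowed(host_header, allowed_hosts):
        raise ValueError("disallowed Host header: %r" % host_header)
    return "https://%s/password_reset/confirm/%s/%s/" % (host_header, uidb64, token)
```

In Django the Host check is done for you by ALLOWED_HOSTS (a request with a non-matching Host never reaches the view), and `django.utils.http.url_has_allowed_host_and_scheme` is the supported redirect check; the point of spelling both out here is that they are the same allow-list applied to two different inputs.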

  28. RCE
    Remote Code Execution
    pickle.loads("cposix\nsystem\np0\n(S'ls'…")
    exec/eval
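
Added example for slide 28 (not code from the talk): the same protocol 0 pickle trick as the slide's `cposix\nsystem` payload, pointed at `os.getcwd()` so it is harmless to run, next to two mitigations: an `Unpickler` subclass whose `find_class` only resolves an explicit allow-list, and `ast.literal_eval` in place of `eval`. The allow-list contents and the sample values are constructed for the demo. For untrusted input the real answer is a data-only format such as JSON; the restricted unpickler is for the case where pickles from a semi-trusted source must be accepted.

```python
import ast
import datetime
import io
import os
import pickle

# Constructed payload in pickle protocol 0, built the same way as the slide's
# "cposix\nsystem\n..." one-liner: c = GLOBAL (module, name), ( = MARK,
# t = TUPLE (here: empty args), R = REDUCE (call it), . = STOP.
# It calls os.getcwd() instead of os.system('ls') so the demo has no side effect.
EVIL_PICKLE = b"cos\ngetcwd\n(tR."

# Constructed benign data that does need a GLOBAL lookup (datetime.date).
SAMPLE_DATE = datetime.date(2018, 2, 17)
SAFE_PICKLE = pickle.dumps(SAMPLE_DATE)


def current_directory() -> str:
    # What the payload "steals" in this demo; a real payload runs a command.
    return os.getcwd()


def unsafe_loads(blob: bytes):
    # Slide 28: pickle.loads() executes the callables named in the stream;
    # the return value here is not our "data" but the result of the call.
    return pickle.loads(blob)


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves globals from an explicit allow-list.
    Everything else (os.system, subprocess.Popen, builtins.eval, ...) is
    refused before REDUCE can call it."""

    ALLOWED = {("datetime", "date"), ("datetime", "datetime")}

    def find_class(self, module, name):
        if (module, name) in self.ALLOWED:
            return super().find_class(module, name)
        raise pickle.UnpicklingError("global %s.%s is not allowed" % (module, name))


def restricted_loads(blob: bytes):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def unsafe_eval(expr: str):
    # eval()/exec() on user input is the same bug in a different coat.
    return eval(expr)


def literal_only(expr: str):
    # ast.literal_eval accepts only literals (numbers, strings, lists, dicts,
    # ...) and raises ValueError for calls, attribute access and names.
    return ast.literal_eval(expr)
```

`unsafe_loads(EVIL_PICKLE)` returns the current working directory, proving that the unpickler called a function the attacker chose; `restricted_loads` raises `UnpicklingError` on the same bytes while still loading the date. The same pattern is in the Python docs under "Restricting Globals"; keep the allow-list as short as the data requires.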

  29. Authentication/Authorization Failure
    @login_required()
    def delete_user(request, uid):
        User.objects.filter(id=uid).delete()
        return redirect('index')
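
Added example for slide 29 (not the talk's code, and framework-free so it runs without Django): the view as shown next to a version with an authorization check. `@login_required` answers "is someone logged in?", not "may this user delete that account?", so user 2 can delete user 4 just by changing the uid in the URL. The `User`/`Request` dataclasses, the in-memory `users` dict and the owner-or-staff rule are stand-ins for `request.user`, `User.objects` and whatever policy the application really has; in Django you would raise `django.core.exceptions.PermissionDenied` in the same place.

```python
from dataclasses import dataclass


class PermissionDenied(Exception):
    """Stand-in for django.core.exceptions.PermissionDenied (constructed here)."""


@dataclass
class User:
    id: int
    is_staff: bool = False


@dataclass
class Request:
    user: User          # what @login_required guarantees: an authenticated user


def make_users():
    # Constructed stand-in for the User table.
    return {1: User(1, is_staff=True), 2: User(2), 3: User(3), 4: User(4)}


def delete_user_unchecked(request, uid, users):
    # Slide 29 as written: being logged in is the only requirement, so any
    # account can delete any other account (the uid comes from the URL).
    users.pop(int(uid), None)
    return "index"


def delete_user(request, uid, users):
    # Authorization check: the caller must own the account or be staff.
    uid = int(uid)
    if not (request.user.is_staff or request.user.id == uid):
        raise PermissionDenied("user %d may not delete user %d" % (request.user.id, uid))
    users.pop(uid, None)
    return "index"
```

The fix is two lines, and it is the class of bug the slide's title refers to: authentication was present, authorization was not. Doing the check on the object rather than on the URL (for example looking the row up with the owner as part of the filter) is the same idea expressed in the query.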

  30. Directory Traversal
    os.path.join(MEDIA_ROOT, "../../settings.py")
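
Added example for slide 30 (not code from the talk or from Django): what `os.path.join` actually produces for the slide's input, including the second pitfall that an absolute second argument discards `MEDIA_ROOT` entirely, and a join that refuses to leave the base directory. It uses `posixpath` so the result is the same on every platform; the check is purely lexical, so on a real filesystem resolve symlinks with `os.path.realpath()` before comparing. `MEDIA_ROOT = /srv/app/media` and the file names are constructed for the demo. Django's storage layer performs the equivalent check (`safe_join`) and raises `SuspiciousFileOperation`.

```python
import posixpath

# Constructed base directory for the demo.
MEDIA_ROOT = "/srv/app/media"


def naive_media_path(user_path: str) -> str:
    """Slide 30 as written, normalised to the path the OS would actually open.
    '..' walks out of MEDIA_ROOT, and an absolute second argument makes
    posixpath.join() discard MEDIA_ROOT altogether."""
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, user_path))


def safe_media_path(user_path: str, base: str = MEDIA_ROOT) -> str:
    """Join, normalise, then prove the result is still under base.
    commonpath() compares whole path components, so '/srv/app/media2' does
    not pass as a child of '/srv/app/media' the way a string-prefix test
    would let it."""
    base = posixpath.normpath(base)
    candidate = posixpath.normpath(posixpath.join(base, user_path))
    if posixpath.commonpath([base, candidate]) != base:
        raise ValueError("%r escapes %s" % (user_path, base))
    return candidate
```

`..` inside the path is fine as long as the normalised result stays under the base (`uploads/../avatar.png` is accepted); what is rejected is any result whose first components differ from the base, whether it got there through `..` or through an absolute path.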

  31. Information Leakage

  32. OWASP Top 10
    https://www.owasp.org/

  33. Thank you!
    Also thanks to @fapolloner
    who helped me prep this talk
    @m_holtermann
