Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beau Butler: Intro to flask-security

Beau Butler: Intro to flask-security

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Beau Butler:
Intro to flask-security
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
@ Kiwi PyCon 2014 - Saturday, 13 Sep 2014 - Track 2
http://kiwi.pycon.org/

**Audience level**

Intermediate

**Description**

Turning your web app into a webapp-with-users looks like an onerous yak-shaving mission, full of DNS and email configuration, password databases, and so on. We will use the great flask-security metamodule, and a little bit of glue, to show just how easy this formerly-annoying process can be, from go to whoa.

**Abstract**

Say you’re using Flask, and your happy little app now suddenly needs an endpoint user-secured, Because Reasons… what do you do?

Either you hardcode a password in, hook up basic-auth, and go home,

OR, you face the fun of users, roles, the users need to sign up, now they’ve forgotten their passwords again, and so on. There’s really no middle ground.

Going from "open season" to "i want this function protected with a role permission" is a big old yak-shaving mission, full of DNS configuration, the dismaying realisation that now your app has to send email, and so on.

In the spirit of self-sufficiency and ‘DevOps’, this talk takes you from a bare 'hello world' flask app, through to a bare 'hello world' app with role protection for endpoints. We’ll start with a domain name and a VPS, and end with an app that people can sign up to.

We'll be using the great flask-security metamodule, and a little bit of glue, to show just how easy this formerly-annoying process can be, from go to whoa.

**YouTube**

https://www.youtube.com/watch?v=g0bZA9K2A84

New Zealand Python User Group

September 13, 2014
Tweet

More Decks by New Zealand Python User Group

Other Decks in Programming

Transcript

  1. whoami / whatido • ‘Oddy’ – Beau Butler • BASIC->Pascal->C->Python

    • Computer Hacking at S-A • 3x Kiwicon-er, 1st time PyCon-er • Now code infosec S/W • All Python all the time! • “Nothing left to take away”
  2. Setup • Minimal app, one page, page is editable. •

    https://github.com/oddy/bangingminimal
  3. Goal • Only let some users deface edit • Want

    not just a shared, hardwired user/PW. • RBAC as minimum, not just user-based.
  4. Working Backwards • Users, Roles • DB for them •

    Login, Reg etc • Admin add Users<->Roles actions • But wait, users will forget their pa-
  5. You Get You Don’t Get • Sess auth + RBAC

    • Base users DB • All the std ‘workflows’ • Email-assisted • Passwd crypto • Token/JSON auth* • *Async* mail sending • *Pretty* forms
  6. Email Sending 3 • Make an account • Log into

    it in gmail and change the password! • Give to flask! Done!
  7. Templates & Links • Forms in templates/security • See ‘customizing

    views’ in FS docs • /login, /register links in navbar • See ‘configuration’ in FS docs.
  8. User Code • Add code for user datastore • See

    the various ‘quick starts’ • Add code to call these APIs in some way: • user_datastore.create_role • user_datastore.add_role_to_user
  9. Finally • Chuck flask behind a webserver • Apache glue

    available on request • Run app up, register yourself • Run your role_to_user call to give self ‘editor’ • Log in • Done!
  10. Black Box Testing • Pay megabucks for pentesting 1. Make

    minimal flask app 2. Know LOTS OF HACKERS 3. ??????
  11. How? 1. ARP redir MitM app->net 2. SSL intercept proxy

    • “SSLSplit” 3. Do ‘forgot password’ using MY email/login 4. Intercept reset URL sent via goog to me 5. Use reset URL to chpwd, login as me 6. LOLLLBUTTTTSSS
  12. What did we learn? • Shared hosting/network baaad • “Scope”

    can get in the way of Good Hacking • Py smtplib doesn’t check Google’s Cert! • 2.x smtplib cant do it at all. 3.4x can, but off by default. • Debate about this now http://lwn.net/Articles/582065/ • Armin Ronacher FTW • Some tokens need looking into (Chris & Cartel) • Flask-Sec RBAC itself still not broken
  13. • ~2 Days • 26,025 GETs • 5,695 POSTs •

    7 sets of path traversal attacks (yay) • 2 token enumerations (yay) • 3 dirbuster-esque keyword path scans • 149 unique IPs. • 22 signed up users (not including me) • At least 1 TOR user • Someone hacking from their iphone4 • Flask-Sec RBAC itself still not broken • I’m leaving it up, have a go!! (pwnoddy.com) Conclusion