Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Beau Butler: Intro to flask-security

New Zealand Python User Group
September 13, 2014
Programming
1
270

Beau Butler: Intro to flask-security

= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
Beau Butler:
Intro to flask-security
= = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = = =
@ Kiwi PyCon 2014 - Saturday, 13 Sep 2014 - Track 2
http://kiwi.pycon.org/

**Audience level**

Intermediate

**Description**

Turning your web app into a webapp-with-users looks like an onerous yak-shaving mission, full of DNS and email configuration, password databases, and so on. We will use the great flask-security metamodule, and a little bit of glue, to show just how easy this formerly-annoying process can be, from go to whoa.

**Abstract**

Say you’re using Flask, and your happy little app now suddenly needs an endpoint user-secured, Because Reasons… what do you do?

Either you hardcode a password in, hook up basic-auth, and go home,

OR, you face the fun of users, roles, the users need to sign up, now they’ve forgotten their passwords again, and so on. There’s really no middle ground.

Going from "open season" to "i want this function protected with a role permission" is a big old yak-shaving mission, full of DNS configuration, the dismaying realisation that now your app has to send email, and so on.

In the spirit of self-sufficiency and ‘DevOps’, this talk takes you from a bare 'hello world' flask app, through to a bare 'hello world' app with role protection for endpoints. We’ll start with a domain name and a VPS, and end with an app that people can sign up to.

We'll be using the great flask-security metamodule, and a little bit of glue, to show just how easy this formerly-annoying process can be, from go to whoa.

**YouTube**

https://www.youtube.com/watch?v=g0bZA9K2A84

New Zealand Python User Group

September 13, 2014
Tweet

More Decks by New Zealand Python User Group

See All by New Zealand Python User Group
Francesco Biscani: A Snake in Space - The rise of scientific Python in Astrodynamics and Astronomy (Keynote)
nzpug
0
460
Holger Spill: An introduction to Python and graph databases with Neo4j
nzpug
1
960
Reed Wade: Bottle + uWSGI: simple web app configuration and fun hidden features
nzpug
0
530
Robert King: Making a scalable course search engine with Python
nzpug
0
290
Ryan Kelly: PyPy.js: What? How? Why?
nzpug
1
460
Tim Penhey: Deploying a Django application using Juju
nzpug
0
230
Alyona Medelyan: Understanding human language with Python
nzpug
1
420
Douglas Bagnall: Multimedia programming using Gstreamer (and, of course, Python)
nzpug
0
490
Carl Cerecke: goto in python. Yes. Really.
nzpug
0
790

Other Decks in Programming

See All in Programming
SpringBoot+MyBatisで例外が出たときどこを見るか
syukai
0
110
Folding Cheat Sheet #2
philipschwarz
PRO
0
110
Git Rebase
bkuhlmann
11
1.6k
App Router への移行は「改善」となり得るのか?/ Can migration to App Router be an improvement
takefumiyoshii
8
2.1k
Rails と人魚の話/rails-and-mermaid
sanfrecce_osaka
0
100
코틀린으로 멀티플랫폼 만들기
pangmoo
0
120
せっかくモデル図描くのなら、 嬉しいことが多い方がいいよね!
kuboaki
1
3.1k
OpenAPIを中心に考えるAPI開発入門 / Introduction to API Development with a Focus on OpenAPI
seike460
PRO
2
100
[技育CAMPアカデミア]アイディアを形に!【超入門】スマホアプリ開発〜リリースまでの流れをご紹介
teamlab
PRO
0
340
puregoの活用例
aethiopicuschan
0
220
Javaエンジニアのための Nodejs/Nuxt3入門
hidekatsu_izuno
0
280
脱・初心者!脱・マネコン!AWS CDKを使ってみませんか!?
har1101
0
300

Featured

See All Featured
RailsConf 2023
tenderlove
1
530
Being A Developer After 40
akosma
56
580k
Imperfection Machines: The Place of Print at Facebook
scottboms
258
12k
Why You Should Never Use an ORM
jnunemaker
PRO
50
8.6k
[RailsConf 2023] Rails as a piece of cake
palkan
22
3.9k
Designing with Data
zakiwarfel
95
4.8k
How GitHub Uses GitHub to Build GitHub
holman
468
290k
WebSockets: Embracing the real-time Web
robhawkes
59
7k
The Cost Of JavaScript in 2023
addyosmani
13
3.8k
StorybookのUI Testing Handbookを読んだ
zakiyama
10
4.5k
Keith and Marios Guide to Fast Websites
keithpitt
408
22k
The MySQL Ecosystem @ GitHub 2015
samlambert
242
12k

Transcript

  1. Flask-Security Intro Security Security

  2. whoami / whatido • ‘Oddy’ – Beau Butler • BASIC->Pascal->C->Python

    • Computer Hacking at S-A • 3x Kiwicon-er, 1st time PyCon-er • Now code infosec S/W • All Python all the time! • “Nothing left to take away”

  3. Why Flask? • Different (perceived) Learning Curve

  4. Setup • Minimal app, one page, page is editable. •

    https://github.com/oddy/bangingminimal

  5. Goal • Only let some users deface edit • Want

    not just a shared, hardwired user/PW. • RBAC as minimum, not just user-based.

  6. Working Backwards • Users, Roles • DB for them •

    Login, Reg etc • Admin add Users<->Roles actions • But wait, users will forget their pa-

  7. Email • The app has to be able to send

    emails.

  8. You Get You Don’t Get • Sess auth + RBAC

    • Base users DB • All the std ‘workflows’ • Email-assisted • Passwd crypto • Token/JSON auth* • *Async* mail sending • *Pretty* forms

  9. First up • In new virtualenv: • Do a helloworld

    app:

  10. Email Sending • Get an email-sending account • I used

    google-

  11. Email Sending 2 • Prove Domain Ownership

  12. Email Sending 3 • Make an account • Log into

    it in gmail and change the password! • Give to flask! Done!

  13. Templates & Links • Forms in templates/security • See ‘customizing

    views’ in FS docs • /login, /register links in navbar • See ‘configuration’ in FS docs.

  14. User Code • Add code for user datastore • See

    the various ‘quick starts’ • Add code to call these APIs in some way: • user_datastore.create_role • user_datastore.add_role_to_user

  15. Finally • Chuck flask behind a webserver • Apache glue

    available on request • Run app up, register yourself • Run your role_to_user call to give self ‘editor’ • Log in • Done!

  16. Only one way to find out… IS IT SECURE!?

  17. Black Box Testing • Pay megabucks for pentesting 1. Make

    minimal flask app 2. Know LOTS OF HACKERS 3. ??????

  18. Apply BEER • Hackers DRINK

  19. Worked for Django

  20. Black Box Testing 3. BEER-

  21. Black Box Testing 4. Sit back.

  22. PWNED

  23. Whodunit!? TKN DONE IT Aka Notorious Hacker Ven Mike Jager

  24. How? 1. ARP redir MitM app->net 2. SSL intercept proxy

    • “SSLSplit” 3. Do ‘forgot password’ using MY email/login 4. Intercept reset URL sent via goog to me 5. Use reset URL to chpwd, login as me 6. LOLLLBUTTTTSSS

  25. What did we learn? • Shared hosting/network baaad • “Scope”

    can get in the way of Good Hacking • Py smtplib doesn’t check Google’s Cert! • 2.x smtplib cant do it at all. 3.4x can, but off by default. • Debate about this now http://lwn.net/Articles/582065/ • Armin Ronacher FTW • Some tokens need looking into (Chris & Cartel) • Flask-Sec RBAC itself still not broken

  26. • ~2 Days • 26,025 GETs • 5,695 POSTs •

    7 sets of path traversal attacks (yay) • 2 token enumerations (yay) • 3 dirbuster-esque keyword path scans • 149 unique IPs. • 22 signed up users (not including me) • At least 1 TOR user • Someone hacking from their iphone4 • Flask-Sec RBAC itself still not broken • I’m leaving it up, have a go!! (pwnoddy.com) Conclusion