Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
駭客看 Django
Search
Orange
May 26, 2013
Technology
25
13k
駭客看 Django
Taiwan Python Conference 2013
Orange
May 26, 2013
Tweet
Share
More Decks by Orange
See All by Orange
Best Practices - The Upload
p8361
0
91
Security in PHP 那些在滲透測試的小技巧
p8361
0
170
網頁安全 Web Security 入門
p8361
0
170
Bug Bounty 獎金獵人甘苦談 - 那些年我回報過的漏洞
p8361
13
36k
那些 Web Hacking 中的奇技淫巧
p8361
16
14k
關於 HITCON CTF 的那些事 之 Web 狗如何在險惡的 CTF 世界中存活?
p8361
6
13k
PHPConf 2013 - 矛盾大對決
p8361
53
28k
0-Day 輕鬆談 - Happy Fuzzing Internet Explorer
p8361
15
12k
Other Decks in Technology
See All in Technology
Terraformで構築する セルフサービス型データプラットフォーム / terraform-self-service-data-platform
pei0804
1
170
AWSを利用する上で知っておきたい名前解決のはなし(10分版)
nagisa53
10
3.1k
【実演版】カンファレンス登壇者・スタッフにこそ知ってほしいマイクの使い方 / 大吉祥寺.pm 2025
arthur1
1
830
MCPで変わる Amebaデザインシステム「Spindle」の開発
spindle
PRO
3
3.2k
研究開発と製品開発、両利きのロボティクス
youtalk
1
520
オブザーバビリティが広げる AIOps の世界 / The World of AIOps Expanded by Observability
aoto
PRO
0
370
Firestore → Spanner 移行 を成功させた段階的移行プロセス
athug
1
470
Evolución del razonamiento matemático de GPT-4.1 a GPT-5 - Data Aventura Summit 2025 & VSCode DevDays
lauchacarro
0
190
「全員プロダクトマネージャー」を実現する、Cursorによる仕様検討の自動運転
applism118
21
11k
Codeful Serverless / 一人運用でもやり抜く力
_kensh
7
410
バイブスに「型」を!Kent Beckに学ぶ、AI時代のテスト駆動開発
amixedcolor
2
540
Automating Web Accessibility Testing with AI Agents
maminami373
0
1.3k
Featured
See All Featured
Rails Girls Zürich Keynote
gr2m
95
14k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
51
5.6k
The Pragmatic Product Professional
lauravandoore
36
6.9k
What’s in a name? Adding method to the madness
productmarketing
PRO
23
3.7k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
The Success of Rails: Ensuring Growth for the Next 100 Years
eileencodes
46
7.6k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
285
13k
ピンチをチャンスに:未来をつくるプロダクトロードマップ #pmconf2020
aki_iinuma
126
53k
Building Adaptive Systems
keathley
43
2.7k
The Cult of Friendly URLs
andyhume
79
6.6k
Docker and Python
trallard
45
3.6k
The Straight Up "How To Draw Better" Workshop
denniskardys
236
140k
Transcript
駭客看 DJANGO 2013/05/26 @ PyCon <
[email protected]
>
本場演講「四不一沒有」
四不一沒有 • 四不 – 我不是駭客 – 我不會寫 django – 不會有 django 新漏洞( 請洽七月台灣駭客年會
) – 這場演講不難,真的很簡單 • 沒有 – 這場演講沒有梗,有笑點的話拜託笑一下
About Me • 蔡政達 aka Orange • 2009 台灣駭客年會競賽 冠軍
• 2011, 2012 全國資安競賽 金盾獎冠軍 • 2011 東京 AVTOKYO 講師 • 2012 香港 VXRLConf 講師 • 台灣 PHPConf, WebConf 講 師 • 專精於 – 駭客攻擊手法 – Web Security – Windows Vulnerability Exploitation
About Me • CHROOT Security Group 成員 • NISRA 資訊安全研究會
成員 • Disclosed – Windows MS12-071(CVE-2012-4775) – Django (CVE-2013-0305) • Blog – http://blog.orange.tw/
2013 年 X 月 O 日 天氣晴,今天是寒假的第一天… 幹, Rails 爆遠端執行代碼漏洞欸
None
Django 會不會有同樣的問題呢? 學生什麼都沒有, 最多的就是時間。 來研究個 Open Source 專案很正常吧!
Vulnerabilities by Year Django
Vulnerabilities by Year Django 同樣情境跟 Rails 比較...
包含至少 8 個 Remote Code Execution
......
其實我今天是來推廣 Rails 開玩笑的啦我沒有要戰語言 T_T
Django 現有的保護機制 Django Security Overview
Security Overview • Built-in XSS protection • Built-in SQL Injection
protection – ORM ( Q Object ) • Built-in CSRF protection – django.middleware.csrf.CsrfViewMiddleware – Check REFERER header – Compare CSRF token
Security Overview • Clickjacking protection – django.middleware.clickjacking.XFrameOptionsMiddleware – Optional in settings.py – X-Frame-Options:
SAMEORIGIN
Security Overview • Password hashing is more and more stronger
– Default is PBKDF2 hasher – django.contrib.auth.hahsers – 10000 iterators makes attackers say fuck … $ time python pbkdf2.py mypassword real 0m0.401s user 0m0.260s sys 0m0.074s
攻擊手法 Some Attacking Vectors
Some Attacking Vectors • VERY VERY BASIC attacking way •
Weak admin password • Debug mode on – Leakage URL pattern – Leakage database password
Some Attacking Vectors • Cross-Site Scripting – HttpResponse( html ) – {{
output|safe }} – {% autoescape off %} • Bad HTML style is always vulnerable – <a href="{{ url }}"> # safe – <a href={{ url }}> # unsafe – <a href=xxx onload=alert(/xss/)>
Some Attacking Vectors • SQL Injection in Django ORM – raw(
sql ) is injectable – extra( select=…, where=… ) is also injectable • String concatenate and format string are vulnerable in any case
Some Attacking Vectors • Third-party module security • Py-bcrypt #
CVE-2013-1895 – Authentication bypass • Python Image Library # CVE-2012-3443 – Denied-of-Service • Python XML.sax # CVE-2013-1664 & 1665 – XXE & XEE Injection
XML eXternal Entity Injection Parsing XML Document Type Definition issue
<?xml encoding='utf-8' ?> <!DOCTYPE account[ <!ENTITY output SYSTEM '/etc/passwd'>]> <account> &output; </account>
XML Entity Expansion Injection <?xml encoding='utf-8' ?> <!DOCTYPE account[ <!ENTITY
a "ooo"> <!ENTITY b "&a; &a; &a; &a; &a;"> <!ENTITY c "&b; &b; &b; &b; &b;"> ... <!ENTITY z "&y; &y; &y; &y; &y;"> ]> <account> &z; </account>
Secret Key Leakage Issue (1/3) • Django SECRET_KEY use in
– get_random_string() using in csrf and hash generating – Django session_data encryption – Django signed cookie encryption – ……
Secret Key Leakage Issue (2/3) • Signed cookie store python
object using Pickle – > HTTP_COOKIE – > decode with secret_key – > pickle.loads( … )
Pickle & cPickle • A module that serializing and De-serializing
python objects • Execute command >>> import pickle >>> pickle.loads( "cos\nsystem\n(S'/bin/sh'\ntR." ) • You can observe by using pickletools >>> import pickletools >>> pickletools.dis( "cos\nsystem\n(S'/bin/sh'\ntR." )
Secret Key Leakage Issue (3/3) • Signed_cookie is encoded by
Pickle – > HTTP_COOKIE # malicious cookie – > decode with secret_key – > pickle.loads( … ) # code execution • Protect your SECRET_KEY ( ex .gitignore )
Conclusion • I think Django is a secure framework •
More and more wrapper make the attack difficult • People is always the most dangerous things
Reference • Django Weblog – https://www.djangoproject.com/weblog/ • Security in Django – https://docs.djangoproject.com/en/dev/topics/security/
• CVE Details – http://www.cvedetails.com/
Any Questions ? Whatever can be asked
Thanks. <
[email protected]
>