Frog and Toad Learn about Django Security - NBT6

Philip James

December 17, 2021

Transcript

  1. @phildini #nbt6
     Frog and Toad Learn Django Security

  2. I have this great idea for a startup!

  3. Novels by Frog and Toad (NFTs)
     • A site for selling books
     • Authors have a form where they can put in book information
     • That book information gets rendered to a book page
     • There is a form on the book page for buying the book

  4. Django!

  5. SECURITY?!?

  6. XSS: Cross-Site Scripting

  7. alert('hello')
     <script>alert('hello')</script>

  8. django.utils.html.escape:

     from django.utils.encoding import force_text  # renamed force_str in Django 3.0
     from django.utils.safestring import mark_safe

     def escape(text):
         # Encode the five characters that can break out of an HTML text or
         # attribute context. The result is marked safe so the template engine
         # does not escape it a second time.
         return mark_safe(
             force_text(text)
             .replace('&', '&amp;')
             .replace('<', '&lt;')
             .replace('>', '&gt;')
             .replace('"', '&quot;')
             .replace("'", '&#39;')
         )

  9. django.utils.html
     https://github.com/django/django/blob/master/django/utils/html.py#L47

 10. Context -> VariableNode -> conditional_escape -> escape
     https://github.com/django/django/blob/master/django/template/base.py

 11. mark_safe(), |n, |safe
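The escape / conditional_escape / mark_safe chain that slides 8 to 11 trace through django.utils.html and django.template.base, as an added example that is not from the talk and not Django's own source: a pure-Python re-implementation of the mechanism (so it runs without Django) fed a constructed hostile book description from the author form. It shows that `{{ description }}` under autoescape neutralises the payload, that `conditional_escape` is what stops already-safe strings from being double-escaped, and that `mark_safe()` (or `|safe`, or autoescape off) on user input hands the XSS straight back. `SafeString`, `render_book_page` and the payload are assumptions standing in for Django's classes and the book page template.

```python
# Added example: a minimal model of Django's escaping pipeline, not Django code.


class SafeString(str):
    """A string already known to be safe HTML (mirrors django.utils.safestring).
    The template layer recognises it by the __html__ method."""

    def __html__(self):
        return self


def escape(text):
    """HTML-escape the five characters that matter, as on slide 8."""
    return SafeString(
        str(text)
        .replace("&", "&amp;")
        .replace("<", "&lt;")
        .replace(">", "&gt;")
        .replace('"', "&quot;")
        .replace("'", "&#39;")
    )


def mark_safe(text):
    """Tell the template layer to skip escaping. Only correct for trusted HTML."""
    return SafeString(text)


def conditional_escape(value):
    """What VariableNode calls for every {{ variable }} under autoescape:
    honour __html__ (a SafeString passes through), escape anything else."""
    if hasattr(value, "__html__"):
        return value.__html__()
    return escape(value)


def render_book_page(title, description, autoescape=True):
    """Stand-in for `{{ title }}` / `{{ description }}` in a book page template.
    autoescape=False is what `{% autoescape off %}` does."""
    render = conditional_escape if autoescape else str
    return "<h1>%s</h1>\n<p>%s</p>" % (render(title), render(description))


# Constructed author input: a hostile description submitted through the form.
HOSTILE_DESCRIPTION = "Great read! <script>alert('hello')</script>"


def demo():
    # 1. Default autoescape: the payload is rendered as text, never executed.
    safe_page = render_book_page("Frog's Book", HOSTILE_DESCRIPTION)
    # 2. A developer wraps untrusted input in mark_safe(): the script is live again.
    unsafe_page = render_book_page("Frog's Book", mark_safe(HOSTILE_DESCRIPTION))
    return safe_page, unsafe_page
```

The practical rule the example encodes: `mark_safe()` belongs on HTML you generated from trusted pieces (after escaping each untrusted piece yourself), never on a value that came from a form.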

 12. CSRF: Cross-Site Request Forgery

 13. CsrfViewMiddleware
     https://github.com/django/django/blob/master/django/middleware/csrf.py

 14. if request is a POST:
         get csrf_token from cookie
         get csrfmiddlewaretoken from request.POST
         if both match:
             accept
         else:
             reject

 15. csrf_exempt, as implemented in older Django (available_attrs was removed in Django 3.0, which calls wraps(view_func) directly):

     from functools import wraps
     from django.utils.decorators import available_attrs

     def csrf_exempt(view_func):
         # Mark a view as exempt from CsrfViewMiddleware. A new wrapper carries the
         # flag instead of setting it on view_func, so the decorator has no side
         # effect on the original function.
         def wrapped_view(*args, **kwargs):
             return view_func(*args, **kwargs)
         wrapped_view.csrf_exempt = True
         return wraps(
             view_func, assigned=available_attrs(view_func)
         )(wrapped_view)

 16. django.views.decorators.csrf.csrf_exempt

 17. from django.utils.decorators import method_decorator
     from django.views import View
     from django.views.decorators.csrf import csrf_exempt

     @csrf_exempt
     def my_view(request):
         ...

     # method_decorator takes the method name as a string, not the method itself
     @method_decorator(csrf_exempt, name='dispatch')
     class MyCBV(View):
         ...

 18. if request is a POST and not view.csrf_exempt:
         get csrf_token from cookie
         get csrfmiddlewaretoken from request.POST
         if both match:
             accept
         else:
             reject
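The check on slides 14 and 18, as an added example that is not from the talk and not Django's code: a stand-alone model of CsrfViewMiddleware plus the csrf_exempt flag, covering two details the pseudocode elides. In Django 1.10 through 4.0 the cookie holds a 32-character secret while the form field holds a masked 64-character token, so the two are never equal as strings and the check has to unmask first (the mask/unmask routines here follow the scheme in django/middleware/csrf.py); and the check runs for every method except GET, HEAD, OPTIONS and TRACE, with the token also accepted from the X-CSRFToken header. `Request`, `buy_book` and `payment_webhook` are constructed stand-ins for HttpRequest and the site's views.

```python
# Added example: a model of Django's CSRF check, not the middleware itself.
import hmac
import secrets
import string
from dataclasses import dataclass, field
from functools import wraps

CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits
CSRF_SECRET_LENGTH = 32
SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def new_csrf_secret():
    """The value stored in the csrftoken cookie (or the session)."""
    return "".join(secrets.choice(CSRF_ALLOWED_CHARS) for _ in range(CSRF_SECRET_LENGTH))


def _indices(s):
    return [CSRF_ALLOWED_CHARS.index(c) for c in s]


def mask_secret(secret):
    """What {% csrf_token %} emits: a fresh random mask followed by the secret
    shifted by that mask (a one-time pad over the 62-character alphabet). A new
    mask per page makes the form token differ on every render, which is what
    defeats BREACH-style compression guessing."""
    mask = new_csrf_secret()
    cipher = "".join(CSRF_ALLOWED_CHARS[(x + y) % len(CSRF_ALLOWED_CHARS)]
                     for x, y in zip(_indices(secret), _indices(mask)))
    return mask + cipher


def unmask_token(token):
    mask, cipher = token[:CSRF_SECRET_LENGTH], token[CSRF_SECRET_LENGTH:]
    return "".join(CSRF_ALLOWED_CHARS[(x - y) % len(CSRF_ALLOWED_CHARS)]
                   for x, y in zip(_indices(cipher), _indices(mask)))


def csrf_exempt(view_func):
    """Same mechanism as slide 15: the flag rides on the wrapper function."""
    @wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view


@dataclass
class Request:
    """Constructed stand-in for HttpRequest."""
    method: str
    COOKIES: dict = field(default_factory=dict)
    POST: dict = field(default_factory=dict)
    META: dict = field(default_factory=dict)


def csrf_check(request, view):
    """Return 'accept' or 'reject' for a (request, view) pair, as on slide 18."""
    # Safe methods are never checked, which is why a state-changing GET is a
    # CSRF hole no middleware can close.
    if request.method in SAFE_METHODS or getattr(view, "csrf_exempt", False):
        return "accept"
    secret = request.COOKIES.get("csrftoken")
    # Django also reads the token from the X-CSRFToken header for AJAX clients.
    token = request.POST.get("csrfmiddlewaretoken") or request.META.get("HTTP_X_CSRFTOKEN")
    if not secret or not token or len(token) != 2 * CSRF_SECRET_LENGTH:
        return "reject"
    if any(c not in CSRF_ALLOWED_CHARS for c in token + secret):
        return "reject"
    # Unmask, then compare in constant time (Django uses constant_time_compare).
    return "accept" if hmac.compare_digest(unmask_token(token), secret) else "reject"


def buy_book(request):
    return "purchased"


@csrf_exempt
def payment_webhook(request):
    """Authenticated by the provider's signature instead, so the cookie check is off."""
    return "ok"
```

The exempt view is the point of slides 15 to 18: once `csrf_exempt` is on a view, nothing else in the pipeline looks at the token, so every exempt view needs its own authentication of the request body (a webhook signature, an API key, or session-less design).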

 19. Cookies

 20. SQLi: SQL Injection

 21. [This Slide Intentionally Left Blank]

 22. .extra(), RawSQL(), .raw()
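Slides 20 to 22 make the point that the ORM handles SQL injection for you until you reach for the escape hatches: .extra(), RawSQL() and .raw(). As an added example (not from the talk, and written against sqlite3 directly rather than Django so it runs anywhere), the same title lookup done the way .raw() is often misused, with the value formatted into the SQL text, beside the parameterised form that .raw(sql, params) expects, run against a constructed table with the classic `' OR 1=1 --` payload. Table and rows are constructed stand-ins for the Book model.

```python
# Added example: injection through string-formatted SQL vs. a bound parameter.
import sqlite3

# Constructed rows standing in for the Book model's table.
SAMPLE_BOOKS = [("Frog and Toad Are Friends", 9.99), ("Toad's Unpublished Diary", 0.0)]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE books_book (id INTEGER PRIMARY KEY, title TEXT, price REAL)")
    conn.executemany("INSERT INTO books_book (title, price) VALUES (?, ?)", SAMPLE_BOOKS)
    return conn


def find_by_title_unsafe(conn, title):
    """The bug: the author's string becomes part of the SQL text. This is what
    Book.objects.raw("... WHERE title = '%s'" % title) does."""
    sql = "SELECT title FROM books_book WHERE title = '%s' ORDER BY id" % title
    return [row[0] for row in conn.execute(sql)]


def find_by_title_safe(conn, title):
    """The fix: the value travels separately as a parameter, so the driver never
    parses it as SQL. Django spelling: Book.objects.raw("... WHERE title = %s", [title])
    (Django's placeholder is %s on every backend; bare sqlite3 uses ?)."""
    sql = "SELECT title FROM books_book WHERE title = ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, (title,))]


# Constructed attacker input: closes the string literal, adds an always-true
# clause, and comments out the rest of the statement.
PAYLOAD = "' OR 1=1 --"


def demo():
    conn = make_db()
    return find_by_title_unsafe(conn, PAYLOAD), find_by_title_safe(conn, PAYLOAD)
```

The unsafe version also fails on honest input containing an apostrophe (the unpublished diary), which is usually how these bugs are first noticed; the parameterised version handles both.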

 23. Clickjacking

 24. XFrameOptionsMiddleware
     https://github.com/django/django/blob/master/django/middleware/clickjacking.py

 25. from django.utils.decorators import method_decorator
     from django.views import View
     from django.views.decorators.clickjacking import xframe_options_exempt

     @xframe_options_exempt
     def my_view(request):
         ...

     # method_decorator takes the method name as a string, not the method itself
     @method_decorator(xframe_options_exempt, name='dispatch')
     class MyCBV(View):
         ...

 26. Browsers that honour X-Frame-Options: Internet Explorer 8+, Firefox 3.6.9+, Opera 10.5+, Safari 4+, Chrome 4.1+

 27. Host Header Validation

 28. get_host()
     https://github.com/django/django/blob/master/django/http/request.py#L95

 29. if domain in ALLOWED_HOSTS:
         proceed
     else:
         raise error (DisallowedHost, which Django turns into a 400 response)
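The ALLOWED_HOSTS check behind get_host() on slides 28 and 29, as an added example that is not the talk's and not Django's code: a stand-alone version following the matching rules in django.http.request (exact host, leading-dot pattern that covers a domain and its subdomains, bare "*", optional port, bracketed IPv6 literal), plus a password-reset link builder that shows what the check prevents: with a forged Host header the reset email would carry the victim's token to the attacker's domain. ALLOWED_HOSTS and every Host value here are constructed.

```python
# Added example: a model of HttpRequest.get_host() validation, not Django code.
import re

# Assumed production setting for the NFT site; "*" would switch the check off.
ALLOWED_HOSTS = ["nft.example", ".frogandtoad.example"]

# Same shape as Django's host_validation_re: a hostname or a bracketed IPv6
# literal, with an optional :port. Anything else (an '@', a space) is rejected.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host):
    """Return (domain, port), or ('', '') if the header is not even well-formed."""
    host = host.lower()
    m = HOST_RE.match(host)
    if not m:
        return "", ""
    domain, port = m.groups(default="")
    if domain.endswith("."):          # "nft.example." names the same host
        domain = domain[:-1]
    return domain, port[1:]


def is_same_domain(host, pattern):
    """A pattern starting with '.' matches the domain and all its subdomains;
    any other pattern must match exactly."""
    pattern = pattern.lower()
    if not pattern:
        return False
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return pattern == host


def validate_host(host, allowed_hosts):
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def get_host(host_header, allowed_hosts=ALLOWED_HOSTS):
    """Return the Host value if it validates, else raise (Django raises
    DisallowedHost, which becomes a 400)."""
    domain, port = split_domain_port(host_header)
    if not domain or not validate_host(domain, allowed_hosts):
        raise ValueError("Invalid HTTP_HOST header: %r" % host_header)
    return host_header


def password_reset_link(host_header, token):
    """The kind of URL a reset email builds from the request's host."""
    return "https://%s/reset/%s/" % (get_host(host_header), token)
```

Note what the leading-dot form does and does not allow: `.frogandtoad.example` accepts `frogandtoad.example` and `shop.frogandtoad.example`, but `nft.example.evil.example` never matches `nft.example`, because suffix matching only applies to explicit dot-patterns.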

 30. Passwords

 31. django.contrib.auth.hashers.check_password
     https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
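check_password from slide 31, as an added example that is not Django's code: a stand-alone verifier for Django's `pbkdf2_sha256$iterations$salt$hash` storage format built on hashlib, showing the three things the real function does around the hash comparison: refusing unusable passwords (stored with a leading `!`), comparing in constant time, and calling a `setter` so the caller re-hashes when the stored iteration count is below the current one (Django's `must_update()` path, which is how a site raises its work factor without a mass reset). The iteration count is an assumption (Django 4.0's default); a real deployment dispatches on the algorithm prefix to whichever hasher is configured.

```python
# Added example: Django's PBKDF2 password format, verified with the standard library.
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 390000  # assumed current work factor (Django 4.0 default)
SALT_CHARS = string.ascii_letters + string.digits  # '$' must never appear in a salt


def make_password(password, salt=None, iterations=ITERATIONS):
    """Encode as algorithm$iterations$salt$base64(hash), the on-disk format."""
    salt = salt or "".join(secrets.choice(SALT_CHARS) for _ in range(22))
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), iterations)
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, base64.b64encode(digest).decode("ascii"))


def check_password(password, encoded, setter=None):
    """Return True if `password` matches `encoded`.

    Unusable passwords ("!...") never verify; the comparison is constant-time;
    and when the stored hash is weaker than ITERATIONS, `setter(password)` is
    called so the caller can store an upgraded hash."""
    if password is None or not encoded or encoded.startswith("!"):
        return False
    try:
        algorithm, iterations, salt, _digest = encoded.split("$", 3)
        iterations = int(iterations)
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt, iterations)
    is_correct = hmac.compare_digest(candidate.encode(), encoded.encode())
    if is_correct and setter is not None and iterations < ITERATIONS:
        setter(password)  # only possible at login, when the plaintext is in hand
    return is_correct
```

The setter is the reason Django's `check_password` takes one: the stored hash cannot be strengthened later without the plaintext, so the upgrade has to happen at the moment of a successful login.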

 32. How do we make this better?

 33. Constant Vigilance!

 34. Package updates!

 35. Package Updates
     https://pyup.io/safety/, GitHub dependabot

 36. HTTPS
     https://letsencrypt.org/

 37. HTTPS
     SECURE_SSL_REDIRECT
     SESSION_COOKIE_SECURE
     CSRF_COOKIE_SECURE
     SECURE_BROWSER_XSS_FILTER

 38. HTTPS
     SECURE_HSTS_SECONDS
     SECURE_HSTS_PRELOAD
     SECURE_HSTS_INCLUDE_SUBDOMAINS
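The settings on slides 37 and 38 assembled into a production settings.py fragment, as an added example that is not from the talk. It adds the one setting the slides do not list but that most deployments need, SECURE_PROXY_SSL_HEADER, without which an app behind a TLS-terminating load balancer never sees `request.is_secure()` and SECURE_SSL_REDIRECT redirects in a loop; and it orders the HSTS rollout so a mistake is recoverable. The proxy header name is an assumption about the deployment.

```python
# settings.py, production section. Added example; assumes a reverse proxy that
# terminates TLS and sets X-Forwarded-Proto on the requests it forwards.

SECURE_SSL_REDIRECT = True
# Trust X-Forwarded-Proto: https as proof of TLS. Only safe if the proxy
# overwrites the header on every incoming request, so a client cannot set it.
SECURE_PROXY_SSL_HEADER = ("HTTP_X_FORWARDED_PROTO", "https")

SESSION_COOKIE_SECURE = True
CSRF_COOKIE_SECURE = True

# SECURE_BROWSER_XSS_FILTER (slide 37) was deprecated in Django 3.0 and removed in
# 4.0 along with browser support for X-XSS-Protection; a Content Security Policy
# (slide 39) is the replacement.

# HSTS: start with a short max-age, confirm every subdomain serves HTTPS, then
# raise it. Browsers cache the policy, so a wrong includeSubDomains locks users
# out of any plain-HTTP subdomain until max-age expires.
SECURE_HSTS_SECONDS = 3600               # raise to 31536000 once confident
SECURE_HSTS_INCLUDE_SUBDOMAINS = True
# Preload submission requires max-age >= 1 year plus includeSubDomains and is
# effectively permanent once shipped in browsers; flip this last.
SECURE_HSTS_PRELOAD = False
```

`python manage.py check --deploy` reports which of these are still at their insecure defaults.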

 39. CSP Reporting
     Content Security Policy

 40. django_encrypted_fields
     https://github.com/defrex/django-encrypted-fields

 41. Django Defender
     https://github.com/jazzband/django-defender

 42. Token Vaulting
     https://www.verygoodsecurity.com/

 43. Making Django Ridiculously Secure
     http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
     Account Security Best Practices
     https://pyvideo.org/pycon-us-2019/account-security-patterns-how-logged-in-are-you.html


 45. The End.
     Philip James
     @phildini