Frog and Toad Learn Django Security
Philip James
July 20, 2016
Talk given at DjangoCon US 2016
Transcript
@phildini #djangotoad Frog and Toad Learn Django Security
I have this great idea for a startup!
Bezos Books
• A site for selling books
• Authors have a form where they can put in book information
• That book information gets rendered to a book page
• There is a form on the book page for buying the book
Django!
SECURITY?!?
XSS: Cross-Site Scripting
Input: <script>alert('hello')</script>
Escaped output: &lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;
return mark_safe(
    force_text(text)
    .replace('&', '&amp;')
    .replace('<', '&lt;')
    .replace('>', '&gt;')
    .replace('"', '&quot;')
    .replace("'", '&#39;')
)
django.utils.html https://github.com/django/django/blob/master/django/utils/html.py#L47
Context -> VariableNode -> conditional_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
mark_safe(), |n, |safe
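The escaping chain from the last three slides, as an added example in plain Python (not the talk's code and not Django's own implementation): a marker subclass stands in for Django's SafeString, `escape` applies the same five replacements as the slide, and `conditional_escape` skips anything already marked safe, which is exactly why `mark_safe()` or `|safe` on author-supplied text reintroduces the `<script>` payload.

```python
class SafeString(str):
    """Marker subclass: the template engine will not escape these (stand-in for Django's SafeString)."""


def mark_safe(text):
    # Promise to the template engine that `text` is already safe HTML.
    return SafeString(text)


def escape(text):
    # The same five replacements the slide shows from django.utils.html.escape.
    # '&' must go first, otherwise the entities we just produced would be re-escaped.
    return mark_safe(
        str(text)
        .replace('&', '&amp;')
        .replace('<', '&lt;')
        .replace('>', '&gt;')
        .replace('"', '&quot;')
        .replace("'", '&#39;')
    )


def conditional_escape(text):
    # What VariableNode does for every {{ var }}: leave strings already marked safe alone.
    if isinstance(text, SafeString):
        return text
    return escape(text)


def render_book_page(description):
    # Stand-in for the book page template: {{ description }} inside a <p>.
    return '<p>%s</p>' % conditional_escape(description)


# Constructed sample: what a malicious "author" types into the book form.
PAYLOAD = "<script>alert('hello')</script>"


def demo():
    # Autoescaped rendering neutralises the payload; marking the same
    # untrusted string safe hands it to the browser as live markup.
    autoescaped = render_book_page(PAYLOAD)
    unsafe = render_book_page(mark_safe(PAYLOAD))
    return autoescaped, unsafe
```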
CSRF: Cross-Site Request Forgery
CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
if request is a POST:
    get csrf_token from cookie
    get csrfmiddlewaretoken from request.POST
    if both match: accept
    else: reject
from functools import wraps
from django.utils.decorators import available_attrs

def csrf_exempt(view_func):
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view)
django.views.decorators.csrf.csrf_exempt
@csrf_exempt
def my_view(request):
    …

@method_decorator(csrf_exempt, name='dispatch')
class MyCBV(View):
    ….
if request is a POST and not view.csrf_exempt:
    get csrf_token from cookie
    get csrfmiddlewaretoken from request.POST
    if both match: accept
    else: reject
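The middleware pseudocode and the `csrf_exempt` flag from the slides above, as an added example (not the talk's code and not Django's own CsrfViewMiddleware). It follows the slide's simplified model, a cookie token compared against the form field; real Django additionally masks the token per response. The request dicts and view names are constructed for the example.

```python
import hmac
from functools import wraps


def csrf_exempt(view_func):
    # Same shape as the slide's decorator: wrap the view and flag the wrapper.
    @wraps(view_func)
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wrapped_view


def csrf_check(request, view):
    """Return 'accept' or 'reject' for a request dict, following the slide's pseudocode."""
    if request['method'] != 'POST':
        return 'accept'                       # only unsafe methods are checked
    if getattr(view, 'csrf_exempt', False):
        return 'accept'                       # the view opted out; nothing protects it
    cookie_token = request['cookies'].get('csrftoken')
    form_token = request['POST'].get('csrfmiddlewaretoken')
    if not cookie_token or not form_token:
        return 'reject'
    # Constant-time comparison so the check itself leaks no timing information.
    return 'accept' if hmac.compare_digest(cookie_token, form_token) else 'reject'


def buy_book(request):
    return 'order placed'


@csrf_exempt
def payment_webhook(request):
    # A third-party callback that legitimately cannot carry our token.
    return 'webhook ok'


# Constructed sample requests. The browser attaches the csrftoken cookie to
# both; only a form rendered by our own site carries the matching hidden field.
SAME_SITE_POST = {'method': 'POST',
                  'cookies': {'csrftoken': 'abc123'},
                  'POST': {'csrfmiddlewaretoken': 'abc123', 'book_id': '7'}}
CROSS_SITE_POST = {'method': 'POST',
                   'cookies': {'csrftoken': 'abc123'},
                   'POST': {'book_id': '7'}}
```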
Cookies
SQLi: SQL Injection
[This Slide Intentionally Left Blank]
.extra(), RawSQL(), .raw()
Clickjacking
XFrameOptionsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
@xframe_options_exempt
def my_view(request):
    …

@method_decorator(xframe_options_exempt, name='dispatch')
class MyCBV(View):
    ….
Internet Explorer 8+, Firefox 3.6.9+, Opera 10.5+, Safari 4+, Chrome 4.1+
Host Header Validation
get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
if domain and domain in ALLOWED_HOSTS: proceed
else: raise error
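The `get_host()` check from the slide above, as an added example in plain Python (not the talk's code and not Django's own request.py). It reimplements the ALLOWED_HOSTS matching rules, exact match, a leading dot for a domain plus its subdomains, and `*` for anything, after splitting off the port and a trailing FQDN dot; Django also syntax-checks the host with a regex, which is left out here. The exception class and request dicts are constructed for the example.

```python
class DisallowedHost(Exception):
    """Raised when the Host header is not covered by ALLOWED_HOSTS."""


def split_domain_port(host):
    # Lower-case, separate an optional :port, and drop a trailing FQDN dot.
    host = host.lower()
    if host.startswith('['):                  # IPv6 literal such as [::1]:8000
        end = host.find(']')
        if end == -1:
            return '', ''
        domain, rest = host[:end + 1], host[end + 1:]
        return domain, (rest[1:] if rest.startswith(':') else '')
    if host.count(':') == 1:
        domain, port = host.split(':')
    else:
        domain, port = host, ''
    return domain.rstrip('.'), port


def validate_host(domain, allowed_hosts):
    # '*' matches everything, '.example.com' matches the domain and any
    # subdomain, anything else must match exactly.
    for pattern in allowed_hosts:
        if pattern == '*':
            return True
        if pattern.startswith('.'):
            if domain == pattern[1:] or domain.endswith(pattern):
                return True
        elif domain == pattern:
            return True
    return False


def get_host(meta, allowed_hosts):
    # Mirrors the slide's pseudocode: proceed only when a domain is present
    # and allowed, otherwise raise so the request never reaches a view.
    raw = meta.get('HTTP_HOST') or meta.get('SERVER_NAME', '')
    domain, _port = split_domain_port(raw)
    if domain and validate_host(domain, allowed_hosts):
        return raw
    raise DisallowedHost('Invalid HTTP_HOST header: %r' % raw)
```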
Passwords
django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
How do we make this better?
Constant Vigilance!
HTTPS
CSP Reporting: Content Security Policy
django_encrypted_fields https://github.com/defrex/django-encrypted-fields
django-secure http://django-secure.readthedocs.org/en/v0.1.2/
Pony Checkup https://www.ponycheckup.com/
Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
The End. Philip James @phildini http://bit.ly/djangotoad