Frog and Toad Learn Django Security

Transcript

1. @phildini #djangotoad Frog and Toad Learn Django Security

2. @phildini #djangotoad I have this great idea for a startup!

3. @phildini #djangotoad Bezos Books • A site for selling books

   • Authors have a form where they can put in book informaDon • That book informaDon gets rendered to a book page • There is a form on the book page for buying the book

4. @phildini #djangotoad Django!

5. @phildini #djangotoad SECURITY?!?

6. @phildini #djangotoad XSS Cross-Site ScripDng

7. @phildini #djangotoad <script>alert(‘hello’)</script> &lt;script&gt;alert(&#39;hello&#39;)&lt;/script&gt;

8. @phildini #djangotoad return mark_safe( force_text(text) .replace('&', '&amp;') .replace('<', '&lt;') .replace('>',

   '&gt;') .replace('"', '&quot;') .replace("'", '&#39;') )

9. @phildini #djangotoad django.uDls.html https://github.com/django/django/blob/master/django/utils/html.py#L47

10. @phildini #djangotoad Context -> VariableNode -> condiDonal_escape -> escape https://github.com/django/django/blob/master/django/template/base.py

11. @phildini #djangotoad mark_safe(), | n, | safe

12. @phildini #djangotoad CSRF Cross-Site Request Forgery

13. @phildini #djangotoad CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py

14. @phildini #djangotoad if request is a POST: get csrf_token from

    cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

15. @phildini #djangotoad def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)

    wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_airs(view_func) )(wrapped_view)

16. @phildini #djangotoad django.views.decorators.csrf.csrf_exempt

17. @phildini #djangotoad @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):

    ….

18. @phildini #djangotoad if request is a POST and not view.csrf_exempt:

    get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject

19. @phildini #djangotoad Cookies

20. @phildini #djangotoad SQLi SQL InjecDon

21. @phildini #djangotoad [This Slide IntenDonally Len Blank]

22. @phildini #djangotoad .extra(), RawSQL(), .raw()

23. @phildini #djangotoad Clickjacking

24. @phildini #djangotoad XFrameOpDonsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py

25. @phildini #djangotoad @xframe_op1ons_exempt def my_view(request): … @method_decorator(xframe_op1ons_exempt, dispatch) class MyCBV(View):

    ….

26. @phildini #djangotoad Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari

    4+ Chrome 4.1+

27. @phildini #djangotoad Host Header ValidaDon

28. @phildini #djangotoad get_host() https://github.com/django/django/blob/master/django/http/request.py#L95

29. @phildini #djangotoad if domain and in ALLOWED_HOSTS: proceed else: raise

    error

30. @phildini #djangotoad Passwords

31. @phildini #djangotoad django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py

32. @phildini #djangotoad How do we make this beier?

33. @phildini #djangotoad Constant Vigilance!

34. @phildini #djangotoad HTTPS

35. @phildini #djangotoad CSP ReporDng Content Security Policy

36. @phildini #djangotoad django_encrypted_fields hips:/ /github.com/defrex/django-encrypted-fields

37. @phildini #djangotoad django-secure hip:/ /django-secure.readthedocs.org/en/v0.1.2/

38. @phildini #djangotoad Pony Checkup hips:/ /www.ponycheckup.com/

39. @phildini #djangotoad Making Django Ridiculously Secure hip:/ /nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/

40. @phildini #djangotoad

41. @phildini #djangotoad The End. Philip James @phildini hip:/ /bit.ly/djangotoad