Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Frog and Toad Learn Django Security
Search
Philip James
July 20, 2016
Technology
0
150
Frog and Toad Learn Django Security
Talk given at DjangoCon US 2016
Philip James
July 20, 2016
Tweet
Share
More Decks by Philip James
See All by Philip James
Frog and Toad Learn about Django Security - NBT6
phildini
0
26
The Elephant and the Serpent (PyLatam 2019)
phildini
0
67
Account Security for the Fashionable App Developer
phildini
1
66
All in the Timing: Side-Channel Attacks
phildini
0
64
Giving Thanks
phildini
0
45
All in the Timing: Side-Channel Attacks in Python
phildini
0
420
API-Driven Django
phildini
1
400
Type uWSGI; Press Enter; What Happens?
phildini
0
97
Type uWSGI; Press Enter; What Happens?
phildini
1
79
Other Decks in Technology
See All in Technology
ZOZOマッチのアーキテクチャと技術構成
zozotech
PRO
3
1.4k
AI時代に非連続な成長を実現するエンジニアリング戦略
sansantech
PRO
3
1.2k
Codeful Serverless / 一人運用でもやり抜く力
_kensh
7
360
データアナリストからアナリティクスエンジニアになった話
hiyokko_data
2
430
Terraformで構築する セルフサービス型データプラットフォーム / terraform-self-service-data-platform
pei0804
1
110
AIのグローバルトレンド2025 #scrummikawa / global ai trend
kyonmm
PRO
1
260
DevIO2025_継続的なサービス開発のための技術的意思決定のポイント / how-to-tech-decision-makaing-devio2025
nologyance
1
350
テストを軸にした生き残り術
kworkdev
PRO
0
190
AWSで始める実践Dagster入門
kitagawaz
1
550
機械学習を扱うプラットフォーム開発と運用事例
lycorptech_jp
PRO
0
210
5分でカオスエンジニアリングを分かった気になろう
pandayumi
0
170
Webブラウザ向け動画配信プレイヤーの 大規模リプレイスから得た知見と学び
yud0uhu
0
220
Featured
See All Featured
Git: the NoSQL Database
bkeepers
PRO
431
66k
The Invisible Side of Design
smashingmag
301
51k
CoffeeScript is Beautiful & I Never Want to Write Plain JavaScript Again
sstephenson
162
15k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
187
54k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
kevinliebholz
34
6k
Principles of Awesome APIs and How to Build Them.
keavy
126
17k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
15
1.6k
Testing 201, or: Great Expectations
jmmastey
45
7.6k
BBQ
matthewcrist
89
9.8k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
Bash Introduction
62gerente
615
210k
Transcript
@phildini #djangotoad Frog and Toad Learn Django Security
@phildini #djangotoad I have this great idea for a startup!
@phildini #djangotoad Bezos Books • A site for selling books
• Authors have a form where they can put in book informaDon • That book informaDon gets rendered to a book page • There is a form on the book page for buying the book
@phildini #djangotoad Django!
@phildini #djangotoad SECURITY?!?
@phildini #djangotoad XSS Cross-Site ScripDng
@phildini #djangotoad <script>alert(‘hello’)</script> <script>alert('hello')</script>
@phildini #djangotoad return mark_safe( force_text(text) .replace('&', '&') .replace('<', '<') .replace('>',
'>') .replace('"', '"') .replace("'", ''') )
@phildini #djangotoad django.uDls.html https://github.com/django/django/blob/master/django/utils/html.py#L47
@phildini #djangotoad Context -> VariableNode -> condiDonal_escape -> escape https://github.com/django/django/blob/master/django/template/base.py
@phildini #djangotoad mark_safe(), | n, | safe
@phildini #djangotoad CSRF Cross-Site Request Forgery
@phildini #djangotoad CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py
@phildini #djangotoad if request is a POST: get csrf_token from
cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #djangotoad def csrf_exempt(view_func): def wrapped_view(*args, **kwargs): return view_func(*args, **kwargs)
wrapped_view.csrf_exempt = True return wraps( view_func, assigned=available_airs(view_func) )(wrapped_view)
@phildini #djangotoad django.views.decorators.csrf.csrf_exempt
@phildini #djangotoad @csrf_exempt def my_view(request): … @method_decorator(csrf_exempt, dispatch) class MyCBV(View):
….
@phildini #djangotoad if request is a POST and not view.csrf_exempt:
get csrf_token from cookie get csrfmiddlewaretoken from request.POST if both match: accept else: reject
@phildini #djangotoad Cookies
@phildini #djangotoad SQLi SQL InjecDon
@phildini #djangotoad [This Slide IntenDonally Len Blank]
@phildini #djangotoad .extra(), RawSQL(), .raw()
@phildini #djangotoad Clickjacking
@phildini #djangotoad XFrameOpDonsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py
@phildini #djangotoad @xframe_op1ons_exempt def my_view(request): … @method_decorator(xframe_op1ons_exempt, dispatch) class MyCBV(View):
….
@phildini #djangotoad Internet Explorer 8+ Firefox 3.6.9+ Opera 10.5+ Safari
4+ Chrome 4.1+
@phildini #djangotoad Host Header ValidaDon
@phildini #djangotoad get_host() https://github.com/django/django/blob/master/django/http/request.py#L95
@phildini #djangotoad if domain and in ALLOWED_HOSTS: proceed else: raise
error
@phildini #djangotoad Passwords
@phildini #djangotoad django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py
@phildini #djangotoad How do we make this beier?
@phildini #djangotoad Constant Vigilance!
@phildini #djangotoad HTTPS
@phildini #djangotoad CSP ReporDng Content Security Policy
@phildini #djangotoad django_encrypted_fields hips:/ /github.com/defrex/django-encrypted-fields
@phildini #djangotoad django-secure hip:/ /django-secure.readthedocs.org/en/v0.1.2/
@phildini #djangotoad Pony Checkup hips:/ /www.ponycheckup.com/
@phildini #djangotoad Making Django Ridiculously Secure hip:/ /nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/
@phildini #djangotoad
@phildini #djangotoad The End. Philip James @phildini hip:/ /bit.ly/djangotoad