Slide 1

Secure Web Applications, Using Django as an Example
Markus Zapke-Gründemann, LinuxTag 2014

Slide 2

Markus Zapke-Gründemann
Software developer since 2001
Python, Django and Mercurial
Owner of transcode
Board member of the Deutscher Django-Verein (German Django Association)
keimlink.de // @keimlink

Slide 3

Introduction

Slide 4

Django
Python web application framework
Open source (BSD license)
Rapid development
Model Template View (MTV)
Object Relational Mapper (ORM)
www.djangoproject.com

Slide 5

OWASP
Open Web Application Security Project
Non-profit organisation
All materials published under a free license
www.owasp.org

Slide 6

OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project

Slides 7 to 17 (the list is built up one item per slide)

OWASP Top 10
1. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10. Unvalidated Redirects and Forwards

Slide 18

SQL Injection

>>> cmd = "UPDATE animals SET name='%s' WHERE id='%s'" % (name, id)
>>> cursor.execute(cmd)

Slide 19

SQL Injection
"Exploits of a Mom" by Randall Munroe (cc-by-nc)

Slide 20

SQL Injection
"Exploits of a Mom" by Randall Munroe (cc-by-nc)
Sanitize database input!

Slide 21

SQL Injection

>>> from animals.models import Animal
>>> Animal.objects.filter(id=id).update(name=name)
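As an added example (not code from the talk), the slide-18 string formatting and the parameter binding that the ORM call on slide 21 performs underneath are run side by side on an in-memory SQLite table. The table, its rows, the function names and the two inputs are all constructed here; Django itself is not needed because the only thing being shown is how the values reach the database.

```python
import sqlite3


def make_db():
    """Constructed in-memory stand-in for the 'animals' table on the slides."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE animals (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO animals (id, name) VALUES (?, ?)",
                     [(1, "cat"), (2, "dog"), (3, "horse")])
    conn.commit()
    return conn


def rename_vulnerable(conn, animal_id, name):
    """The pattern from slide 18: the values are pasted into the SQL text with %,
    so a quote inside `name` becomes part of the statement itself."""
    cmd = "UPDATE animals SET name='%s' WHERE id='%s'" % (name, animal_id)
    conn.execute(cmd)
    conn.commit()


def rename_parameterized(conn, animal_id, name):
    """What the ORM call on slide 21 does underneath: the SQL text is fixed and the
    values are bound separately, so input can never change the statement's shape."""
    conn.execute("UPDATE animals SET name = ? WHERE id = ?", (name, animal_id))
    conn.commit()


def names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM animals ORDER BY id")]


def vulnerable_result(name):
    """Rename animal 1 with the slide-18 code on a fresh table. Returns the names
    afterwards, or 'error' if the input broke the statement."""
    conn = make_db()
    try:
        rename_vulnerable(conn, 1, name)
    except sqlite3.OperationalError:
        return "error"
    return names(conn)


def parameterized_result(name):
    """Same rename with a bound parameter; the input is stored exactly as given."""
    conn = make_db()
    rename_parameterized(conn, 1, name)
    return names(conn)


if __name__ == "__main__":
    for user_input in ("O'Brien", "x' WHERE 1=1 --"):
        print(repr(user_input))
        print("  string formatting:", vulnerable_result(user_input))
        print("  bound parameter:  ", parameterized_result(user_input))
```

An apostrophe in an ordinary name is already enough to break the formatted statement; with the second input the WHERE clause is commented out and every row is renamed, while the bound parameter simply stores the whole string as the name of row 1.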

Slide 22

Broken Authentication and Session Management

http://example.com/sale/saleitems;sessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii

Slide 23

Cross-Site Scripting (XSS)

Template:

Preparation
{{ recipe.preparation }}

Stored value of recipe.preparation (entered by a user): a <script> element calling alert('The best recipe in the world!'), followed by the text "Heat the water in the pot to 100 °C."

Rendered with Django's default autoescaping, the markup is escaped and the browser shows it as text instead of running it:

<script>alert('The best recipe in the world!')</script>
Heat the water in the pot to 100 °C.

Slide 24

Cross-Site Scripting (XSS)

Template:

Preparation
{{ recipe.preparation|safe }}

Same stored value, but the safe filter turns escaping off, so the markup is sent to the browser unchanged and the script runs:

<p><script>alert('The best recipe in the world!')</script></p> <p>Heat the water in the pot to 100 °C.</p>
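Added example (not the talk's code and not Django's implementation): the behaviour of slides 23 and 24 reduced to a few lines, using Python's html.escape in place of Django's autoescaping and a marker string type in place of the safe filter. The recipe text is the constructed sample from the slides; SafeString, mark_safe and render_variable are names chosen for this example.

```python
import html


class SafeString(str):
    """Marker type for markup the developer vouches for. This is the role of the
    |safe filter (or mark_safe) in Django: escaping is switched off for the value."""


def mark_safe(markup):
    return SafeString(markup)


def render_variable(value):
    """Django's autoescaping in one line: every value is escaped unless marked safe."""
    if isinstance(value, SafeString):
        return str(value)
    return html.escape(str(value), quote=True)


# Constructed sample: what an untrusted user typed into the recipe's preparation field.
PREPARATION = ("<script>alert('The best recipe in the world!')</script>"
               "<p>Heat the water in the pot to 100 °C.</p>")


def render_escaped():
    """Slide 23, {{ recipe.preparation }}: the markup is shown as text."""
    return "<p>" + render_variable(PREPARATION) + "</p>"


def render_with_safe():
    """Slide 24, {{ recipe.preparation|safe }}: the markup reaches the browser as is."""
    return "<p>" + render_variable(mark_safe(PREPARATION)) + "</p>"


def contains_live_script(markup):
    """True if a real <script> element survived rendering, i.e. the page is exploitable."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    print(render_escaped())
    print(render_with_safe())
```

The rule that follows from the two outputs: |safe is only ever applied to markup the application produced itself; content that came from a user goes through the escaping path, or through a whitelist-based HTML sanitizer before it is marked safe.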

Slide 25

Security Misconfiguration

DEBUG = True

Slide 26

Sensitive Data Exposure

>>> from django.contrib.auth.models import User
>>> User.objects.get(pk=1).password
u'pbkdf2_sha256$10000$sDN75YuuoUWi$Ua/H364jPAPTPBiAyJ1fc0uB4ClzQD5yGFisYrxCo40='
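Added example (not from the talk, and not Django's hasher code): how a value like the one on the slide is produced and verified. It uses the same layout, algorithm$iterations$salt$base64(digest), with PBKDF2-HMAC-SHA256 from the standard library; the 10000 iterations match the slide, which reflects Django's default at the time, and a higher count should be used today. The password and the salt in the test are constructed; the function names are this example's.

```python
import base64
import hashlib
import hmac
import secrets
import string

ALGORITHM = "pbkdf2_sha256"
DEFAULT_ITERATIONS = 10000   # value on the slide; raise it for a current deployment


def generate_salt(length=12):
    """Random alphanumeric salt of the same length as the one on the slide."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def make_password(password, salt=None, iterations=DEFAULT_ITERATIONS):
    """Encode a password as algorithm$iterations$salt$base64(PBKDF2-HMAC-SHA256)."""
    if salt is None:
        salt = generate_salt()
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("ascii"), iterations)
    encoded_digest = base64.b64encode(digest).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, encoded_digest)


def check_password(password, encoded):
    """Re-derive the hash with the stored salt and iteration count and compare in
    constant time. The stored value cannot be turned back into the password, which
    is why the database holds this string and never the password itself."""
    try:
        algorithm, iterations, salt, _ = encoded.split("$", 3)
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    candidate = make_password(password, salt, int(iterations))
    return hmac.compare_digest(candidate.encode("utf-8"), encoded.encode("utf-8"))


if __name__ == "__main__":
    stored = make_password("correct horse battery staple")
    print(stored)
    print(check_password("correct horse battery staple", stored))
    print(check_password("password123", stored))
```

Hashing limits the damage of a leak, it does not remove it: a disclosed hash can be guessed against offline at the rate the iteration count allows, so the password column is still sensitive data and does not belong in logs, API responses or debug pages.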

Slide 27

Cross-Site Request Forgery (CSRF)

http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

Slide 28

Cross-Site Request Forgery (CSRF)

{{ form.as_p }}
{% csrf_token %}
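Added example covering slides 27 and 28 (this is not Django's CsrfViewMiddleware, only a small re-implementation of the check it performs): a token is issued per session and written into the form as the hidden field csrfmiddlewaretoken, which is the name {% csrf_token %} really uses; a request that changes state is refused unless it carries that token. Requests and sessions are plain dicts constructed here; the transfer parameters are the ones from the slide-27 URL.

```python
import hmac
import secrets

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def issue_csrf_token(session):
    """Create, once per session, the secret that {% csrf_token %} renders into
    the form as the hidden field csrfmiddlewaretoken."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(32)
    return session["csrf_token"]


def csrf_protect(view):
    """Decorator in the role of the CSRF middleware: a state-changing request must
    carry the token that belongs to the requester's own session."""
    def wrapper(request):
        if request["method"] in SAFE_METHODS:
            return view(request)
        expected = request["session"].get("csrf_token", "")
        submitted = request["form"].get("csrfmiddlewaretoken", "")
        if not expected or not hmac.compare_digest(expected.encode("utf-8"),
                                                   submitted.encode("utf-8")):
            return 403, "CSRF verification failed"
        return view(request)
    return wrapper


@csrf_protect
def transfer_funds(request):
    amount = int(request["form"]["amount"])
    destination = request["form"]["destinationAccount"]
    return 200, "transferred %d to account %s" % (amount, destination)


def forged_request(session):
    """Constructed cross-site POST: the browser attaches the victim's session, but
    the foreign page cannot read the token, so the hidden field is missing."""
    return {"method": "POST", "session": session,
            "form": {"amount": "1500", "destinationAccount": "4673243243"}}


def legitimate_request(session):
    """Constructed POST from the site's own form, which rendered {% csrf_token %}."""
    return {"method": "POST", "session": session,
            "form": {"amount": "1500", "destinationAccount": "4673243243",
                     "csrfmiddlewaretoken": issue_csrf_token(session)}}


if __name__ == "__main__":
    session = {}
    print(transfer_funds(forged_request(session)))
    print(transfer_funds(legitimate_request(session)))
```

Two caveats a practitioner would check: the slide-27 URL performs the transfer with a GET, and no CSRF check covers safe methods, so the first step is to make such actions POST-only; and Django's real middleware binds the token to a cookie rather than the server-side session, but the comparison it makes is the same as above.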

Slide 29

Cross-Site Request Forgery (CSRF)
...

Slide 30

Clickjacking

Enable the X-Frame-Options header:

MIDDLEWARE_CLASSES = (
    ...
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    ...
)
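Added example, not Django's middleware source: a simplified version of what XFrameOptionsMiddleware does once it is in the list above, so its rules can be seen in isolation. Requests and responses are plain dicts constructed here; the header value SAMEORIGIN was Django's default at the time of the talk, and the xframe_options_exempt flag stands in for Django's decorator of that name.

```python
def x_frame_options_middleware(get_response, default="SAMEORIGIN"):
    """Wrap a view so that every response carries X-Frame-Options, unless the view
    set the header itself or explicitly opted out. DENY is the stricter value."""
    def middleware(request):
        response = get_response(request)
        if response.get("xframe_options_exempt"):
            return response
        headers = response.setdefault("headers", {})
        if not any(name.lower() == "x-frame-options" for name in headers):
            headers["X-Frame-Options"] = default
        return response
    return middleware


# Constructed views: an ordinary page, one that sets a stricter policy itself,
# and one that is meant to be embedded by other sites.
def account_view(request):
    return {"status": 200, "body": "<h1>Account</h1>", "headers": {}}


def transfer_form_view(request):
    return {"status": 200, "body": "<form>...</form>",
            "headers": {"X-Frame-Options": "DENY"}}


def embeddable_widget_view(request):
    return {"status": 200, "body": "<div>widget</div>", "headers": {},
            "xframe_options_exempt": True}


def frame_policy(view):
    """Run a view through the middleware and return the resulting header value."""
    response = x_frame_options_middleware(view)({"path": "/"})
    return response["headers"].get("X-Frame-Options")


if __name__ == "__main__":
    for view in (account_view, transfer_form_view, embeddable_widget_view):
        print(view.__name__, "->", frame_policy(view))
```

The check for a deployment is the same as the test below: request a page and confirm the header is present; a page that is exempt should be one that contains no action worth tricking a user into clicking.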

Slide 31

Information Leakage

Slide 32

Tools
OWASP Cheat Sheet Series
HackBar
Tamper Data
sqlmap
Scapy
dsniff

Slide 33

Django Apps
django-secure
django-configurations
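Added example serving slide 25 (DEBUG = True) and this slide: a hypothetical settings checker in the spirit of what django-secure does, written for this page rather than taken from that project, so its function names, messages and the exact checks are this example's. The setting names are real Django settings; the SECRET_KEY thresholds (at least 50 characters, at least 5 distinct ones) are assumed from Django's own deployment checks. Both settings dicts are constructed.

```python
XFRAME_MIDDLEWARE = "django.middleware.clickjacking.XFrameOptionsMiddleware"


def check_settings(settings):
    """Return a list of findings for a Django settings module given as a dict."""
    findings = []
    if settings.get("DEBUG", False):
        findings.append("DEBUG is True: tracebacks, settings and SQL are shown to visitors")
    if not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS is empty: the Host header is not validated")
    key = settings.get("SECRET_KEY", "")
    if len(key) < 50 or len(set(key)) < 5:
        findings.append("SECRET_KEY is too short or too repetitive")
    for name in ("SESSION_COOKIE_SECURE", "CSRF_COOKIE_SECURE"):
        if not settings.get(name, False):
            findings.append("%s is not True: the cookie can travel over plain HTTP" % name)
    if XFRAME_MIDDLEWARE not in settings.get("MIDDLEWARE_CLASSES", ()):
        findings.append("XFrameOptionsMiddleware is missing: pages can be framed")
    return findings


# Constructed settings: a development configuration like slide 25, and a hardened one.
DEV_SETTINGS = {"DEBUG": True, "SECRET_KEY": "changeme", "MIDDLEWARE_CLASSES": ()}

PROD_SETTINGS = {
    "DEBUG": False,
    "ALLOWED_HOSTS": ["www.example.com"],
    "SECRET_KEY": "j8#fd!x2q" * 6,   # placeholder only; generate a random key
    "SESSION_COOKIE_SECURE": True,
    "CSRF_COOKIE_SECURE": True,
    "MIDDLEWARE_CLASSES": ("django.middleware.common.CommonMiddleware",
                           XFRAME_MIDDLEWARE),
}


if __name__ == "__main__":
    for label, settings in (("development", DEV_SETTINGS), ("production", PROD_SETTINGS)):
        print(label)
        for finding in check_settings(settings) or ["no findings"]:
            print("  -", finding)
```

Running such a check in the deployment pipeline turns the one-line misconfiguration on slide 25 into a failed build instead of a stack trace served to the public.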

Slide 34

Making Code (More) Secure
Code review
Security scanner
Security audit

Slide 35

Thanks!
www.transcode.de
@keimlink