Slide 1

@phildini #djangotoad Frog and Toad Learn Django Security

Slide 2

I have this great idea for a startup!

Slide 3

Bezos Books
• A site for selling books
• Authors have a form where they can put in book information
• That book information gets rendered to a book page
• There is a form on the book page for buying the book

Slide 4

Django!

Slide 5

SECURITY?!?

Slide 6

XSS: Cross-Site Scripting

Slide 7

alert('hello')

<script>alert('hello')</script>

Slide 8

from django.utils.encoding import force_text
from django.utils.safestring import mark_safe

def escape(text):
    # Replace the five HTML metacharacters with entities. '&' must be
    # handled first so the entities produced below are not re-escaped.
    return mark_safe(
        force_text(text)
        .replace('&', '&amp;')
        .replace('<', '&lt;')
        .replace('>', '&gt;')
        .replace('"', '&quot;')
        .replace("'", '&#39;')
    )

Slide 9

django.utils.html https://github.com/django/django/blob/master/django/utils/html.py#L47

Slide 10

Context -> VariableNode -> conditional_escape -> escape https://github.com/django/django/blob/master/django/template/base.py

Slide 11

mark_safe(), | n, | safe
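The auto-escaping path from slides 8 to 11 as an added standalone Python example; this is not the slides' or Django's own code, and SafeString, render_book_page and SAMPLE_TITLE are simplified stand-ins for the real django.utils.safestring and template machinery.

```python
# Added example: a minimal model of Django's autoescape pipeline
# (escape -> mark_safe -> conditional_escape), re-implemented standalone.
# Function names mirror django.utils.html; bodies are simplified.

class SafeString(str):
    """Marks text that is already HTML-safe (what mark_safe returns)."""


def escape(text):
    """Slide 8: replace the five HTML metacharacters with entities.
    '&' goes first so the entities produced below are not re-escaped.
    Like Django's escape(), this escapes again if given a SafeString."""
    return SafeString(
        str(text)
        .replace('&', '&amp;')
        .replace('<', '&lt;')
        .replace('>', '&gt;')
        .replace('"', '&quot;')
        .replace("'", '&#39;')
    )


def mark_safe(text):
    """Opt out of escaping: the caller vouches that text is safe HTML.
    This is what the |safe filter does inside a template."""
    return text if isinstance(text, SafeString) else SafeString(text)


def conditional_escape(text):
    """Slide 10: what VariableNode applies under autoescape.
    Safe strings pass through untouched, so nothing is double-escaped."""
    if isinstance(text, SafeString):
        return text
    return escape(text)


def render_book_page(title, description):
    """Toy version of the Bezos Books book page (slide 3): author-supplied
    fields are interpolated into HTML under autoescape."""
    return '<h1>%s</h1><p>%s</p>' % (
        conditional_escape(title), conditional_escape(description))


# Constructed sample input: an author submits the slide 7 payload as a title.
SAMPLE_TITLE = "<script>alert('hello')</script>"
```

Passing the title through mark_safe (or |safe in the template) is the only way that script tag reaches the page unescaped, which is why those opt-outs are the lines to audit.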

Slide 12

CSRF: Cross-Site Request Forgery

Slide 13

CsrfViewMiddleware https://github.com/django/django/blob/master/django/middleware/csrf.py

Slide 14

if request is a POST:
    get csrf_token from cookie
    get csrfmiddlewaretoken from request.POST
    if both match:
        accept
    else:
        reject

Slide 15

from functools import wraps
from django.utils.decorators import available_attrs

def csrf_exempt(view_func):
    # Wrap the view unchanged; the only effect is the csrf_exempt flag,
    # which CsrfViewMiddleware checks before enforcing the token.
    def wrapped_view(*args, **kwargs):
        return view_func(*args, **kwargs)
    wrapped_view.csrf_exempt = True
    return wraps(view_func, assigned=available_attrs(view_func))(wrapped_view)

Slide 16

django.views.decorators.csrf.csrf_exempt

Slide 17

@csrf_exempt
def my_view(request):
    …

@method_decorator(csrf_exempt, name='dispatch')
class MyCBV(View):
    …

Slide 18

if request is a POST and not view.csrf_exempt:
    get csrf_token from cookie
    get csrfmiddlewaretoken from request.POST
    if both match:
        accept
    else:
        reject

Slide 19

Cookies

Slide 20

SQLi: SQL Injection

Slide 21

[This Slide Intentionally Left Blank]

Slide 22

.extra(), RawSQL(), .raw()

Slide 23

Clickjacking

Slide 24

XFrameOptionsMiddleware https://github.com/django/django/blob/master/django/middleware/clickjacking.py

Slide 25

@xframe_options_exempt
def my_view(request):
    …

@method_decorator(xframe_options_exempt, name='dispatch')
class MyCBV(View):
    …

Slide 26

Internet Explorer 8+
Firefox 3.6.9+
Opera 10.5+
Safari 4+
Chrome 4.1+

Slide 27

Host Header Validation

Slide 28

get_host() https://github.com/django/django/blob/master/django/http/request.py#L95

Slide 29

if domain is in ALLOWED_HOSTS:
    proceed
else:
    raise error

Slide 30

Passwords

Slide 31

django.contrib.auth.hashers.check_password https://github.com/django/django/blob/master/django/contrib/auth/hashers.py

Slide 32

How do we make this better?

Slide 33

Constant Vigilance!

Slide 34

HTTPS

Slide 35

CSP Reporting (Content Security Policy)

Slide 36

django_encrypted_fields https://github.com/defrex/django-encrypted-fields

Slide 37

django-secure http://django-secure.readthedocs.org/en/v0.1.2/

Slide 38

Pony Checkup https://www.ponycheckup.com/

Slide 39

Making Django Ridiculously Secure http://nerd.kelseyinnis.com/blog/2015/09/08/making-django-really-really-ridiculously-secure/

Slide 40


Slide 41

The End. Philip James @phildini http://bit.ly/djangotoad