Slide 1

Oh, I Found a Security Issue #DjangoCPH 2018 • @m_holtermann

Slide 2

I’m Markus Holtermann • @m_holtermann • github.com/MarkusH • markusholtermann.eu • Django Core Developer • Software Engineer at @laterpay • laterpay.net

Slide 3

Date: Tue, 4 Apr 2017 08:31:25 -0700 (PDT)
From: Tim Graham <*****@gmail.com>
To: django-announce
Subject: [django-announce] Django security releases issued: 1.10.7, 1.9.13, and 1.8.18

Today the Django team issued 1.10.7, 1.9.13, and 1.8.18 as part of our security process. These releases address two security issues, and we encourage all users to upgrade as soon as possible:

https://www.djangoproject.com/weblog/2017/apr/04/security-releases/

As a reminder, we ask that potential security issues be reported via private email to [email protected] and not via Django's Trac instance or the django-developers list. Please see https://www.djangoproject.com/security for further information.

Slide 4

Django’s Security Policy https://docs.djangoproject.com/en/dev/internals/security/

Slide 5

Django’s Security Report & Release Process

Slide 6

Report to [email protected]

Slide 7

Assessing the reported issue

Slide 8

Fixing the issue

Slide 9

Confirming the fix

Slide 10

Pre-notification

Slide 11

Release

Slide 12

Announcement

Slide 13

Bounty

Slide 14

How to apply this?

Slide 19

● Set up a reporting channel
● Monitor the reporting channel
● Fix the issue
● Release & Announce
● Learn from it

Slide 20

Django’s History https://docs.djangoproject.com/en/dev/releases/security/

Slide 21

Reassuringly secure. Django takes security seriously and helps developers avoid many common security mistakes.

Slide 22

Number of CVEs per year

Slide 23

CVEs per classification

Slide 24

XSS: Cross Site Scripting

var json = {{ data|json.dumps|safe }};

Slide 25

Avoiding XSS

var json = JSON.parse("{{ data | escapejs }}");

https://code.djangoproject.com/ticket/17419

Slide 26

Avoiding XSS

In your .js file (with jQuery):

$('#json2').data('foo')

https://code.djangoproject.com/ticket/17419

Slide 27

CSRF Cross Site Request Forgery

Slide 28

DoS Denial of Service

Slide 29

Unvalidated Redirects

http://yoursite.eu/login?next=mysite.eu

Slide 30

Header Poisoning

POST /password_reset/ HTTP/1.1
Host: somethingevil.com
Content-Type: …urlencoded

email=your_email&action=reset

Slide 31

RCE: Remote Code Execution

pickle.loads("cposix\nsystem\np0\n(S'ls'…")

exec/eval

Slide 32

Authentication/Authorization Failure

from django.contrib.auth.decorators import login_required
from django.contrib.auth.models import User
from django.shortcuts import redirect

@login_required()
def delete_user(request, uid):
    # Authenticated, but never authorized: any logged-in user can delete any uid.
    User.objects.filter(id=uid).delete()
    return redirect('index')

Slide 33

Directory Traversal

os.path.join(MEDIA_ROOT, "../../settings.py")
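Added example, not from the talk: the slide's join() call beside a containment check that rejects paths leaving MEDIA_ROOT. MEDIA_ROOT and the sample paths are constructed here; in a Django project the root comes from settings.MEDIA_ROOT.

```python
import posixpath

# Constructed sample value; in a Django project this is settings.MEDIA_ROOT.
MEDIA_ROOT = "/srv/app/media"


def unsafe_media_path(user_path):
    """The pattern from the slide: join() trusts the user-controlled segment.

    '../' walks out of MEDIA_ROOT, and an absolute segment makes join()
    discard MEDIA_ROOT altogether.
    """
    return posixpath.normpath(posixpath.join(MEDIA_ROOT, user_path))


def safe_media_path(user_path):
    """Resolve the request and refuse anything that leaves MEDIA_ROOT.

    Returns the resolved path, or None when the path escapes the root.
    posixpath keeps the example off the disk; for real files use
    os.path.realpath() so symlinks are resolved before the check.
    """
    root = posixpath.normpath(MEDIA_ROOT)
    candidate = posixpath.normpath(posixpath.join(root, user_path))
    # commonpath() is the containment test; a startswith() check would
    # wrongly accept /srv/app/media-private/... as inside /srv/app/media.
    if posixpath.commonpath([root, candidate]) != root:
        return None
    return candidate


if __name__ == "__main__":
    samples = ["avatars/u1.png", "../../settings.py", "/etc/passwd",
               "../media-private/k"]
    for p in samples:
        print("%-20s unsafe=%-26s safe=%s"
              % (p, unsafe_media_path(p), safe_media_path(p)))
```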

Slide 34

Information Leakage

Slide 35

OWASP Top 10 https://www.owasp.org/

Slide 36

Thank you! Also thanks to @fapolloner who helped me prep this talk @m_holtermann