Skip this Video
Download Presentation
Django Security

Loading in 2 Seconds...

play fullscreen
1 / 24

Django Security - PowerPoint PPT Presentation

  • Uploaded on

Django Security. About Me. Levi Gross Chapter Leader at OWASP NYC Security Consultant at Matasano Previously responsible for the development and security of a large Django application. What is Django. A web application framework written in Python MVC “Secure” by default

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' Django Security' - thy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
about me
About Me
  • Levi Gross
  • Chapter Leader at OWASP NYC
  • Security Consultant at Matasano
  • Previously responsible for the development and security of a large Django application.
what is django
What is Django
  • A web application framework written in Python
    • MVC
  • “Secure” by default
  • Loosely coupled by default
  • Batteries included
    • Admin
    • Auth
    • Sessions
    • Permissions
frameworks are taking over
Frameworks are Taking over
  • ORMS
    • With Parameterized Queries
  • Automatic escaping on “unsafe” data
    • Output encoding
  • Robust handling of HTTP headers
    • Eliminates HTTP Response splitting
  • Pain free secure session handling
what is new in django 1 4
What is new in Django 1.4
  • HTTPonly cookies by default
  • The SECRET_KEY is required
  • Enhanced CSRF protection
  • Cryptographic Helpers
  • Password Hashers
  • CSRF protection in the Admin Application
  • A Page dedicated to security
    • Finally!!
what is new in django 1 4 cont
What is new in Django 1.4 Cont.
  • @sensitive_variables
  • Session Cookie can be modified
  • Hashed passwords shielded with the Admin
  • Protection against cryptographic timing attacks
    • Somewhat
  • Generic views prevent HTTP verb tampering and enhance CSRF protection
  • Automatic Clickjacking protection
password hashers
Password Hashers
  • Salted SHA1 hashes are gone! (Kinda)
  • PBKDF2 with 10000 iterations by default
  • Easy to extend and enhance
  • Bcrypt support built-in
signed cookies
Signed Cookies
  • Signed not encrypted
  • Open to replay attacks
    • Cookie refreshes every 2 weeks by default
  • Cookie is compressed using zlib
enhanced csrf protection
Enhanced CSRF Protection
  • Random SHA256 hash
  • Cross HTTP/HTTPS protection
  • Rejects all “safe” methods
    • \'GET\', \'HEAD\', \'OPTIONS\', \'TRACE’
  • Now you can customize the cookie
    • Name
    • Domain
    • Path
    • Secure
cryptographic helpers
Cryptographic Helpers
  • The key defaults to your SECRET_KEY
  • Uses Pythons built-in HMAC
    • SHA1
  • Custom key/salt
  • Time based signing as well
view protection
View Protection
  • HTTP Verb manipulation
    • Generic views require a specific method for every HTTP method
      • def get(self, request,*args, **kwargs):
      • Don’t use function based views
  • Automatic CSRF protection without any “extras”
    • no more dealing with request context
  • Regex based URL routing
things aren t perfect just yet
Things aren’t perfect just yet
  • Invalid logic
  • Issues with timing attacks
  • Confusing code constructs
    • user.set_password(UNUSABLE_PASSWORD)
  • CRUD Permissions
    • Not object based
  • Insecure usage of standard libraries
    • Serialized data isn’t signed or encrypted
    • Pickle
    • YAML is loaded insecurely
  • Mass Assignment?
    • Django’s model forms
xss even with autoescaping
XSS Even with Autoescaping
  • This is still vulnerable if you use the input as a HTML tag attribute
    • <span class={{user_input}} >

SQLi in Django

  • Queryset().order_by
  • Queryset().extra() does not support parameterized queries
blind redirect on login
Blind Redirect on Login
  • Functionality relies on urlparse which does not decode the URL
  • Framework only go so far
  • Even engines cannot help us
  • We don’t educate developers properly
  • We don’t provide them with the right resources
  • We need to give them a boost!
what is djangoat
What is DjanGoat
  • A Learning Tool To Help Pen Testers Learn How To Break Django Based Web Application
  • A Point Of Reference To Learn How to Write Secure Django Applications
  • Unlike WebGoat, Djangoat Better Simulates A Real-World Application
why djangoat
Why DjanGoat
  • Developers always making the same mistakes
    • Lack of GOOD examples
  • I am a fan of Django
why a real web application
Why a real web application?
  • This will be a banking application
    • Developers will identify with code and constraints that they encounter daily
  • This puts the developer in the pen testers chair
  • Great for Students
  • Pen testers love full applications
layers of insecurity
Layers of insecurity
  • There will be a range of challenges provided
  • Useful for both a developer and a pen tester
the goal
The Goal
  • Developers need to learn how vulnerabilities are introduced into applications.
  • Pen testers need an example of insecure Django code
  • Django needs to grow.
  • Django needs to be used in a security conscious way.