Django Book Chapter 20: Security
DESCRIPTION
A brief introduction to Django Book chapter 20, with basic network security knowledge.
TRANSCRIPT
Django Book Chapter 20 - Security
Alfred
Tuesday, October 1, 2013
Never - under any circumstances - trust data from the browser!
A simple theory of security (based on primes and modular arithmetic)
‣ choose two distinct primes p, q
‣ n = p · q
‣ based on Euler's totient function, phi(n) = (p-1)(q-1)
‣ choose the public exponent e with 1 < e < phi(n) and e coprime to phi(n)
‣ let d be the modular inverse of e: d · e ≡ 1 (mod phi(n))
A simple theory of security (based on primes and modular arithmetic) cont.
Number example (from wiki)
1. Choose two distinct prime numbers, p and q.
2. Compute n = p · q, giving n = 3233.
3. Compute the totient of the product as φ(n) = (p − 1)(q − 1), giving φ(n) = 3120.
4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.
5. Compute d, the modular multiplicative inverse of e (mod φ(n)), yielding d = 2753.
The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is c = m^17 (mod 3233).
The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is m = c^2753 (mod 3233).
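The five steps above, carried out in Python as an added example (not code from the slides or from the Django Book). The primes p = 61 and q = 53 are chosen here because 61 · 53 = 3233, so the generated keys reproduce the slide's numbers; the message m = 65 is a constructed sample value.

```python
from math import gcd


def rsa_keygen(p, q, e):
    """Textbook RSA key generation following the slide's five steps.

    Returns (public_key, private_key) as ((n, e), (n, d)).
    """
    assert p != q, "p and q must be distinct primes"
    n = p * q                                  # step 2: n = p * q
    phi = (p - 1) * (q - 1)                    # step 3: Euler's totient phi(n)
    assert 1 < e < phi and gcd(e, phi) == 1, "e must be coprime to phi(n)"  # step 4
    d = pow(e, -1, phi)                        # step 5: d = e^-1 mod phi(n) (Python 3.8+)
    return (n, e), (n, d)


def rsa_encrypt(public_key, m):
    """c = m^e mod n. m must already be padded and smaller than n."""
    n, e = public_key
    assert 0 <= m < n, "message must be an integer below n"
    return pow(m, e, n)


def rsa_decrypt(private_key, c):
    """m = c^d mod n."""
    n, d = private_key
    return pow(c, d, n)


def demo():
    # Constructed inputs: 61 * 53 = 3233, matching the slide's n.
    public, private = rsa_keygen(61, 53, 17)
    m = 65                       # constructed sample plaintext (no padding here)
    c = rsa_encrypt(public, m)
    return public, private, c, rsa_decrypt(private, c)


if __name__ == "__main__":
    print(demo())
```

`pow(e, -1, phi)` is the modular inverse the slide calls "modulo reverse"; it raises `ValueError` when e and phi(n) are not coprime, which is exactly the step-4 check. The slide's phrase "padded plaintext" matters: raw RSA as shown is deterministic and malleable, so real systems apply a padding scheme such as OAEP and use a vetted library rather than these functions.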
Identify Your Identity
Cross-Site Request Forgery, CSRF Attack
• A malicious page tricks the client's browser into sending a forged request.
• The solution, the CSRF token, is covered in chapter 16.
Session Forging/Hijacking
• man-in-the-middle
• session forging
• cookie forging
• session fixation
• session poisoning
wiki: session fixation
Solutions
• Never allow session information to be contained in the URL. Django bless you.
• Don't store data in cookies directly. request.session bless you.
• Prevent attackers from spoofing session IDs whenever possible. Django uses a hash function to protect your session ID. (As far as I know, some hash functions are not safe, e.g. SHA-1.)
• Sensitive data? Use HTTPS: SESSION_COOKIE_SECURE = True
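The first three solutions in one runnable sketch, added here as an example rather than code from the slides or from Django itself: the cookie carries only an HMAC-signed session id (no data), session data lives in a server-side store, and the id is rotated on login so that a session-fixation id handed to the victim beforehand becomes useless. `SECRET_KEY`, `SessionStore` and `login` are constructed for this example; Django's real `request.session` and `cycle_key()` play the same roles.

```python
import hashlib
import hmac
import secrets

# Constructed demo key; a real deployment keeps this out of source control.
SECRET_KEY = b"constructed-demo-secret-do-not-reuse"


def sign(value, key=SECRET_KEY):
    """Append an HMAC-SHA256 tag so the cookie cannot be altered without the key."""
    tag = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return f"{value}:{tag}"


def unsign(cookie, key=SECRET_KEY):
    """Return the signed value, or None if the tag does not verify."""
    value, _, tag = cookie.rpartition(":")
    expected = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):   # constant-time comparison
        return None
    return value


class SessionStore:
    """Server-side store: the browser only ever sees the session id."""

    def __init__(self):
        self._data = {}

    def create(self):
        sid = secrets.token_urlsafe(32)          # unpredictable id, not a counter
        self._data[sid] = {}
        return sid

    def get(self, sid):
        return self._data.get(sid)

    def cycle_key(self, sid):
        """Move the data to a fresh id and invalidate the old one."""
        data = self._data.pop(sid, {})
        new_sid = secrets.token_urlsafe(32)
        self._data[new_sid] = data
        return new_sid


def login(store, cookie, username):
    """Handle a login: validate the cookie, rotate the id, then store the user."""
    sid = unsign(cookie) if cookie else None
    if sid is None or store.get(sid) is None:
        sid = store.create()
    sid = store.cycle_key(sid)                   # defeats session fixation
    store.get(sid)["user"] = username
    return sign(sid)                             # new Set-Cookie value


if __name__ == "__main__":
    store = SessionStore()
    cookie = login(store, None, "alice")
    print("session id:", unsign(cookie), "user:", store.get(unsign(cookie))["user"])
```

Rotating the id at login is the step most often forgotten: without it, an attacker who planted a known id in the victim's browser shares the authenticated session. Setting `SESSION_COOKIE_SECURE = True` then keeps this signed id off plain HTTP.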
Break....
Code Injection
Code injection is a class of system bugs caused by processing invalid data.
Since it's called a bug, it is of course your problem.
SQL Injection
How could a username become invalid data?
• Escape char '\'
• SQL reserved word
• SQL logic
SQL Injection (Cont.)
Tears In Heaven...
SQL Injection Solution
1. Use the Django API, please.
2. Exception: Person.objects.raw('SELECT * FROM foo')
   django.db.connection.ops.quote_name(user)
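The three ways a username becomes invalid data, shown against a throw-away SQLite table as an added example (not code from the slides). The standard-library `sqlite3` module stands in for Django's database cursor: `sqlite3` uses `?` placeholders where Django's raw cursor and `Person.objects.raw()` use `%s`, but the principle is the same, values go to the driver as parameters and never into the SQL text. The table and rows are constructed.

```python
import sqlite3


def build_db():
    """Constructed in-memory table with two sample users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (username TEXT, secret TEXT)")
    conn.executemany("INSERT INTO person VALUES (?, ?)",
                     [("alice", "a-secret"), ("bob", "b-secret")])
    return conn


def find_person_unsafe(conn, username):
    """Vulnerable: the user-supplied string is pasted into the SQL text."""
    sql = "SELECT username FROM person WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_person_safe(conn, username):
    """Parameterized: the driver binds the value; it can never change the query."""
    sql = "SELECT username FROM person WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def run_demo():
    """Run the same inputs through both functions and collect the outcomes."""
    conn = build_db()
    results = {
        # SQL logic: a tautology turns "find one user" into "find everyone".
        "unsafe_logic": find_person_unsafe(conn, "' OR '1'='1"),
        "safe_logic": find_person_safe(conn, "' OR '1'='1"),
        # Escape char: a legitimate apostrophe in a name.
        "safe_quote": find_person_safe(conn, "O'Brien"),
    }
    try:
        find_person_unsafe(conn, "O'Brien")
        results["unsafe_quote"] = "no error"
    except sqlite3.OperationalError:
        results["unsafe_quote"] = "OperationalError"   # the query itself broke
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name}: {outcome}")
```

Note the two failure modes the slide lists: the quoted name breaks the unsafe query outright (an error a user will hit by accident), while the logic payload silently returns every row. The parameterized version treats both as ordinary string values. `quote_name()` covers the remaining case the ORM cannot parameterize, identifiers such as table or column names; it is not a substitute for parameters on values.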
Cross Site Scripting, XSS
XSS enables attackers to inject client-side script into Web pages viewed by other users.
XSS etc. (CSS, JavaScript)
Cross Site Scripting, XSS
Q. How does it work?
A. The attacker takes advantage of the client browser's ability to execute script dynamically, or of its ability to load code from another server, and crafts a simple link to hand to victims.
1. Find a web page that contains an XSS leak of any kind.
2. Design the XSS script: steal cookies, do something, etc.
3. Send a link to the victims (by mail or anything). Even the best site design cannot stop an innocent user.
Example of XSS
http://example.com/hello/?name=Jacob
http://example.com/hello/?name=<i>Jacob</i>
http://redirect.example.com/hello/?name=jacob (Malicious Link)
Solution of XSS
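The fix for the `?name=` example above, as an added example that is not code from the slides: the view must escape the query value before it lands in HTML. Django templates do this automatically (autoescaping), but the hand-built strings below make the difference visible using the standard library's `html.escape`. The view functions and the `name` values are constructed for the example.

```python
from html import escape


def hello_unsafe(name):
    """Vulnerable: the raw query value is pasted into the page body."""
    return "<h1>Hello, %s!</h1>" % name


def hello_safe(name):
    """Escaped: < > & ' " become entities, so markup in `name` is shown, not run.

    quote=True also escapes the quote characters, which is what makes the
    same value safe inside an attribute as well as in a text node.
    """
    return "<h1>Hello, %s!</h1>" % escape(name, quote=True)


def profile_link_safe(name):
    """Attribute context: the escaped value cannot close the title="..." quote."""
    return '<a href="/profile/" title="%s">profile</a>' % escape(name, quote=True)


def contains_tag(html, tag):
    """True if the rendered page still contains a live <tag> element."""
    return ("<%s>" % tag) in html


if __name__ == "__main__":
    value = "<i>Jacob</i>"            # the slide's second URL, name=<i>Jacob</i>
    print(hello_unsafe(value))
    print(hello_safe(value))
    print(profile_link_safe('Jacob "J" Doe'))
```

Escaping is context-specific: `html.escape` is correct for HTML text and quoted attribute values, which covers the `?name=` case, but a value placed inside a `<script>` block or a URL needs its own encoding. In Django, reaching for `mark_safe` or `|safe` on user input undoes exactly this protection.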
Email Header Injection
• A field of an e-mail form provides another injection vector.
"hello\ncc:[email protected]" (where "\n" is a newline character)
solution: django.core.mail.send_mail
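Why `send_mail` is the solution: Django refuses any header value that contains a newline, which is the only way the `cc:` line above could be smuggled in. The block below is an added example (not Django's code) that reimplements that check locally around the standard library's `EmailMessage`; `BadHeaderError`, `clean_header` and `build_message` are constructed names for this example, and the addresses are constructed too.

```python
from email.message import EmailMessage


class BadHeaderError(ValueError):
    """Local stand-in for django.core.mail.BadHeaderError (constructed here)."""


def clean_header(value):
    """Reject a header value that could start a new header line."""
    if "\n" in value or "\r" in value:
        raise BadHeaderError("Header values can't contain newlines (got %r)" % value)
    return value


def build_message(subject, sender, recipients, body):
    """Build a message from form input, validating every header field."""
    msg = EmailMessage()
    msg["Subject"] = clean_header(subject)
    msg["From"] = clean_header(sender)
    msg["To"] = ", ".join(clean_header(r) for r in recipients)
    msg.set_content(body)          # the body may contain newlines; headers may not
    return msg


def header_injection_rejected(subject):
    """True if the subject was refused, False if a message was built."""
    try:
        build_message(subject, "noreply@example.com", ["user@example.com"], "hi")
    except BadHeaderError:
        return True
    return False


if __name__ == "__main__":
    # Constructed attack input from the slide: a newline followed by a Cc: header.
    print(header_injection_rejected("hello\ncc:victim@example.com"))   # True
    print(header_injection_rejected("hello"))                           # False
```

The check goes on every field that ends up in a header (subject, from, to), not only the subject, because any of them is enough to append `Cc:` or `Bcc:` lines. The body is left alone: newlines there are normal text.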
Filename Injection
• A form field that lets the user supply the file name...
• How about ../../../../../etc/passwd?
• Needless to say, you should never write code that can read from any area of the disk!
Filename Injection (cont.)
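One way to keep a user-supplied file name inside the intended directory, added here as an example (not code from the slides or from Django): resolve the joined path and check that the directory is still a prefix of it. `UPLOAD_DIR` and `safe_path` are constructed names for this example, and the directory does not need to exist for the check to work.

```python
import os
import tempfile

# Constructed base directory; a real app would use a setting such as MEDIA_ROOT.
UPLOAD_DIR = os.path.join(tempfile.gettempdir(), "uploads-demo")


def safe_path(base_dir, user_filename):
    """Return the absolute path for `user_filename` under `base_dir`.

    Raises ValueError if the path would end up anywhere else. realpath()
    collapses '..' segments and follows symlinks; commonpath() (rather than
    a startswith() check) keeps '/uploads-demo-evil' from matching
    '/uploads-demo'.
    """
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, user_filename))
    try:
        inside = os.path.commonpath([base, candidate]) == base
    except ValueError:            # different drives on Windows: not inside
        inside = False
    if not inside:
        raise ValueError("file name escapes the upload directory: %r" % user_filename)
    return candidate


def is_allowed(user_filename, base_dir=UPLOAD_DIR):
    """Boolean form of the check, for use in a form's clean() step."""
    try:
        safe_path(base_dir, user_filename)
    except ValueError:
        return False
    return True


if __name__ == "__main__":
    for name in ("report.txt", "sub/../report.txt", "../../../../../etc/passwd",
                 "/etc/passwd", "../uploads-demo-evil/x"):
        print(f"{name!r}: {'allowed' if is_allowed(name) else 'rejected'}")
```

Note the absolute-path case: `os.path.join(base, "/etc/passwd")` discards `base` entirely and returns `/etc/passwd`, which is why the check runs on the joined result rather than on the input string. When the file name is only ever used as a name (not a path), taking `os.path.basename()` of the input and rejecting anything that changes it is a simpler rule.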
• Password cracking (brute force, dictionary, birthday attack)
• Impersonation (man-in-the-middle, xx forging...)
• Code Injection (SQL, XSS, email header, ...)
• Disruption (DDoS, request flooding)
• Zero-Day Attack + Service Scan
• Social Engineering (information gathering)
Thanks
Alfred