is your python application secure? - pycon canada - 2015-11-07
TRANSCRIPT
Is your Python application secure?
Frédéric Harper
@fharper
http://immun.io
Sr. Technical Evangelist @ IMMUNIO
Pycon Canada – 2015-11-07
Creative Commons: https://flic.kr/p/34T4Z
is security important?
Creative Commons: https://flic.kr/p/s8hvJo
do you have time?
Creative Commons: https://flic.kr/p/b7wRTX
do you have the expertise?
Creative Commons: https://flic.kr/p/n7qDvJ
do you have the money?
Creative Commons: https://flic.kr/p/rAG5dm
is your app that secure?
Creative Commons: https://flic.kr/p/bY6uU7
what about legacy apps?
Creative Commons: https://flic.kr/p/7fFQug
it’s probably happening, now
Creative Commons: https://flic.kr/p/acnkbU
...
warning
Creative Commons: https://flic.kr/p/oosB
I succeed if…
Creative Commons: https://flic.kr/p/ehZRGj
mess with the best
die like the rest
SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
MIT: http://j.mp/1kKuced
no password required
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on
your pages in your customers' browsers.
§ Hijack of legitimate user sessions
§ Disclosure of sensitive information
§ Access to privileged services and functionality
§ Delivery of malware and browser exploits from your trusted domain
Cross-Site Scripting
MIT: http://j.mp/1kKuced
Search or not
Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution
2. Eval Execution
Remote Command Execution
• Brute force
• Common username
• Cookie tampering
• CSRF tampering
• Excessive 4XX & 5XX
• HTTP method tampering
• HTTP response splitting
• Redirect
• Session farming
• Session hijack
• Stolen account
• Shellshock
• Suspicious Exception
• Suspicious HTTP header
• Unauthorized file access
• Username hijack
…
follow the
white rabbit
anything from users is unsafe
Creative Commons: https://flic.kr/p/m2BKPn
import subprocess

# shell=True hands the first element to /bin/sh -c; any remaining list elements become
# positional parameters of the shell ($0...), so '-l' never reaches ls
cp = subprocess.Popen(['ls', '-l'], shell=True)

# no shell: disables shell-based features (no pipes, globbing or ';' chaining)
cp = subprocess.Popen(['ls', '-l'])

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(filename)
print(command)   # noooooooooo
# ls -l somefile; rm -rf ~

from shlex import quote   # pipes.quote on Python 2

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(quote(filename))
print(command)   # better luck next time
# ls -l 'somefile; rm -rf ~'
shell & quote
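Added example (not from the slides): the same hostile filename passed to subprocess without a shell, so there is nothing to quote, beside the quoted shell string for the case where a shell is unavoidable. The child process is a tiny Python one-liner instead of `ls -l` so it runs anywhere; the filename and function names are constructed for this example.

```python
# Added example, not from the original slides.
import shlex
import subprocess
import sys

# Constructed hostile filename (same payload as the slide).
HOSTILE_FILENAME = "somefile; rm -rf ~"


def run_without_shell(filename):
    """Pass the filename as one argv element: no shell parses it, so ';' is just a byte.

    Stand-in for `ls -l <filename>`: a Python child that reports the single
    argument it received, unchanged.
    """
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", filename],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout.rstrip("\n")


def build_shell_command(filename):
    """If a shell string really is required, quote every untrusted piece."""
    return "ls -l {}".format(shlex.quote(filename))


def shell_argv(command):
    """Tokenize a string the way a POSIX shell would (without running it),
    so we can check what the shell would actually execute."""
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


if __name__ == "__main__":
    print(run_without_shell(HOSTILE_FILENAME))
    print(shell_argv("ls -l " + HOSTILE_FILENAME))           # ';' becomes a separate command
    print(shell_argv(build_shell_command(HOSTILE_FILENAME)))  # one argument to ls
```

Prefer the argv-list form everywhere; `shlex.quote` is the fallback for the rare command that must be a string, and `shell_argv` is how you check that the quoting did what you think.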
# unsafe flask example
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name

# using escape function (flask.escape wraps markupsafe.escape; newer Flask releases
# drop the re-export, so import it from markupsafe there)
from flask import Flask, request, escape
app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % escape(name)
escape
use a framework
Creative Commons: https://flic.kr/p/cHto9S
# unsafe flask example
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name

# using a template: Jinja2 autoescapes {{ name }} for .html templates rendered with render_template
from flask import Flask, request, render_template
app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return render_template('hello.html', name=name)
# where templates/hello.html is:
# <html>Hello {{ name }}</html>
templates
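Added example (not from the slides): what the escape and template slides rely on, done with the standard library's `html.escape` (the same `&`, `<`, `>`, `"`, `'` substitution markupsafe performs for Flask's escape and Jinja2 autoescaping). It also shows the caveat a practitioner needs: escaping is per context, and an `href` with a `javascript:` URL passes through `html.escape` untouched, so URLs need a scheme allow-list on top. The payloads and function names are constructed for this example.

```python
# Added example, not from the original slides.
import html

# Constructed attacker input.
PAYLOAD = "<script>alert(document.cookie)</script>"


def render_unsafe(name):
    """The slide's vulnerable pattern: untrusted text pasted straight into markup."""
    return "<html>Hello %s</html>" % name


def render_escaped(name):
    """Escape &, <, >, " and ' so the browser renders text, not markup."""
    return "<html>Hello %s</html>" % html.escape(name, quote=True)


def render_attribute(value):
    """Inside a quoted attribute the quote characters are the dangerous ones,
    which is why quote=True (the default) matters."""
    return '<input value="%s">' % html.escape(value, quote=True)


# Assumed allow-list of schemes acceptable in links on this site.
SAFE_SCHEMES = ("http://", "https://", "mailto:")


def render_link(url):
    """Escaping alone does not make a URL safe: 'javascript:alert(1)' contains
    nothing html.escape changes. Allow-list the scheme first, then escape."""
    clean = url.strip()
    if not clean.lower().startswith(SAFE_SCHEMES):
        clean = "#"
    return '<a href="%s">link</a>' % html.escape(clean, quote=True)


if __name__ == "__main__":
    print(render_unsafe(PAYLOAD))      # script tag survives: XSS
    print(render_escaped(PAYLOAD))     # &lt;script&gt;...: inert text
    print(render_attribute('" onfocus="alert(1)'))
    print(render_link("javascript:alert(1)"))
```

The same rule applies to template engines: autoescaping handles element content and attribute values, but a value dropped into a `<script>` block or a URL needs a context-specific encoder or an allow-list, not just HTML escaping.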
# Unsafe example using the Python DB API
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)

# Parameterize: pass the values separately and let the driver bind them
cmd = "update people set name=%s where id=%s"
curs.execute(cmd, (name, id))
# Placeholder syntax depends on the database driver (%s for psycopg2 and MySQLdb, ? for sqlite3)
parameterize (not sanitize)
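Added example (not from the slides): the login-bypass injection the SQLi slides describe, run against an in-memory SQLite database, beside the parameterized query that defeats it. The table, users and payload are constructed for this example; sqlite3 uses `?` placeholders, and other drivers use their own.

```python
# Added example, not from the original slides.
import sqlite3

# Constructed test data.
USERS = [("alice", "s3cret"), ("bob", "hunter2")]

# Classic bypass: close the string literal, add an always-true clause,
# and comment out the rest of the WHERE clause.
BYPASS = "' OR 1=1 --"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def login_unsafe(conn, name, password):
    """String formatting: the attacker controls the query's structure.
    With BYPASS as the name the statement becomes
    SELECT name FROM users WHERE name='' OR 1=1 --' AND password='...'
    """
    sql = "SELECT name FROM users WHERE name='%s' AND password='%s'" % (name, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn, name, password):
    """Parameterized: the driver binds values, the structure is fixed, and the
    payload is compared literally against the name column."""
    sql = "SELECT name FROM users WHERE name=? AND password=?"
    row = conn.execute(sql, (name, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print(login_unsafe(db, BYPASS, "wrong"))   # alice: logged in without a password
    print(login_safe(db, BYPASS, "wrong"))     # None
```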
# Unsafe example using the Python DB API
cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode)
curs.execute(cmd)

# Using the Django ORM, which parameterizes the query for us
users = Users.objects.filter(zip_code=zipcode)
object-relational mapper
# My awesome Python skills
s = "print(\"Hello, World!\")"
exec(s)   # statement in Python 2, function in Python 3; the call form works in both

# Refactor using a function
def print_hello_world():
    print("Hello, World!")

print_hello_world()
avoid exec (if possible)
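Added example (not from the slides): the two usual ways to get rid of `eval`/`exec` on user-controlled strings. `ast.literal_eval` parses data (numbers, strings, lists, dicts, and so on) and refuses anything that would execute, and an explicit dispatch table replaces `exec("report_%s()" % kind)`. The inputs and report functions are constructed for this example.

```python
# Added example, not from the original slides.
import ast

# Constructed inputs: a harmless configuration literal and a code-execution attempt.
GOOD_INPUT = "[1, 2, {'limit': 10}]"
EVIL_INPUT = "__import__('os').system('id')"


def parse_config(text):
    """literal_eval builds Python literals only; a Call or Attribute node makes
    it raise ValueError instead of running anything. SyntaxError covers junk."""
    try:
        return ast.literal_eval(text)
    except (ValueError, SyntaxError):
        return None


def report_users():
    return "users report"


def report_sales():
    return "sales report"


# Explicit allow-list of callables, instead of exec("report_%s()" % kind)
# or a getattr() lookup that an attacker could point at anything.
REPORTS = {"users": report_users, "sales": report_sales}


def run_report(kind):
    handler = REPORTS.get(kind)
    if handler is None:
        raise KeyError("unknown report: %r" % (kind,))
    return handler()


if __name__ == "__main__":
    print(parse_config(GOOD_INPUT))   # [1, 2, {'limit': 10}]
    print(parse_config(EVIL_INPUT))   # None: refused, never executed
    print(run_report("sales"))
```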
ORM libraries
Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
OWASP XSS Cheat Sheet
Strengths
• Scales Well
• Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (using libraries as an example).
static code analysis
MIT: http://j.mp/1kKuced
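Added example (not from the slides, and not any real SAST tool): a toy static check built on Python's `ast` module, in the spirit of the tools described above. It flags `subprocess.<func>(..., shell=True)` calls and shows the false-positive problem from the weaknesses list: a call with a constant command string is flagged too, because from the code alone the analyzer cannot prove it harmless, so it is reported at lower severity. The sample source it scans is constructed for this example.

```python
# Added example, not from the original slides.
import ast

# Constructed sample source to scan (line numbers matter for the findings).
SAMPLE = '''
import subprocess
def a(filename):
    subprocess.call("ls -l " + filename, shell=True)      # real finding
def b():
    subprocess.run("ls -l /tmp", shell=True)              # false positive
def c(filename):
    subprocess.run(["ls", "-l", filename])                # fine
'''

SUBPROCESS_FUNCS = {"call", "check_call", "check_output", "run", "Popen"}


def is_shell_true(call):
    """True when the call carries a literal shell=True keyword."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in call.keywords
    )


def find_shell_calls(source):
    """Return (line, severity) for each subprocess.<func>(..., shell=True).

    A non-constant first argument (concatenation, format, variable) is 'high';
    a constant string is 'low', which is where the false positives live.
    """
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call):
            continue
        func = node.func
        if not (isinstance(func, ast.Attribute) and func.attr in SUBPROCESS_FUNCS
                and isinstance(func.value, ast.Name) and func.value.id == "subprocess"):
            continue
        if not is_shell_true(node):
            continue
        first = node.args[0] if node.args else None
        severity = "low" if isinstance(first, ast.Constant) else "high"
        findings.append((node.lineno, severity))
    return sorted(findings)


if __name__ == "__main__":
    for line, severity in find_shell_calls(SAMPLE):
        print("line %d: subprocess call with shell=True [%s]" % (line, severity))
```

Note what this check cannot see: `shell=True` spelled as a variable, `subprocess` imported under another name, or a command string that is constant here but assembled from user input elsewhere. That gap between syntax and runtime behaviour is exactly what the weaknesses above describe.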
XSScrapy
Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
IMMUNIO
Developers
§ Use a slow, salted password hashing function
(bcrypt or PBKDF2) to store passwords
§ Stored procedures if possible (they only help when they do not build SQL from their arguments)
§ Up-to-date frameworks & libraries
Devops
§ HTTPS
§ Web Application Firewall (WAF)
§ Intrusion prevention systems (IPS)
§ Up-to-date platform & infrastructure
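Added example (not from the slides) for the password-hashing bullet: PBKDF2-HMAC-SHA256 from the standard library (bcrypt needs a third-party package), with a random per-password salt, the parameters stored alongside the hash so they can be raised later, and a constant-time comparison on verification. The iteration count and storage format are assumptions for this example.

```python
# Added example, not from the original slides.
import base64
import hashlib
import hmac
import os

# Assumption: iteration count chosen so one hash costs tens of milliseconds
# on the deployment hardware; raise it over time.
ITERATIONS = 600_000
ALGORITHM = "sha256"


def _b64(data):
    return base64.b64encode(data).decode("ascii")


def hash_password(password, iterations=ITERATIONS):
    """Return 'pbkdf2_<algo>$<iterations>$<salt>$<digest>' with a fresh 16-byte salt."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, iterations)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, iterations, _b64(salt), _b64(digest))


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    prefix, iterations, salt, digest = stored.split("$")
    algo = prefix.split("_", 1)[1]
    actual = hashlib.pbkdf2_hmac(
        algo, password.encode("utf-8"), base64.b64decode(salt), int(iterations)
    )
    return hmac.compare_digest(actual, base64.b64decode(digest))


if __name__ == "__main__":
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record))   # True
    print(verify_password("hunter3", record))   # False
```

Never store a plain SHA-256 of the password, even with a salt: a fast hash lets an attacker test billions of guesses per second offline, which is the attack the slow, iterated function is there to blunt.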
trust… or not
to infinity... and beyond!
Creative Commons: https://flic.kr/p/8Z1Cxm
thanks but
no thanks
stop
Creative Commons: https://flic.kr/p/gpVdD
I’m serious!
Creative Commons: https://flic.kr/p/9CG51N
plan for it
Creative Commons: https://flic.kr/p/5bn2nD
now.
Creative Commons: https://flic.kr/p/fA6vnM
nothing is 100% bulletproof
Creative Commons: https://flic.kr/p/hpE97
IMMUNIO – Real-time web application security - https://www.immun.io/
OWASP (Open Web Application Security Project) - https://www.owasp.org/
Security in Django - http://j.mp/1Q8VMBP
Security system in Pyramid - http://j.mp/1Q8VHxT
Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
XSScrapy - https://github.com/DanMcInerney/xsscrapy