PyCon Canada 2015 - Is your Python application secure?

Is your Python application secure? Frédéric Harper, @fharper, http://immun.io, Sr. Technical Evangelist @ IMMUNIO. PyCon Canada, 2015-11-07. Creative Commons: https://flic.kr/p/34T4Z

Upload: immunio

Post on 13-Feb-2017


Category: Technology



TRANSCRIPT


is security important? [Creative Commons: https://flic.kr/p/s8hvJo]

do you have time? [Creative Commons: https://flic.kr/p/b7wRTX]

do you have the expertise? [Creative Commons: https://flic.kr/p/n7qDvJ]

do you have the money? [Creative Commons: https://flic.kr/p/rAG5dm]

is your app that secure? [Creative Commons: https://flic.kr/p/bY6uU7]

what about legacy apps? [Creative Commons: https://flic.kr/p/7fFQug]

it's probably happening, now [Creative Commons: https://flic.kr/p/acnkbU]

...

warning [Creative Commons: https://flic.kr/p/oosB]

I succeed if [Creative Commons: https://flic.kr/p/ehZRGj]

mess with the best, die like the rest

SQL Injection (SQLi)

SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.

no password required

MIT: http://j.mp/1kKuced

http://www.codebashing.com/log_in

[email protected]

' or 1=1)#

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers. Consequences:
- Hijack of legitimate user sessions
- Disclosure of sensitive information
- Access to privileged services and functionality
- Delivery of malware and browser exploits from our trusted domain

Search or not

MIT: http://j.mp/1kKuced

http://www.insecurelabs.org/Talk

<script>alert('Hi!')</script>

http://www.insecurelabs.org/Search.aspx?Query=%3Cscript%3Ealert%28%27Hi%21%27%29%3C%2Fscript%3E

Remote Command Execution

Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution:
- Shell Command Execution
- Eval Execution

Brute force
Common username
Cookie tampering
CSRF tampering
Excessive 4XX & 5XX
HTTP method tampering
HTTP response splitting
Redirect
Session farming
Session hijack
Stolen account
Shellshock
Suspicious exception
Suspicious HTTP header
Unauthorized file access
Username hijack

follow the white rabbit

anything from users is unsafe [Creative Commons: https://flic.kr/p/m2BKPn]

shell & quote

    import subprocess

    # unsafe: shell=True hands the command to /bin/sh, so shell metacharacters in
    # anything you interpolate are interpreted. (With a list and shell=True only
    # 'ls' reaches the shell; '-l' becomes the shell's $0, which is a second bug.)
    cp = subprocess.Popen(['ls', '-l'], shell=True)

    # safer: no shell at all, which also disables shell-based features (like pipes)
    cp = subprocess.Popen(['ls', '-l'])

    filename = 'somefile; rm -rf ~'
    command = 'ls -l {}'.format(filename)
    print(command)  # noooooooooo
    # output: ls -l somefile; rm -rf ~

    from shlex import quote
    filename = 'somefile; rm -rf ~'
    command = 'ls -l {}'.format(quote(filename))
    print(command)  # better luck next time
    # output: ls -l 'somefile; rm -rf ~'
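Added example (not from the deck): the three ways of running the slide's `ls -l <filename>` against the same attacker-controlled filename, actually executed so you can see which one gets injected. The filename is constructed; its payload only creates a marker file instead of the slide's `rm -rf ~`. It assumes a POSIX shell plus `ls` and `touch`.

```python
import subprocess
import tempfile
from pathlib import Path
from shlex import quote

# Constructed attacker-controlled input (assumption: it came from a form field).
# The payload is harmless: it only creates a marker file that the demo checks for.
EVIL_NAME = "somefile; touch injected.txt"
MARKER = "injected.txt"


def list_unsafe(filename, cwd):
    """Shell injection: untrusted text pasted into a shell command string."""
    cmd = "ls -l {}".format(filename)
    r = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return r.stdout


def list_quoted(filename, cwd):
    """Still shell=True, but shlex.quote() makes the payload one literal argument."""
    cmd = "ls -l {}".format(quote(filename))
    r = subprocess.run(cmd, shell=True, cwd=cwd, capture_output=True, text=True)
    return r.stdout


def list_argv(filename, cwd):
    """Preferred: an argv list and no shell, so ';' is just a byte in a filename."""
    r = subprocess.run(["ls", "-l", filename], cwd=cwd, capture_output=True, text=True)
    return r.stdout


def run_in_sandbox(fn):
    """Run fn in a fresh temp dir that contains a file literally named EVIL_NAME.
    Returns (listed_the_file, injection_ran)."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / EVIL_NAME).write_text("x")
        out = fn(EVIL_NAME, d)
        return EVIL_NAME in out, (Path(d) / MARKER).exists()


if __name__ == "__main__":
    for fn in (list_unsafe, list_quoted, list_argv):
        listed, injected = run_in_sandbox(fn)
        print("%-12s listed file: %-5s injection ran: %s" % (fn.__name__, listed, injected))
```

The unsafe variant never lists the file (the shell splits the name at `;`) and the marker appears; the quoted and argv variants list the oddly named file and nothing else runs. Prefer the argv form: `shlex.quote` only helps when you must go through a shell, and it does nothing for arguments a program itself interprets (an `-rf`-style option, for instance).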

escape

    # unsafe flask app
    from flask import Flask, request
    app = Flask(__name__)

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return "Hello %s" % name   # served as text/html, so ?name=<script>... runs

    # using escape function
    from flask import escape   # flask.escape was removed in Flask 2.3: use `from markupsafe import escape`

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return "Hello %s" % escape(name)
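Added example (not from the deck, and not Flask code): the same handler logic without the framework, so it runs offline. `html.escape` from the standard library neutralises the same five characters as `markupsafe.escape` (which is what Flask's `escape` and Jinja2 autoescaping use): `& < > " '`. The payload is the one from the insecurelabs demo on slide 16. The `profile_link` function is an added caveat: escaping is per context, and a `javascript:` URL survives HTML escaping untouched, so URL attributes also need a scheme allow-list.

```python
from html import escape
from urllib.parse import urlsplit

# Constructed payload: the one typed into the insecurelabs search box on slide 16.
XSS_PAYLOAD = "<script>alert('Hi!')</script>"


def hello_unsafe(name: str) -> str:
    """The slide's unsafe handler, minus Flask: raw string interpolation into HTML."""
    return "Hello %s" % name


def hello_escaped(name: str) -> str:
    """Same handler with the value escaped for the HTML-body context.
    quote=True also escapes " and ', which matters inside attribute values."""
    return "Hello %s" % escape(name, quote=True)


def profile_link(url: str) -> str:
    """Escaping alone is not enough when user input lands in an href:
    'javascript:alert(1)' contains no & < > " ' and passes html.escape unchanged.
    Allow-list the scheme first, then escape for the attribute context."""
    if urlsplit(url).scheme.lower() not in ("http", "https"):
        url = "#"
    return '<a href="%s">profile</a>' % escape(url, quote=True)


def contains_live_script(page: str) -> bool:
    """Crude check used by the demo: an unescaped <script> tag is present."""
    return "<script" in page.lower()


if __name__ == "__main__":
    print(hello_unsafe(XSS_PAYLOAD))
    print(hello_escaped(XSS_PAYLOAD))
    print(profile_link("javascript:alert(1)"))
```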

use a framework [Creative Commons: https://flic.kr/p/cHto9S]

templates

    # unsafe flask app
    from flask import Flask, request
    app = Flask(__name__)

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return "Hello %s" % name

    # using templates (Flask autoescapes templates with a .html extension by default)
    from flask import render_template

    @app.route("/")
    def hello():
        name = request.args.get('name')
        return render_template('hello.html', name=name)

    # where templates/hello.html is:
    # Hello {{ name }}

parameterize (the slide says "sanitize", but what the second form does is parameter binding: the driver sends the values separately from the statement, so nothing in them can change the query's structure)

    # Unsafe example using the Python DB API
    cmd = "update people set name='%s' where id='%s'" % (name, id)
    curs.execute(cmd)

    # Bind your parameters instead of formatting them in
    cmd = "update people set name=%s where id=%s"
    curs.execute(cmd, (name, id))

    # Placeholder syntax depends on the database driver (module.paramstyle):
    # %s for psycopg2 / mysqlclient, ? for sqlite3
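Added example (not from the deck) tying the SQLi definition and the codebashing login bypass on slides 13 and 14 to the parameterized form on slide 25. It uses an in-memory SQLite table constructed here to stand in for the demo app. The slide's payload `' or 1=1)#` is MySQL syntax for a query with an open parenthesis; SQLite has no `#` comment, so `--` is used instead. Plaintext passwords are only there to keep the demo short (slide 34 says what to do instead).

```python
import sqlite3

# Payload: the slide's ' or 1=1)# is MySQL syntax for a query with a parenthesis;
# SQLite has no # comment, so -- is used here.
PAYLOAD = "' OR 1=1 --"


def make_db() -> sqlite3.Connection:
    """Constructed users table standing in for the codebashing demo app."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT, password TEXT)")
    conn.executemany(
        "INSERT INTO users (email, password) VALUES (?, ?)",
        [("alice@example.com", "correct horse"), ("bob@example.com", "hunter2")],
    )
    return conn


def login_unsafe(conn, email, password):
    """String-formatted query: the same mistake as the slide's update statement.
    With email = PAYLOAD the query becomes
    ... WHERE email='' OR 1=1 --' AND password=''   (password check commented out)."""
    sql = "SELECT email FROM users WHERE email='%s' AND password='%s'" % (email, password)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_parameterized(conn, email, password):
    """Placeholders: the driver binds the values, so quotes and comment markers in
    the input stay data. sqlite3 uses ? (qmark); psycopg2 / mysqlclient use %s."""
    sql = "SELECT email FROM users WHERE email=? AND password=?"
    row = conn.execute(sql, (email, password)).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    db = make_db()
    print("unsafe, payload:       ", login_unsafe(db, PAYLOAD, ""))
    print("parameterized, payload:", login_parameterized(db, PAYLOAD, ""))
    print("parameterized, real:   ", login_parameterized(db, "bob@example.com", "hunter2"))
```

The unsafe version logs the attacker in as the first row in the table without knowing any password; the parameterized version treats the payload as an e-mail address nobody has and returns nothing, while a real login still works.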

object-relational mapper

    # Unsafe example using the Python DB API
    cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode)
    curs.execute(cmd)

    # Using the Django ORM, which binds zipcode as a parameter for us
    users = Users.objects.filter(zip_code=zipcode)

    # Caveat: the ORM's escape hatches (raw(), extra(), cursor.execute() with
    # formatted strings) put you back in the unsafe case above

avoid exec (if possible)

    # My awesome Python skills
    s = "print(\"Hello, World!\")"
    exec(s)   # the slide's `exec s` is Python 2 statement syntax; exec(s) works on 2 and 3

    # Refactor using a function
    def print_hello_world():
        print("Hello, World!")

    print_hello_world()
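Added example (not from the deck): the "Eval Execution" class from slide 17, with the usual replacement. When the reason for `eval`/`exec` is parsing user-supplied data that looks like Python (a dict of settings, a list of hosts), `ast.literal_eval` accepts only literals and refuses names, calls and attribute access. The two inputs are constructed; the malicious one just calls `os.getcwd()` so that "it ran" is visible without side effects.

```python
import ast

# Constructed inputs: what a client might POST as a "config value".
BENIGN = "{'retries': 3, 'hosts': ['a', 'b']}"
MALICIOUS = "__import__('os').getcwd()"   # any code would do; getcwd() just proves it ran


def parse_with_eval(text: str):
    """Eval Execution: the input is compiled and run as Python with our privileges."""
    return eval(text)  # deliberately unsafe, kept to show the difference


def parse_literal(text: str):
    """Only literals (numbers, strings, bytes, tuples, lists, dicts, sets, booleans,
    None) are accepted; anything else raises ValueError (or SyntaxError)."""
    return ast.literal_eval(text)


def safe_parse(text: str):
    """Wrapper that reports rejection as None instead of an exception, for callers
    that want to log and move on rather than crash a request."""
    try:
        return parse_literal(text)
    except (ValueError, SyntaxError, MemoryError, RecursionError):
        return None


if __name__ == "__main__":
    print("eval, benign:        ", parse_with_eval(BENIGN))
    print("eval, malicious:     ", parse_with_eval(MALICIOUS))   # code executed
    print("literal, benign:     ", safe_parse(BENIGN))
    print("literal, malicious:  ", safe_parse(MALICIOUS))        # None
```

If the input is meant to be data, a data format (JSON via `json.loads`) is better still; `literal_eval` is the drop-in for code that already speaks Python literals.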

ORM libraries (source: http://www.fullstackpython.com/object-relational-mappers-orms.html)

OWASP XSS Cheat Sheet

static code analysis

Strengths:
- Scales well
- Finds issues like buffer overflows and SQL injection flaws with high confidence

Weaknesses:
- Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
- High numbers of false positives
- Frequently can't find configuration issues, since they are not represented in the code
- Difficulty analyzing code that can't be compiled (missing libraries, for example)

XSScrapy

MIT: http://j.mp/1kKuced

    cd Immunio/xsscrapy/
    ./xsscrapy.py -u http://www.insecurelabs.org/

RASP

Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.

IMMUNIO

trust it or not

Developers:
- Use a deliberately slow, salted password hashing function (bcrypt or PBKDF2) to store passwords
- Stored procedures if possible (they only help against SQLi when they don't build dynamic SQL from their arguments)
- Up-to-date frameworks & libraries

Devops:
- HTTPS
- Web Application Firewall (WAF)
- Intrusion prevention systems (IPS)
- Up-to-date platform & infrastructure

to infinity... and beyond! [Creative Commons: https://flic.kr/p/8Z1Cxm]

thanks but no thanks

stop [Creative Commons: https://flic.kr/p/gpVdD]

I'm serious! [Creative Commons: https://flic.kr/p/9CG51N]

plan for it [Creative Commons: https://flic.kr/p/5bn2nD]

now. [Creative Commons: https://flic.kr/p/fA6vnM]

nothing is 100% bulletproof [Creative Commons: https://flic.kr/p/hpE97]

www

- IMMUNIO, real-time web application security: https://www.immun.io/
- OWASP (Open Web Application Security Project): https://www.owasp.org/
- Security in Django: http://j.mp/1Q8VMBP
- Security system in Pyramid: http://j.mp/1Q8VHxT
- Bobby Tables: A guide to preventing SQL injection: http://bobby-tables.com/
- XSS Filter Evasion Cheat Sheet: http://j.mp/1Q97hsW
- XSScrapy: https://github.com/DanMcInerney/xsscrapy

Frédéric Harper
[email protected]
@fharper
http://outofcomfortzone.net
http://immun.io