Embed Size (px)
DESCRIPTION
Pony Pwning Djangocon 2010
Citation preview
Pony PwningDjangocon 2010 // Adam Baldwin
Wednesday, September 8, 2010
Hi, I’m not that Adam Baldwin.
I’m this one:
@adam_baldwin
ngenuity-is.com
evilpacket.net
Wednesday, September 8, 2010
I break stuff
Wednesday, September 8, 2010
Django = pile of awesome
Wednesday, September 8, 2010
Django isn’tperfect
Wednesday, September 8, 2010
Developers aren’t perfect
Wednesday, September 8, 2010
I WANT TOHELP YOU
AVOID HUGE ASSMISTAKES
Captain Howdy McAssumptions,the nGenuity Mascot
Wednesday, September 8, 2010
★ ★ ★ ★
Completely
made upstatistics
★ ★ ★ ★
INTRODUCING!
Wednesday, September 8, 2010
of securityfailures60%
projectconstraints!
★ ★ ★ ★
Wednesday, September 8, 2010
Wednesday, September 8, 2010
of securityfailures30%
incompetenceor ignorance
★ ★ ★ ★
Wednesday, September 8, 2010
See http://evilpacket.net/2010/jan/14/mifi-geopwn/
Wednesday, September 8, 2010
of securityfailures9%
needle inthe haystack
★ ★ ★ ★
Wednesday, September 8, 2010
See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/
Wednesday, September 8, 2010
of securityfailures1%
0 days
★ ★ ★ ★
Wednesday, September 8, 2010
90%Let’s talkabout the
Wednesday, September 8, 2010
Sad PonyWarning
Wednesday, September 8, 2010
cross-site scripting
Wednesday, September 8, 2010
the
BigFive
double quote
single quote
ampersand
less than
greater than
“‘
&<>{
Wednesday, September 8, 2010
{% autoescape off %}
|safe filter
mark_safe( )
Wednesday, September 8, 2010
Context matters.
<a href=”{{object.absolute_url}}” alt=”{{object.name}}”>{{object.name}}</a>
<a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>
Missing quotes in the second URL make it possible to inject malicious code.
Which is bad.
Wednesday, September 8, 2010
swingsetOWASP ESAPI Swingset by Craig Younkins
http://www.owasp.org/index.php/ESAPI_Swingset
Wednesday, September 8, 2010
Browser behavior
<style /><a href="[user provided data here]">click</a>
This works in IE8, without the “big five” and executeswithout user interaction.
<style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
Wednesday, September 8, 2010
Avoid getting burned
• Consider OWASP ESAPI
• Audit templates
• Audit reusables and snippets
• Educate designers
Wednesday, September 8, 2010
FILE UPLOADS
Wednesday, September 8, 2010
Evil Avatars
Images can contain PHP.
ImageField does not care.
ImageField does not check extensions.
File uploads often are put inunprotected directories.
Wednesday, September 8, 2010
Avoid getting burned
• Check file extensions
• Disable PHP
Wednesday, September 8, 2010
secret_report.pdf
File upload TMI
secret_report_1.pdf
Wednesday, September 8, 2010
Avoid getting burned
• Put user content behind a file API
• Obfuscate filenames of uploads
Wednesday, September 8, 2010
DirectObject Access
Wednesday, September 8, 2010
“Not Found”
General TMI
“Forbidden” / “Access denied”
vs.
Wednesday, September 8, 2010
Avoid getting burned
• Return consistent results (preferably “Not Found”)
• Log security violations
Wednesday, September 8, 2010
eg /object/delete/2
Doing stupid things
Privileged operations with HTTP GET
Wednesday, September 8, 2010
Avoid getting burned
• Don’t do stupid things.
• Consider Django-Piston for REST
Wednesday, September 8, 2010
ClickJacking
What the hell is it?
Wednesday, September 8, 2010
Click jackets
/admin/ is vulnerable.
pre-filling forms removes most user interaction
Wednesday, September 8, 2010
Avoid getting burned
• Set X-FRAME-OPTIONS DENY header
• Use django-xframeoptions middleware
• Implement frame breakout code
Wednesday, September 8, 2010
Abusing /admin/
:(
Wednesday, September 8, 2010
Wuh-oh, kids.
[ REDACTED ]
Wednesday, September 8, 2010
Avoid getting burned
• I HAVE NO IDEA.
• [email protected] needs to check their email ;)
Wednesday, September 8, 2010
Wednesday, September 8, 2010
I have ahard job
Wednesday, September 8, 2010
Your jobis harder.
Wednesday, September 8, 2010
Questions?
@adam_baldwin // ngenuity-is.com // evilpacket.net
Wednesday, September 8, 2010
