Presentation is loading. Please wait.

Presentation is loading. Please wait.

Security in Django.

Published byMavis Collins Modified over 6 years ago

Similar presentations

Presentation on theme: "Security in Django."— Presentation transcript:

1 Security in Django

2 Who am I 🚀? Django core developer
Member of Django's security & ops team Part time student, part time worker apollo13 on IRC & Github

3 Security would be easier without humans in the picture!
We will not talk about … Security would be easier without humans in the picture!

4 … or … any other of the attacks against SSL/TLS out there
(or server missconfigs for that matter) Oh: Update to the latest Python point release But please read and apply:

5 First stop https://djangoproject.com/security Only contact:
We fix, prenotify and release Please give us time and work with us!

6 OWASP (or: How are we doing)
Taken from: OWASP Top , CC-BY-SA 3.0 (

7 Security in Django SQL/SMTP/OS injections
Authentication and Session management Cross site scripting (XSS) Cross site request forgery (CSRF) Unvalidated redirects and forwards Activation of browser security features

8 Before we start DO NOT TRUST USER INPUT (EVER) pigtailpalsblog.com

9 SQL injections Database adapters
cursor.execute(), .extra(), .raw() & RawSQL() Exploit via: sql = 'select * from auth_user where username=%s' cursor.execute(sql % (username,)) Be safe (same for .extra(), .raw() & RawSQL()): cursor.execute(sql, (username,))

10 OS/LDAP/SMTP/etc. injections
Use Django components instead of rolling your own (storage/ ) Read 3rd party docs (LDAP/os.Popen) Generally: String interpolation is bad

11 DO NOT TRUST USER INPUT (EVER)
Repeating myself DO NOT TRUST USER INPUT (EVER) Everything the browser sends is user input, including EVERY header and filenames/contenttypes in uploads.

12 Auth and session management
What happens during login? (or: why shouldn't I implement it on my own) Authenticate the user Set session_auth_hash Flush/rotate session key Rotate CSRF token Check redirects Set session cookie & redirect

13 In detail Authentication: Compare (safely) against stored password and update if needed session_auth_hash: Sign out all other sessions after password change Change session and CSRF tokens on login to prevent fixation Check next target to ensure that the user stays on the same site

14 Password storage/validation
Multiple Algorithms ootb (bcrypt/PBKDF2/…) Iterations increased every release Upgrade to new algos always possible constant_time_compare Password validators since 1.9 Check length/numeric/common… Enabled only for new projects!

15 Password reset User requests a password reset link Emailed to the user
Link can be used once (!) to reset the password /reset/MQ/46h-6965b6f67bcf041e513a/ User Timestamp HMAC of User.pk, password, last login & timestamp

16 Signing in your code django.core.signing.*
dumps('HI', 'password', 'my_ns') => 'IkhJIg:1ZstkN:IflKlCmedvbp6- y8NYHdF5yBsi8' Includes the data! Adds an optional timestamp (Salted) HMAC over everything

17 XSS Cross-site scripting Reflected or persistent
=> You searched for: banana Often easy and can be very dangerous

18 XSS protection Auto escaping HTML only, not context aware
Replaces < > ' “ & with entities Always use quotes around attributes Javascript requires different escaping var mystr = '{{ value|escapejs }}'; Only for use in strings!

19 XSS Examples Attack: data = "</script><script>alert('xss');//" Worst case (in a script tag): var json = {{ data|dumps|safe }}; A little bit better and visibly broken: var json = {{ data|dumps }}; (Browser dev tools!)

20 XSS Examples 2 Using Django:
var json = JSON.parse('{{ data|escapejs }}'); Or simpler: var json = {{ data|json }}; from django-argonauts Do not use inside attributes!

21 XSS protection 2 Defense in Depth X-XSS-Protection: 1; mode=block
No inline JS, no event handlers Content-Security-Policy (not yet in Django) Check your (filter) libraries & code, many people just do mark_safe(json.dumps())

22 CSRF Cross-site request forgery
<img src='mybank.com/t/?amount=1000&to=ap ollo13'/> Still no kittens and money gone

23 CSRF protection Enabled by default
Does not cover GET/HEAD/OPTIONS/TRACE Server generates random value Put it into form (header for ajax) and cookie Compare values on the server again

24 CSRF protection 2 Why does it work and why can we trust the browser here. Form on evil.com: <form method='post' action='somesite.com'> <input name='csrfmiddlewaretoken' value='?' /> How to get the CSRF token? But you said the value is also in the Cookie!

25 CSRF protection 3 Our implementation is “secure”
(Even if auditors tend to disagree) Changing token via Firebug is NOT a security issue

26 Unvalidated redirects/forwards
Attacker redirects to: /auth/login/?next= After login you are on evil.com! django.utils.http.is_safe_url More comments than code → hard to get right

27 Security checklist ./manage.py check --deploy
System check identified 9 issues (0 silenced). DEBUG = False, SECRET_KEY is secret Enable SECURE_* settings *_COOKIE_(SECURE|HTTPONLY) = True X_FRAME_OPTIONS = 'DENY'

28 TODO in Django Implement rate limiting (for login etc)
2FA (TOTP & U2F as reference implementations) CSRF improvements (#16859) JSON filter for templates?

29 Even more TODOs Enhance SecurityMiddleware
(github.com/twitter/secureheaders) Implement Content-Security-Policy (admin & #15727 ) Limit POST data length & number (#21231)

30 Questions? & Thank you!

Download ppt "Security in Django."

Similar presentations

Nick Feamster CS 6262 Spring 2009

Nick Feamster CS 6262 Spring 2009
HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.

HI-TEC 2011 SQL Injection. Client’s Browser HTTP or HTTPS Web Server Apache or IIS HTML Forms CGI Scripts Database SQL Server or Oracle or MySQL ODBC.
Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!

Don’t get Stung (An introduction to the OWASP Top Ten Project) Barry Dorrans Microsoft Information Security Tools NEW AND IMPROVED!
©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane

©2009 Justin C. Klein Keane PHP Code Auditing Session 5 XSS & XSRF Justin C. Klein Keane
1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.

1 Project 2: Web App Security Collin Jackson CS 155 Spring 2007.
Copyright © 2004 - The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation.
Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.

Information Networking Security and Assurance Lab National Chung Cheng University The Ten Most Critical Web Application Security Vulnerabilities Ryan J.W.
It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.

It’s always better live. MSDN Events Securing Web Applications Part 1 of 2 Understanding Threats and Attacks.
Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.

Introduction to the OWASP Top 10. Cross Site Scripting (XSS)  Comes in several flavors:  Stored  Reflective  DOM-Based.
Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software

Handling Security Threats in Kentico CMS Karol Jarkovsky Sr. Solution Architect Kentico Software
WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.

WEB SECURITY WORKSHOP TEXSAW 2013 Presented by Joshua Hammond Prepared by Scott Hand.
Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 

Web Application Vulnerabilities Checklist. EC-Council Parameter Checklist  URL request  URL encoding  Query string  Header  Cookie  Form field 
Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)

Introduction to InfoSec – Recitation 10 Nir Krakowski (nirkrako at post.tau.ac.il) Itamar Gilad (itamargi at post.tau.ac.il)
OWASP Zed Attack Proxy Project Lead

OWASP Zed Attack Proxy Project Lead
Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.

Origins, Cookies and Security – Oh My! John Kemp, Nokia Mobile Solutions.
WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.

WEB SECURITY WEEK 3 Computer Security Group University of Texas at Dallas.
CSCI 6962: Server-side Design and Programming Secure Web Programming.

CSCI 6962: Server-side Design and Programming Secure Web Programming.
Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.

Lecture 14 – Web Security SFDV3011 – Advanced Web Development 1.
© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.

© All rights reserved. Zend Technologies, Inc. PHP Security Kevin Schroeder Zend Technologies.
November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

November 13, 2008 Ohio Information Security Forum Attack Surface of Web Applications James Walden Northern Kentucky University

Similar presentations

Ads by Google