SlideShare uma empresa Scribd logo

Case Study of Django: Web Frameworks that are Secure by Default

Transferir como PPTX, PDF
Mohammed ALDOUB
Mohammed ALDOUB

A case study of security features inside the popular python-based web framework, Django. Made by Mohammed ALDOUB (@Voulnet)

Tecnologia
1 de 34
A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
• Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
• Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
• Django is used by many popular websites/services:
Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!

Recomendados

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Semantic Web
Semantic WebSemantic Web
Semantic Web
hardchiu
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
tour management system
tour management systemtour management system
tour management system
Khwaja Yunus Ali Medical College and Hospital
 
Ai and traffic management application v1.0
Ai and traffic management application v1.0Ai and traffic management application v1.0
Ai and traffic management application v1.0
Jorge Sebastiao
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
Proxy log review and use cases
Proxy log review and use casesProxy log review and use cases
Proxy log review and use cases
Mostafa Yahia
 
ITSM Deep Dive: Prioritization, Escalation, and Alerting
ITSM Deep Dive: Prioritization, Escalation, and AlertingITSM Deep Dive: Prioritization, Escalation, and Alerting
ITSM Deep Dive: Prioritization, Escalation, and Alerting
Jesse Andrew
 

Recomendados

Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
Avinash Thapa
 
Semantic Web
Semantic WebSemantic Web
Semantic Web
hardchiu
 
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ BehaviourWAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
WAF Bypass Techniques - Using HTTP Standard and Web Servers’ Behaviour
Soroush Dalili
 
tour management system
tour management systemtour management system
tour management system
Khwaja Yunus Ali Medical College and Hospital
 
Ai and traffic management application v1.0
Ai and traffic management application v1.0Ai and traffic management application v1.0
Ai and traffic management application v1.0
Jorge Sebastiao
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
Proxy log review and use cases
Proxy log review and use casesProxy log review and use cases
Proxy log review and use cases
Mostafa Yahia
 
ITSM Deep Dive: Prioritization, Escalation, and Alerting
ITSM Deep Dive: Prioritization, Escalation, and AlertingITSM Deep Dive: Prioritization, Escalation, and Alerting
ITSM Deep Dive: Prioritization, Escalation, and Alerting
Jesse Andrew
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Travel and tourism management it project ppt
Travel and tourism management it project pptTravel and tourism management it project ppt
Travel and tourism management it project ppt
Madhukar Kumar
 
CS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit IICS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit II
pkaviya
 
Offensive Payment Security
Offensive Payment SecurityOffensive Payment Security
Offensive Payment Security
Payment Village
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
Jannis Kirschner
 
Travel website.pptx
Travel website.pptxTravel website.pptx
Travel website.pptx
rishabdey8
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
NUS-ISS
 
Tutorial on Web Scraping in Python
Tutorial on Web Scraping in PythonTutorial on Web Scraping in Python
Tutorial on Web Scraping in Python
Nithish Raghunandanan
 
Project Proposal document for Hotel Management System
Project Proposal document for Hotel Management SystemProject Proposal document for Hotel Management System
Project Proposal document for Hotel Management System
Charitha Gamage
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
Austin Gil
 
Visitor management system
Visitor management systemVisitor management system
Visitor management system
Rohit Talukdar
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
Web Scraping
Web ScrapingWeb Scraping
Web Scraping
Carlos Rodriguez
 
Travel Package Management System
Travel Package Management SystemTravel Package Management System
Travel Package Management System
Santanu Pattanayak
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
hardik soni
 
What is Web-scraping?
What is Web-scraping?What is Web-scraping?
What is Web-scraping?
Yu-Chang Ho
 
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
Flink Forward
 
E mail image spam filtering techniques
E mail image spam filtering techniquesE mail image spam filtering techniques
E mail image spam filtering techniques
ranjit banshpal
 
Presentation on driverless cars by shahin hussan
Presentation on driverless cars by shahin hussan Presentation on driverless cars by shahin hussan
Presentation on driverless cars by shahin hussan
Shahinhussan
 
Practical Introduction to Web scraping using R
Practical Introduction to Web scraping using RPractical Introduction to Web scraping using R
Practical Introduction to Web scraping using R
Rsquared Academy
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case Studies
Leo TechnoSoft
 

Mais conteúdo relacionado

Mais procurados

The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
NUS-ISS
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
CODE BLUE
 
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
Flink Forward
 

Mais procurados (20)

Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Travel and tourism management it project ppt
Travel and tourism management it project pptTravel and tourism management it project ppt
Travel and tourism management it project ppt
 
CS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit IICS6010 Social Network Analysis Unit II
CS6010 Social Network Analysis Unit II
 
Offensive Payment Security
Offensive Payment SecurityOffensive Payment Security
Offensive Payment Security
 
Web Application Security 101
Web Application Security 101Web Application Security 101
Web Application Security 101
 
Travel website.pptx
Travel website.pptxTravel website.pptx
Travel website.pptx
 
The Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital TransformationThe Importance of Cybersecurity for Digital Transformation
The Importance of Cybersecurity for Digital Transformation
 
Tutorial on Web Scraping in Python
Tutorial on Web Scraping in PythonTutorial on Web Scraping in Python
Tutorial on Web Scraping in Python
 
Project Proposal document for Hotel Management System
Project Proposal document for Hotel Management SystemProject Proposal document for Hotel Management System
Project Proposal document for Hotel Management System
 
Content Security Policy
Content Security PolicyContent Security Policy
Content Security Policy
 
Visitor management system
Visitor management systemVisitor management system
Visitor management system
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Web Scraping
Web ScrapingWeb Scraping
Web Scraping
 
Travel Package Management System
Travel Package Management SystemTravel Package Management System
Travel Package Management System
 
Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)Security Information and Event Management (SIEM)
Security Information and Event Management (SIEM)
 
What is Web-scraping?
What is Web-scraping?What is Web-scraping?
What is Web-scraping?
 
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
FlinkDTW: Time-series Pattern Search at Scale Using Dynamic Time Warping - Ch...
 
E mail image spam filtering techniques
E mail image spam filtering techniquesE mail image spam filtering techniques
E mail image spam filtering techniques
 
Presentation on driverless cars by shahin hussan
Presentation on driverless cars by shahin hussan Presentation on driverless cars by shahin hussan
Presentation on driverless cars by shahin hussan
 
Practical Introduction to Web scraping using R
Practical Introduction to Web scraping using RPractical Introduction to Web scraping using R
Practical Introduction to Web scraping using R
 

Destaque

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 

Destaque (18)

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case Studies
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Django book20 security
Django book20 securityDjango book20 security
Django book20 security
 
Comparing web frameworks
Comparing web frameworksComparing web frameworks
Comparing web frameworks
 
Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
 
Evil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersEvil Shell: Hacking Linux Users
Evil Shell: Hacking Linux Users
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!
 
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
 
[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
The Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationThe Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital Transformation
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 

Semelhante a Case Study of Django: Web Frameworks that are Secure by Default

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
SilverGold16
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 

Semelhante a Case Study of Django: Web Frameworks that are Secure by Default (20)

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Security testing
Security testingSecurity testing
Security testing
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
Andrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.pptAndrews whitakrer lecture18-security.ppt
Andrews whitakrer lecture18-security.ppt
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 

Último

From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 

Último (20)

Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
Bajaj Allianz Life Insurance Company - Insurer Innovation Award 2024
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

Case Study of Django: Web Frameworks that are Secure by Default

  • 1. A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
  • 2. Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
  • 3. Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
  • 4. Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
  • 5. Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
  • 6. Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
  • 7. • Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
  • 8. • Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
  • 9. • Django is used by many popular websites/services:
  • 10. Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
  • 11. User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
  • 12. User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
  • 13. User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
  • 14. Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
  • 15. Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
  • 16. Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
  • 17. Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
  • 18.
  • 19. Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
  • 20. SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
  • 21.
  • 22. SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
  • 23. SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
  • 24. Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
  • 25. Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
  • 26. Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
  • 27. Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
  • 28.
  • 29. Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
  • 30. E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
  • 31. E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
  • 32. Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
  • 33. References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
  • 34. Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!