SlideShare una empresa de Scribd logo

Case Study of Django: Web Frameworks that are Secure by Default

Descargar como PPTX, PDF
Mohammed ALDOUB
Mohammed ALDOUB

A case study of security features inside the popular python-based web framework, Django. Made by Mohammed ALDOUB (@Voulnet)

Tecnología
1 de 34
A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
• Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
• Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
• Django is used by many popular websites/services:
Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!

Recomendados

WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
KuldeepPandya5
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 

Recomendados

WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
Scott Sutherland
 
Vulnerabilities in modern web applications
Vulnerabilities in modern web applicationsVulnerabilities in modern web applications
Vulnerabilities in modern web applications
Niyas Nazar
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
KuldeepPandya5
 
Secure code
Secure codeSecure code
Secure code
ddeogun
 
Thick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdfThick Client Penetration Testing.pdf
Thick Client Penetration Testing.pdf
SouvikRoy114738
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
Mohammed Danish Amber
 
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Copy & Pest - A case-study on the clipboard, blind trust and invisible cross-...
Mario Heiderich
 
Using Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security MonitoringUsing Canary Honeypots for Network Security Monitoring
Using Canary Honeypots for Network Security Monitoring
chrissanders88
 
Secure code practices
Secure code practicesSecure code practices
Secure code practices
Hina Rawal
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
Christian Heinrich
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
Mohammed Akbar Shariff
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
bugcrowd
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
Christopher Korban
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
Mahendra Pratap Singh
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Soroush Dalili
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
Tariq Islam
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
OWASP Delhi
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
G Prachi
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Brian Huff
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
Sam Bowne
 
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA (European Emergency Number Association)
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
bugcrowd
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
Vi Tính Hoàng Nam
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
Kashyap Mandaliya
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
Will Schroeder
 
Common malware and countermeasures
Common malware and countermeasuresCommon malware and countermeasures
Common malware and countermeasures
Noushin Ahson
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin Policy
Fabrizio Farinacci
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case Studies
Leo TechnoSoft
 

Más contenido relacionado

La actualidad más candente

Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
Denim Group
 

La actualidad más candente (20)

Secure code practices
Secure code practicesSecure code practices
Secure code practices
 
OWASP Top Ten
OWASP Top TenOWASP Top Ten
OWASP Top Ten
 
Nmap and metasploitable
Nmap and metasploitableNmap and metasploitable
Nmap and metasploitable
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018Purple Teaming with ATT&CK - x33fcon 2018
Purple Teaming with ATT&CK - x33fcon 2018
 
Snort IDS/IPS Basics
Snort IDS/IPS BasicsSnort IDS/IPS Basics
Snort IDS/IPS Basics
 
Security Testing Mobile Applications
Security Testing Mobile ApplicationsSecurity Testing Mobile Applications
Security Testing Mobile Applications
 
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 EditionGoing Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
Going Beyond Microsoft IIS Short File Name Disclosure - NahamCon 2023 Edition
 
A5: Security Misconfiguration
A5: Security Misconfiguration A5: Security Misconfiguration
A5: Security Misconfiguration
 
Owasp top 10 vulnerabilities
Owasp top 10 vulnerabilitiesOwasp top 10 vulnerabilities
Owasp top 10 vulnerabilities
 
Exploitation techniques and fuzzing
Exploitation techniques and fuzzingExploitation techniques and fuzzing
Exploitation techniques and fuzzing
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)Top 10 Web Security Vulnerabilities (OWASP Top 10)
Top 10 Web Security Vulnerabilities (OWASP Top 10)
 
CNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 DisassemblyCNIT 126 4: A Crash Course in x86 Disassembly
CNIT 126 4: A Crash Course in x86 Disassembly
 
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
EENA 2021: Keynote – Open-Source Intelligence (OSINT) for emergency services ...
 
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
How to Shot Web - Jason Haddix at DEFCON 23 - See it Live: Details in Descrip...
 
Ceh v5 module 04 enumeration
Ceh v5 module 04 enumerationCeh v5 module 04 enumeration
Ceh v5 module 04 enumeration
 
VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )VULNERABILITY ( CYBER SECURITY )
VULNERABILITY ( CYBER SECURITY )
 
Building an Empire with PowerShell
Building an Empire with PowerShellBuilding an Empire with PowerShell
Building an Empire with PowerShell
 
Common malware and countermeasures
Common malware and countermeasuresCommon malware and countermeasures
Common malware and countermeasures
 
The Same-Origin Policy
The Same-Origin PolicyThe Same-Origin Policy
The Same-Origin Policy
 

Destacado

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
levigross
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
Igor Bossenko
 

Destacado (18)

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case Studies
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Django book20 security
Django book20 securityDjango book20 security
Django book20 security
 
Comparing web frameworks
Comparing web frameworksComparing web frameworks
Comparing web frameworks
 
Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
 
Evil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersEvil Shell: Hacking Linux Users
Evil Shell: Hacking Linux Users
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!
 
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
 
[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
The Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationThe Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital Transformation
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 

Similar a Case Study of Django: Web Frameworks that are Secure by Default

Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
IBM Security
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
Security Innovation
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Michael Pirnat
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
Brian Huff
 

Similar a Case Study of Django: Web Frameworks that are Secure by Default (20)

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Security testing
Security testingSecurity testing
Security testing
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSS
 

Último

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
Delhi Call girls
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
Earley Information Science
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
Enterprise Knowledge
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 

Último (20)

04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 

Case Study of Django: Web Frameworks that are Secure by Default

  • 1. A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
  • 2. Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
  • 3. Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
  • 4. Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
  • 5. Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
  • 6. Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
  • 7. • Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
  • 8. • Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
  • 9. • Django is used by many popular websites/services:
  • 10. Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
  • 11. User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
  • 12. User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
  • 13. User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
  • 14. Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
  • 15. Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
  • 16. Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
  • 17. Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
  • 18.
  • 19. Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
  • 20. SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
  • 21.
  • 22. SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
  • 23. SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
  • 24. Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
  • 25. Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
  • 26. Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
  • 27. Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
  • 28.
  • 29. Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
  • 30. E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
  • 31. E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
  • 32. Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
  • 33. References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
  • 34. Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!