SlideShare una empresa de Scribd logo

The net is dark and full of terrors - James Bennett

L
Leo Zhou

Django Con Euro 2015

Tecnología
1 de 65
Descargar para leer sin conexión
T H E N E T I S D A R K A N D F U L L O F T E R R O R S J A M E S B E N N E T T · D J A N G O C O N E U R O P E · 3 R D J U N E 2 0 1 5
W H O I A M Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django’s release and security process ~8 years
W H AT T H I S I S History of Django and security How Django tries to protect you Some ways we’ve screwed up and what you can learn from that
S E C U R I T Y I S H A R D
I N T H E B E G I N N I N G …
D J A N G O ’ S F I R S T V U L N E R A B I L I T Y 1 6 T H A U G U S T 2 0 0 6 C V E - 2 0 0 7 - 0 4 0 4
N I N E Y E A R S A N D 4 8 M O R E S E C U R I T Y I S S U E S L AT E R …
D J A N G O ’ S L AT E S T V U L N E R A B I L I T Y 2 0 T H M A Y 2 0 1 5 C V E - 2 0 1 5 - 3 9 8 2
Security issues are archived in the documentation: https://docs.djangoproject.com/en/dev/ releases/security/
2 0 0 7 · P R E - 1 . 0 I N F O R M A L S E C U R I T Y P R O C E S S 2 0 0 8 · D J A N G O 1 . 0 T E M P L AT E A U T O E S C A P I N G 2 0 1 0 · D J A N G O 1 . 2 M O D E R N C S R F P R O T E C T I O N 2 0 1 2 · D J A N G O 1 . 4 H A S H I N G , C RY P T O , S I G N E D C O O K I E S , C L I C K J A C K I N G , S E N S I T I V E E R R O R S , F O R M A L S E C U R I T Y P R O C E S S
2 0 1 3 · D J A N G O 1 . 5 · D J A N G O 1 . 6 H O S T H E A D E R H A R D E N I N G , I N C R E A S E D H A S H I T E R AT I O N S , H A S H T R U N C AT I O N 2 0 1 4 · D J A N G O 1 . 7 S Y S T E M C H E C K F R A M E W O R K 2 0 1 5 · D J A N G O 1 . 8 S E C U R I T Y M I D D L E WA R E , D E P L O Y M E N T C H E C K
D J A N G O ’ S S E C U R I T Y P R O C E S S
TL;DR: email security@djangoproject.com if you think you’ve found a security issue in Django. Full security policy always accessible at https://www.djangoproject.com/security/
S E C U R I T Y I S S U E V E R I F I C AT I O N Try out a proof-of-concept, if provided Coordinate with reporter for more info if needed Once verified, begin tracking issue (privately)
S E C U R I T Y PAT C H I N G P R O C E S S Patches submitted in private tracker (only core team has access) Reviewed and, if needed, ported to multiple versions of Django
S E C U R I T Y N O T I F I C AT I O N P R O C E S S Request a CVE identifier for the issue One week prior to release, send to our security notification list Pre-notification can be abbreviated for issues already public/exploited
S E C U R I T Y R E L E A S E P R O C E S S Patches merged from private security branches to public GitHub repository Releases issued with blog post containing details of issue(s) and CVE identifier(s) Spam ALL the social media sites!
The goals of our process are to ensure responsible reporting and disclosure of security issues.
D J A N G O V S . T H E O WA S P T O P T E N
https://www.owasp.org/index.php/ Category:OWASP_Top_Ten_Project
Injection attacks ✅ Authentication and session management ✅ Cross-site scripting (XSS) ✅ Direct object references ✅ Misconfiguration ✅
Sensitive data exposure ✅ Function level access control ✅ Cross-site request forgery (CSRF) ✅ Components with known vulnerabilities ✅ Unvalidated redirects and forwards ✅
A B O V E A N D B E Y O N D
Django tries very hard to be secure-by-default, and to offer the tools you need to harden your applications beyond the common cases.
However…
W H Y D O W E FA L L ?
W H Y D O W E FA L L ?
W H Y D O W E FA I L ?
– T H E D J A N G O T E A M , C I R C A 2 0 0 7 “Parsing the Accept-Language header is expensive to do every time, let’s do it once per unique value and cache the results!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Let’s use a one-time base36 token to do password resets!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Formsets need to dynamically grow the number of forms they use!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Restrictions on password length are dumb! Long passwords are better!”
CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
P Y T H O N I S G R E AT No buffer overflows But you can still DoS yourself if you’re not careful We learned this the hard way so you shouldn’t have to
S T O P D O S ’ I N G Y O U R S E L F Sanity-check your inputs for length before you start processing them Yes, even passwords (when appropriate)! Configure your web server to cap the length of HTTP headers and request bodies
– T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should really check whether the URL exists before accepting the value!”
– T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should accept anything that matches the format of a valid URL!”
– T H E D J A N G O T E A M , C I R C A 2 0 0 6 “EmailField should accept anything that matches the format of a valid email address!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Checking for corrupt image files is easy, we can just use PIL’s routines for that!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Most image formats store metadata in a header, let’s find it by only reading a few bytes at a time!”
CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
T H E B I G O Expresses upper bound on your algorithm Also, apparently, an anime But more important is the “upper bound” bit
– A C T U A L LY A V E RY U S E F U L Q U E S T I O N “What’s the worst that could happen?”
N O R E A L LY, S T O P D O S ’ I N G Y O U R S E L F ! Figure out how much work your code should do Then figure out whether you can make it do more Then figure out ways to ensure it does less Some issues (compressed formats, incremental reads, pathological regex, etc.) have been around forever — read up on them!
(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(? =[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)? [ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?: rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?: (?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)|(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)? [ t])*)*:(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?: (?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)? [ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;: ".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:r n)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)(?:,s*(?:(?:[^()<>@,;:". [] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+ (?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:. (?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?: rn)?[ t])*))*)?;s*)
– T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Values of cookies we’ve set can be trusted!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Admin users can be trusted with a bit of the lookup API!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 1 “We can trust the browser same-origin sandbox!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “We can trust admin users with the history log!”
– T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Once we’ve validated a value and stored it, we can trust it!”
CVE-2010-3082 XSS via trusting unsafe cookie value CVE-2010-4534 Information leakage in administrative interface CVE-2011-0696 CSRF via forged HTTP headers CVE-2013-0305 Information leakage via admin history log NO CVE, DISCLOSED 2013-08-13 XSS via admin trusting URLField values
– T H E D J A N G O T E A M , O V E R A N D O V E R A G A I N … “We can trust the HTTP Host header now!”
CVE-2011-4139 Host header cache poisoning CVE-2011-4140 Potential CSRF via Host header CVE-2012-4520 Host header poisoning ADVISORY, 2012-12-10 Additional hardening of Host header handling ADVISORY, 2013-02-19 Additional hardening of Host header handling
“I did warn you not to trust me.”
T H E R E I S N O S U C H T H I N G A S “ S E C U R E ”
W H Y D O W E FA L L ?
❓
Q U O T E S / I M A G E S http://www.marriedtothesea.com/index.php?date=012710 http://en.wikipedia.org/wiki/File:Selfmade_Big_O.png http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html http://highlighthollywood.com/2015/02/game-of-thrones-actor-aidan- gillen-lord-petyr-baelish-talks-season-5-sansa-and-little-finger- highlight-hollywood-news/ http://x-files.wikia.com/wiki/File:Trust_No_One_tagline.jpg http://www.slideshare.net/ChristofHammel/process-iceberg-21703547

Recomendados

Wireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) wwWireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) ww
yesumanitvr
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible Interference
Julie Tsai
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
Reality Net System Solutions
 
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre..."2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
Yandex
 
DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC
Men and Mice
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Ricardo Fanjul Fandiño
 
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud BackendsoFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
June Park
 
Adaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text NormalizationAdaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text Normalization
Yunyao Li
 

Recomendados

Wireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) wwWireless crime and forensic investigation g. kipper (auerbach, 2007) ww
Wireless crime and forensic investigation g. kipper (auerbach, 2007) ww
yesumanitvr
 
API Security: Assume Possible Interference
API Security: Assume Possible InterferenceAPI Security: Assume Possible Interference
API Security: Assume Possible Interference
Julie Tsai
 
(in)Secure Secret Zone
(in)Secure Secret Zone(in)Secure Secret Zone
(in)Secure Secret Zone
Reality Net System Solutions
 
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre..."2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
"2Fac: Facebook's internal multi-factor authentication". Tim Tickel, Chad Gre...
Yandex
 
DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC DNS fragmentation attacks - the dangers of not validating DNSSEC
DNS fragmentation attacks - the dangers of not validating DNSSEC
Men and Mice
 
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Designing a Horizontally Scalable Event-Driven Big Data Architecture with Apa...
Ricardo Fanjul Fandiño
 
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud BackendsoFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
soFrida Dynamic Analysis Tool for Mobile Apps with Cloud Backend
June Park
 
Adaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text NormalizationAdaptive Parser-Centric Text Normalization
Adaptive Parser-Centric Text Normalization
Yunyao Li
 
Nra Background Checks
Nra Background ChecksNra Background Checks
Nra Background Checks
eminentsilhouet88
 
Retail Banking_Cyber Fraud
Retail Banking_Cyber FraudRetail Banking_Cyber Fraud
Retail Banking_Cyber Fraud
Nataliya Frolova
 
Pradeep CV
Pradeep CVPradeep CV
Pradeep CV
Pradeep Kumar
 
Presentacion
Presentacion Presentacion
Presentacion
manuelsuarez14769
 
Capacitacion docente laptop xo
Capacitacion docente laptop xoCapacitacion docente laptop xo
Capacitacion docente laptop xo
Becker Morales Collao
 
Barcode
BarcodeBarcode
Barcode
paisan1
 
WIM_Lessard Interview 2015
WIM_Lessard Interview 2015WIM_Lessard Interview 2015
WIM_Lessard Interview 2015
Chantae Lessard
 
Carátula
CarátulaCarátula
Carátula
Agustín Fernandez
 
Estudios de gabinete
Estudios de gabineteEstudios de gabinete
Estudios de gabinete
german9571
 
Maxillary permanent incisors
Maxillary permanent incisorsMaxillary permanent incisors
Maxillary permanent incisors
MO'men AbuDaif
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
Yi-Hsueh Tsai
 
Cocoa
CocoaCocoa
Cocoa
Belencitha Leon
 
Message de solidarité de l'UIA
Message de solidarité de l'UIAMessage de solidarité de l'UIA
Message de solidarité de l'UIA
JLMB
 
Data Modelling at Scale
Data Modelling at ScaleData Modelling at Scale
Data Modelling at Scale
David Simons
 
Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!
Scott Sosna
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
University of Hertfordshire
 
Meteor WWNRW Intro
Meteor WWNRW IntroMeteor WWNRW Intro
Meteor WWNRW Intro
Stephan Hochhaus
 
10 d bs in 30 minutes
10 d bs in 30 minutes10 d bs in 30 minutes
10 d bs in 30 minutes
David Simons
 
Switching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileSwitching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to Agile
Doc Norton
 
Choosing the right database
Choosing the right databaseChoosing the right database
Choosing the right database
David Simons
 
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Amazon Web Services
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
Abhishek Sharma
 

Más contenido relacionado

Destacado

Retail Banking_Cyber Fraud
Retail Banking_Cyber FraudRetail Banking_Cyber Fraud
Retail Banking_Cyber Fraud
Nataliya Frolova
 
WIM_Lessard Interview 2015
WIM_Lessard Interview 2015WIM_Lessard Interview 2015
WIM_Lessard Interview 2015
Chantae Lessard
 

Destacado (13)

Nra Background Checks
Nra Background ChecksNra Background Checks
Nra Background Checks
 
Retail Banking_Cyber Fraud
Retail Banking_Cyber FraudRetail Banking_Cyber Fraud
Retail Banking_Cyber Fraud
 
Pradeep CV
Pradeep CVPradeep CV
Pradeep CV
 
Presentacion
Presentacion Presentacion
Presentacion
 
Capacitacion docente laptop xo
Capacitacion docente laptop xoCapacitacion docente laptop xo
Capacitacion docente laptop xo
 
Barcode
BarcodeBarcode
Barcode
 
WIM_Lessard Interview 2015
WIM_Lessard Interview 2015WIM_Lessard Interview 2015
WIM_Lessard Interview 2015
 
Carátula
CarátulaCarátula
Carátula
 
Estudios de gabinete
Estudios de gabineteEstudios de gabinete
Estudios de gabinete
 
Maxillary permanent incisors
Maxillary permanent incisorsMaxillary permanent incisors
Maxillary permanent incisors
 
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GCS1 154010 Summary of CEPT Report 52 regarding BDA2GC
S1 154010 Summary of CEPT Report 52 regarding BDA2GC
 
Cocoa
CocoaCocoa
Cocoa
 
Message de solidarité de l'UIA
Message de solidarité de l'UIAMessage de solidarité de l'UIA
Message de solidarité de l'UIA
 

Similar a The net is dark and full of terrors - James Bennett

Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
University of Hertfordshire
 
10 d bs in 30 minutes
10 d bs in 30 minutes10 d bs in 30 minutes
10 d bs in 30 minutes
David Simons
 
Switching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileSwitching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to Agile
Doc Norton
 
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Amazon Web Services
 
Nuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitNuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summit
Greta Strolyte
 

Similar a The net is dark and full of terrors - James Bennett (20)

Data Modelling at Scale
Data Modelling at ScaleData Modelling at Scale
Data Modelling at Scale
 
Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!Demonolithing The Monolith? Bullocks!
Demonolithing The Monolith? Bullocks!
 
Cyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile WorldCyber Security in a Fully Mobile World
Cyber Security in a Fully Mobile World
 
Meteor WWNRW Intro
Meteor WWNRW IntroMeteor WWNRW Intro
Meteor WWNRW Intro
 
10 d bs in 30 minutes
10 d bs in 30 minutes10 d bs in 30 minutes
10 d bs in 30 minutes
 
Switching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to AgileSwitching horses midstream - From Waterfall to Agile
Switching horses midstream - From Waterfall to Agile
 
Choosing the right database
Choosing the right databaseChoosing the right database
Choosing the right database
 
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
Create an IoT Gateway and Establish a Data Pipeline to AWS IoT with Intel - I...
 
Artificial Intelligence and Machine Learning
Artificial Intelligence and Machine LearningArtificial Intelligence and Machine Learning
Artificial Intelligence and Machine Learning
 
Reducing Resistance: Deployment as Surface
Reducing Resistance: Deployment as SurfaceReducing Resistance: Deployment as Surface
Reducing Resistance: Deployment as Surface
 
DevOps introduction
DevOps introductionDevOps introduction
DevOps introduction
 
Nuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summitNuno Job - what's next for software - ANDdigital tech summit
Nuno Job - what's next for software - ANDdigital tech summit
 
Gain Maximum Visibility into Your Applications
Gain Maximum Visibility into Your Applications Gain Maximum Visibility into Your Applications
Gain Maximum Visibility into Your Applications
 
eHarmony @ Phoenix Con 2016
eHarmony @ Phoenix Con 2016eHarmony @ Phoenix Con 2016
eHarmony @ Phoenix Con 2016
 
100% Visibility - Jason Yee - Codemotion Amsterdam 2018
100% Visibility - Jason Yee - Codemotion Amsterdam 2018100% Visibility - Jason Yee - Codemotion Amsterdam 2018
100% Visibility - Jason Yee - Codemotion Amsterdam 2018
 
Pro Dev Day 2018 - Passwords are Dead
Pro Dev Day 2018 - Passwords are DeadPro Dev Day 2018 - Passwords are Dead
Pro Dev Day 2018 - Passwords are Dead
 
Choosing the Right Database
Choosing the Right DatabaseChoosing the Right Database
Choosing the Right Database
 
CIA For WordPress Developers
CIA For WordPress DevelopersCIA For WordPress Developers
CIA For WordPress Developers
 
Mock proposal for digitisation project
Mock proposal for digitisation projectMock proposal for digitisation project
Mock proposal for digitisation project
 
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS SummitGain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
Gain Maximum Visibility into Your Applications - DEM03 - Chicago AWS Summit
 

Más de Leo Zhou

1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑
Leo Zhou
 
1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用
Leo Zhou
 
Protocol libraries the right way
Protocol libraries the right wayProtocol libraries the right way
Protocol libraries the right way
Leo Zhou
 
特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践
Leo Zhou
 

Más de Leo Zhou (20)

第三名 3rd zhyict
第三名 3rd zhyict第三名 3rd zhyict
第三名 3rd zhyict
 
异常检测在苏宁的实践
异常检测在苏宁的实践异常检测在苏宁的实践
异常检测在苏宁的实践
 
第二名 2nd 火眼金睛
第二名 2nd 火眼金睛第二名 2nd 火眼金睛
第二名 2nd 火眼金睛
 
第四名 4th H3C AI Institute
第四名 4th H3C AI Institute第四名 4th H3C AI Institute
第四名 4th H3C AI Institute
 
第一名 1st Bocoiops
第一名 1st Bocoiops第一名 1st Bocoiops
第一名 1st Bocoiops
 
第六名 6th Aurora
第六名 6th Aurora第六名 6th Aurora
第六名 6th Aurora
 
AI使能网络自动驾驶 AI Building Autonomous Driving Network
AI使能网络自动驾驶 AI Building Autonomous Driving NetworkAI使能网络自动驾驶 AI Building Autonomous Driving Network
AI使能网络自动驾驶 AI Building Autonomous Driving Network
 
2.2 go在阿里云cdn系统的应用
2.2 go在阿里云cdn系统的应用2.2 go在阿里云cdn系统的应用
2.2 go在阿里云cdn系统的应用
 
1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb1.6 米嘉 gobuildweb
1.6 米嘉 gobuildweb
 
1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑1.4 go在数据存储上面的应用—毛剑
1.4 go在数据存储上面的应用—毛剑
 
1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用1.2 刘奇 go在分布式数据库中的应用
1.2 刘奇 go在分布式数据库中的应用
 
Protocol libraries the right way
Protocol libraries the right wayProtocol libraries the right way
Protocol libraries the right way
 
美团数据库运维平台介绍
美团数据库运维平台介绍美团数据库运维平台介绍
美团数据库运维平台介绍
 
特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践特卖场景下的大数据平台和机器学习实践
特卖场景下的大数据平台和机器学习实践
 
我的互联网运维理论与实践
我的互联网运维理论与实践我的互联网运维理论与实践
我的互联网运维理论与实践
 
如何选择 Docker 监控方案
如何选择 Docker 监控方案如何选择 Docker 监控方案
如何选择 Docker 监控方案
 
美团数据库运维平台介绍
美团数据库运维平台介绍美团数据库运维平台介绍
美团数据库运维平台介绍
 
Hypothesis randomised testing for django
Hypothesis randomised testing for djangoHypothesis randomised testing for django
Hypothesis randomised testing for django
 
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
NoSQL@VIP — 唯品会NoSQL平台⾃动化发展及运维经验分享
 
动静态混合网站或 APP的CDN优化方法
动静态混合网站或 APP的CDN优化方法动静态混合网站或 APP的CDN优化方法
动静态混合网站或 APP的CDN优化方法
 

Último

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
Enterprise Knowledge
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
Delhi Call girls
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
Enterprise Knowledge
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
vu2urc
 

Último (20)

IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
Boost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdfBoost Fertility New Invention Ups Success Rates.pdf
Boost Fertility New Invention Ups Success Rates.pdf
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
How to convert PDF to text with Nanonets
How to convert PDF to text with NanonetsHow to convert PDF to text with Nanonets
How to convert PDF to text with Nanonets
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 

The net is dark and full of terrors - James Bennett

  • 1. T H E N E T I S D A R K A N D F U L L O F T E R R O R S J A M E S B E N N E T T · D J A N G O C O N E U R O P E · 3 R D J U N E 2 0 1 5
  • 2. W H O I A M Working with Django 9 years, 5 at Lawrence Journal- World Commit bit since 2007 Involved in Django’s release and security process ~8 years
  • 3. W H AT T H I S I S History of Django and security How Django tries to protect you Some ways we’ve screwed up and what you can learn from that
  • 4. S E C U R I T Y I S H A R D
  • 5. I N T H E B E G I N N I N G …
  • 6. D J A N G O ’ S F I R S T V U L N E R A B I L I T Y 1 6 T H A U G U S T 2 0 0 6 C V E - 2 0 0 7 - 0 4 0 4
  • 7. N I N E Y E A R S A N D 4 8 M O R E S E C U R I T Y I S S U E S L AT E R …
  • 8. D J A N G O ’ S L AT E S T V U L N E R A B I L I T Y 2 0 T H M A Y 2 0 1 5 C V E - 2 0 1 5 - 3 9 8 2
  • 9. Security issues are archived in the documentation: https://docs.djangoproject.com/en/dev/ releases/security/
  • 10. 2 0 0 7 · P R E - 1 . 0 I N F O R M A L S E C U R I T Y P R O C E S S 2 0 0 8 · D J A N G O 1 . 0 T E M P L AT E A U T O E S C A P I N G 2 0 1 0 · D J A N G O 1 . 2 M O D E R N C S R F P R O T E C T I O N 2 0 1 2 · D J A N G O 1 . 4 H A S H I N G , C RY P T O , S I G N E D C O O K I E S , C L I C K J A C K I N G , S E N S I T I V E E R R O R S , F O R M A L S E C U R I T Y P R O C E S S
  • 11. 2 0 1 3 · D J A N G O 1 . 5 · D J A N G O 1 . 6 H O S T H E A D E R H A R D E N I N G , I N C R E A S E D H A S H I T E R AT I O N S , H A S H T R U N C AT I O N 2 0 1 4 · D J A N G O 1 . 7 S Y S T E M C H E C K F R A M E W O R K 2 0 1 5 · D J A N G O 1 . 8 S E C U R I T Y M I D D L E WA R E , D E P L O Y M E N T C H E C K
  • 12. D J A N G O ’ S S E C U R I T Y P R O C E S S
  • 13. TL;DR: email security@djangoproject.com if you think you’ve found a security issue in Django. Full security policy always accessible at https://www.djangoproject.com/security/
  • 14. S E C U R I T Y I S S U E V E R I F I C AT I O N Try out a proof-of-concept, if provided Coordinate with reporter for more info if needed Once verified, begin tracking issue (privately)
  • 15. S E C U R I T Y PAT C H I N G P R O C E S S Patches submitted in private tracker (only core team has access) Reviewed and, if needed, ported to multiple versions of Django
  • 16. S E C U R I T Y N O T I F I C AT I O N P R O C E S S Request a CVE identifier for the issue One week prior to release, send to our security notification list Pre-notification can be abbreviated for issues already public/exploited
  • 17. S E C U R I T Y R E L E A S E P R O C E S S Patches merged from private security branches to public GitHub repository Releases issued with blog post containing details of issue(s) and CVE identifier(s) Spam ALL the social media sites!
  • 18. The goals of our process are to ensure responsible reporting and disclosure of security issues.
  • 19. D J A N G O V S . T H E O WA S P T O P T E N
  • 21. Injection attacks ✅ Authentication and session management ✅ Cross-site scripting (XSS) ✅ Direct object references ✅ Misconfiguration ✅
  • 22. Sensitive data exposure ✅ Function level access control ✅ Cross-site request forgery (CSRF) ✅ Components with known vulnerabilities ✅ Unvalidated redirects and forwards ✅
  • 23. A B O V E A N D B E Y O N D
  • 24. Django tries very hard to be secure-by-default, and to offer the tools you need to harden your applications beyond the common cases.
  • 26.
  • 27. W H Y D O W E FA L L ?
  • 28. W H Y D O W E FA L L ?
  • 29. W H Y D O W E FA I L ?
  • 30. – T H E D J A N G O T E A M , C I R C A 2 0 0 7 “Parsing the Accept-Language header is expensive to do every time, let’s do it once per unique value and cache the results!”
  • 31. – T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Let’s use a one-time base36 token to do password resets!”
  • 32. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Formsets need to dynamically grow the number of forms they use!”
  • 33. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Restrictions on password length are dumb! Long passwords are better!”
  • 34. CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
  • 35.
  • 36. CVE-2007-5712 Denial-of-service via arbitrarily-large Accept-Language header CVE-2010-4535 Denial-of-service in password-reset mechanism CVE-2013-0306 Denial-of-service via formset max_num bypass CVE-2013-1443 Denial-of-service via large passwords
  • 37. P Y T H O N I S G R E AT No buffer overflows But you can still DoS yourself if you’re not careful We learned this the hard way so you shouldn’t have to
  • 38. S T O P D O S ’ I N G Y O U R S E L F Sanity-check your inputs for length before you start processing them Yes, even passwords (when appropriate)! Configure your web server to cap the length of HTTP headers and request bodies
  • 39. – T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should really check whether the URL exists before accepting the value!”
  • 40. – T H E D J A N G O T E A M , C I R C A 2 0 0 6 “URLField should accept anything that matches the format of a valid URL!”
  • 41. – T H E D J A N G O T E A M , C I R C A 2 0 0 6 “EmailField should accept anything that matches the format of a valid email address!”
  • 42. – T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Checking for corrupt image files is easy, we can just use PIL’s routines for that!”
  • 43. – T H E D J A N G O T E A M , C I R C A 2 0 1 2 “Most image formats store metadata in a header, let’s find it by only reading a few bytes at a time!”
  • 44. CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
  • 45.
  • 46. CVE-2011-4137 Denial-of-service via URLField.verify_exists CVE-2009-3965 Denial-of-service via pathological regular-expression performance CVE-2012-3443 Denial-of-service via compressed image files CVE-2012-3444 Denial-of-service via large image files
  • 47. T H E B I G O Expresses upper bound on your algorithm Also, apparently, an anime But more important is the “upper bound” bit
  • 48. – A C T U A L LY A V E RY U S E F U L Q U E S T I O N “What’s the worst that could happen?”
  • 49. N O R E A L LY, S T O P D O S ’ I N G Y O U R S E L F ! Figure out how much work your code should do Then figure out whether you can make it do more Then figure out ways to ensure it does less Some issues (compressed formats, incremental reads, pathological regex, etc.) have been around forever — read up on them!
  • 50. (?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;: ".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(? =[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)? [ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?: rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?: (?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:r n)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^ []r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)|(?:[^()<>@,;:".[] 000-031]+(?:(?: (?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)? [ t])*)*:(?:(?:rn)?[ t])*(?:(?:(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?: (?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)? [ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;: ".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:r n)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[ ["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)? [ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^ "r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?:rn)?[ t])*)(?:,s*(?:(?:[^()<>@,;:". [] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*|(?: [^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.| (?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*)*<(?:(?:rn)?[ t])*(?:@(?:[^()<>@,;:".[] 000-031]+ (?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*)(?:. (?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*(?:,@(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000- 031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*) (?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:". []]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*)*:(?:(?:rn)?[ t])*)?(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)? [ t]))*"(?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|"(?:[^"r]|.|(?:(?:rn)?[ t]))*"(?:(?:rn)?[ t])*))*@(?: (?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?:(?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))| [([^[]r]|.)*](?:(?:rn)?[ t])*)(?:.(?:(?:rn)?[ t])*(?:[^()<>@,;:".[] 000-031]+(?: (?:(?:rn)?[ t])+|Z|(?=[["()<>@,;:".[]]))|[([^[]r]|.)*](?:(?:rn)?[ t])*))*>(?:(?: rn)?[ t])*))*)?;s*)
  • 51. – T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Values of cookies we’ve set can be trusted!”
  • 52. – T H E D J A N G O T E A M , C I R C A 2 0 1 0 “Admin users can be trusted with a bit of the lookup API!”
  • 53. – T H E D J A N G O T E A M , C I R C A 2 0 1 1 “We can trust the browser same-origin sandbox!”
  • 54. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “We can trust admin users with the history log!”
  • 55. – T H E D J A N G O T E A M , C I R C A 2 0 1 3 “Once we’ve validated a value and stored it, we can trust it!”
  • 56. CVE-2010-3082 XSS via trusting unsafe cookie value CVE-2010-4534 Information leakage in administrative interface CVE-2011-0696 CSRF via forged HTTP headers CVE-2013-0305 Information leakage via admin history log NO CVE, DISCLOSED 2013-08-13 XSS via admin trusting URLField values
  • 57. – T H E D J A N G O T E A M , O V E R A N D O V E R A G A I N … “We can trust the HTTP Host header now!”
  • 58. CVE-2011-4139 Host header cache poisoning CVE-2011-4140 Potential CSRF via Host header CVE-2012-4520 Host header poisoning ADVISORY, 2012-12-10 Additional hardening of Host header handling ADVISORY, 2013-02-19 Additional hardening of Host header handling
  • 59. “I did warn you not to trust me.”
  • 60.
  • 61. T H E R E I S N O S U C H T H I N G A S “ S E C U R E ”
  • 62. W H Y D O W E FA L L ?
  • 63.
  • 64.
  • 65. Q U O T E S / I M A G E S http://www.marriedtothesea.com/index.php?date=012710 http://en.wikipedia.org/wiki/File:Selfmade_Big_O.png http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html http://highlighthollywood.com/2015/02/game-of-thrones-actor-aidan- gillen-lord-petyr-baelish-talks-season-5-sansa-and-little-finger- highlight-hollywood-news/ http://x-files.wikia.com/wiki/File:Trust_No_One_tagline.jpg http://www.slideshare.net/ChristofHammel/process-iceberg-21703547