Pony Pwning Djangocon 2010

Published on: Mar 4, 2016
Published in: Technology
Source: www.slideshare.net


Transcripts - Pony Pwning Djangocon 2010

  • 1. Pony Pwning Djangocon 2010 // Adam Baldwin Wednesday, September 8, 2010
  • 2. Hi, I’m not that Adam Baldwin. I’m this one: @adam_baldwin ngenuity-is.com evilpacket.net
  • 3. I break stuff
  • 4. Django = pile of awesome
  • 5. Django isn’t perfect
  • 6. Developers aren’t perfect
  • 7. I WANT TO HELP YOU AVOID HUGE ASS MISTAKES (Captain Howdy McAssumptions, the nGenuity mascot)
  • 8. INTRODUCING! Completely made up statistics
  • 9. 60% of security failures: project constraints!
  • 10. (image-only slide)
  • 11. 30% of security failures: incompetence or ignorance
  • 12. See http://evilpacket.net/2010/jan/14/mifi-geopwn/
  • 13. 9% of security failures: needle in the haystack
  • 14. See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/ and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/
  • 15. 1% of security failures: 0 days
  • 16. Let’s talk about the 90%
  • 17. Sad Pony Warning
  • 18. cross-site scripting
  • 19. The Big Five: “ double quote, ‘ single quote, & ampersand, < less than, > greater than
  • 20. Three ways to switch Django’s autoescaping off: {% autoescape off %}, the |safe filter, mark_safe( )
  • 21. Context matters. <a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a> versus <a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>. The missing quotes around the attribute values in the second link let a value such as x onmouseover=alert(1), which contains none of the big five and so passes through autoescaping untouched, add an attribute of its own. Which is bad.
  • 22. swingset: OWASP ESAPI Swingset by Craig Younkins, http://www.owasp.org/index.php/ESAPI_Swingset
  • 23. Browser behavior. This works in IE8, without the “big five”, and executes without user interaction. Template: <style /><a href="[user provided data here]">click</a>. Rendered with the payload: <style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a> (the base64 decodes to *{x:expression(alert(1))}, a CSS expression that IE8 evaluates as script).
  • 24. Avoid getting burned: • Consider OWASP ESAPI • Audit templates • Audit reusables and snippets • Educate designers
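The template audit that slide 24 asks for, as an added example (my code, not the talk’s): a stdlib-only scanner that flags the three escape-disabling constructs from slide 20 plus the unquoted-attribute pattern from slide 21, and a small check that shows why the unquoted case gets past autoescaping. The sample template, the file names and the payload are constructed for the demo; Django is not imported, and django_escape() only mirrors the set of characters Django’s escape() touches.

```python
"""Audit Django templates for the XSS footguns from slides 19-24.

Added example, not code from the talk. Stdlib only, so it runs without
Django: it flags {% autoescape off %}, the |safe filter, mark_safe() and
{{ }} interpolations sitting in an unquoted attribute, and shows why the
last one matters even with autoescaping on. The sample template and the
payload are constructed for this demo.
"""
import html
import re
from html.parser import HTMLParser

# Each pattern names one way escaping is switched off or made useless.
PATTERNS = (
    ("autoescape-off", re.compile(r"{%\s*autoescape\s+off\s*%}")),
    ("safe-filter", re.compile(r"{{[^}]*\|\s*safe\b[^}]*}}")),
    # attr={{ var }} with no quote around the value: escaping of the big
    # five cannot stop  x onmouseover=alert(1)  from adding an attribute.
    ("unquoted-attr", re.compile(r"\s[a-zA-Z-]+=\s*{{[^}]*}}")),
    ("mark-safe", re.compile(r"\bmark_safe\s*\(")),
)


def audit(filename, text):
    """Return (filename, line number, kind, snippet) for every hit."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, pattern in PATTERNS:
            for match in pattern.finditer(line):
                findings.append((filename, lineno, kind, match.group(0).strip()))
    return findings


def django_escape(value):
    """Same characters Django's escape() touches: & < > " ' become entities."""
    return html.escape(value, quote=True)


def render_link(url, name, quoted):
    """Slide 21's two templates, rendered with autoescaping on."""
    url, name = django_escape(url), django_escape(name)
    if quoted:
        return '<a href="%s" alt="%s">%s</a>' % (url, name, name)
    return '<a href=%s alt=%s>%s</a>' % (url, name, name)


class _Attrs(HTMLParser):
    def __init__(self):
        super().__init__()
        self.names = []

    def handle_starttag(self, tag, attrs):
        self.names.extend(n for n, _ in attrs)


def attribute_names(markup):
    """Attribute names a browser-like parser sees on the tags in markup."""
    parser = _Attrs()
    parser.feed(markup)
    return parser.names


# Constructed sample: one safe link, one unquoted link, two escape-offs.
SAMPLE_TEMPLATE = """\
{% autoescape off %}{{ object.description }}{% endautoescape %}
<a href="{{ object.absolute_url }}" alt="{{ object.name }}">{{ object.name }}</a>
<a href={{ object.absolute_url }} alt={{ object.name }}>{{ object.name }}</a>
<p>{{ object.bio|safe }}</p>
"""

# Constructed payload: no double quote, single quote, ampersand or angle bracket.
PAYLOAD = "x onmouseover=alert(1)"

if __name__ == "__main__":
    for finding in audit("profile.html", SAMPLE_TEMPLATE):
        print("%s:%d %s  %s" % finding)
    print(attribute_names(render_link("/p/1", PAYLOAD, quoted=True)))
    print(attribute_names(render_link("/p/1", PAYLOAD, quoted=False)))
```

Run against a real templates directory the scanner is a starting point for the "audit templates" and "audit reusables and snippets" bullets; the second half of the block is the argument for the "context matters" slide in executable form: with quotes the parser sees href and alt, without them it also sees onmouseover, and the escaping never had a character to act on.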
  • 25. FILE UPLOADS
  • 26. Evil Avatars. Images can contain PHP. ImageField does not care: it only checks that the file opens as an image, and a valid image with PHP appended still does. ImageField does not check extensions. File uploads often are put in unprotected directories that the web server will execute scripts from.
  • 27. Avoid getting burned: • Check file extensions • Disable PHP (and any other script execution) for the directory uploads are served from
  • 28. File upload TMI: secret_report.pdf, secret_report_1.pdf. The default storage resolves a name collision by appending _1, so a guessable filename tells an outsider that the file exists and that a second copy has been uploaded.
  • 29. Avoid getting burned: • Put user content behind a file API • Obfuscate filenames of uploads
  • 30. Direct Object Access
  • 31. General TMI: “Not Found” vs. “Forbidden” / “Access denied”. Answering “Forbidden” for an object that exists but belongs to someone else confirms that the id is valid, which is exactly what someone walking the id space wants to know.
  • 32. Avoid getting burned: • Return consistent results (preferably “Not Found”) • Log security violations
  • 33. Doing stupid things: privileged operations with HTTP GET, eg /object/delete/2. Django’s CSRF protection deliberately leaves GET alone, so anything that makes a logged-in browser fetch that URL (an <img src>, a link, a prefetching proxy) performs the delete.
  • 34. Avoid getting burned: • Don’t do stupid things. • Consider Django-Piston for REST
  • 35. Click Jacking: What the hell is it?
  • 36. Click jackets: /admin/ is vulnerable. Pre-filling forms (the admin’s add views take initial values from the query string) removes most user interaction; the victim only has to click once.
  • 37. Avoid getting burned: • Set the X-Frame-Options: DENY header • Use django-xframeoptions middleware • Implement frame breakout code
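Slides 31 to 37 together, as an added example that is not code from the talk: a bare WSGI app standing in for Django views, so it runs with the stdlib alone. It refuses a GET to /object/delete/<id>, answers 404 both for a missing object and for one owned by somebody else while logging the second case, and wraps everything in middleware that sets X-Frame-Options: DENY (Django 1.4 later shipped this as django.middleware.clickjacking.XFrameOptionsMiddleware). The object table, the X-User header standing in for the session user and the call() test client are constructed for the demo.

```python
"""Direct object access, state-changing GETs and clickjacking (slides 30-37).

Added example, not code from the talk. A bare WSGI app stands in for
Django views so it runs with the stdlib alone; the same rules carry over
to a view: require POST for anything privileged, answer 404 both when
the object does not exist and when it is not the caller's, log the
second case, and put X-Frame-Options: DENY on every response. The object
table and the X-User header that stands in for the session are constructed.
"""
import logging
from io import BytesIO
from wsgiref.util import setup_testing_defaults

log = logging.getLogger("security")

OBJECTS = {1: "alice", 2: "bob"}  # constructed: object id -> owner


def delete_view(environ, start_response, user, obj_id):
    """Delete object obj_id, but only for its owner and only via POST."""
    if environ["REQUEST_METHOD"] != "POST":
        # Slide 33: a GET that deletes can be fired by an <img src>, a link
        # in an e-mail, or a prefetching proxy. Refuse the method outright.
        start_response("405 Method Not Allowed", [("Allow", "POST")])
        return [b""]
    owner = OBJECTS.get(obj_id)
    if owner != user:
        # Slides 31-32: identical answer for "does not exist" and "not yours",
        # so valid ids cannot be enumerated; log the second case.
        if owner is not None:
            log.warning("user=%s tried to delete object %d owned by %s",
                        user, obj_id, owner)
        start_response("404 Not Found", [])
        return [b""]
    del OBJECTS[obj_id]
    start_response("200 OK", [])
    return [b"deleted"]


def app(environ, start_response):
    """Route /object/delete/<id>; the X-User header stands in for request.user."""
    user = environ.get("HTTP_X_USER", "")
    parts = environ["PATH_INFO"].strip("/").split("/")
    if len(parts) == 3 and parts[:2] == ["object", "delete"] and parts[2].isdigit():
        return delete_view(environ, start_response, user, int(parts[2]))
    start_response("404 Not Found", [])
    return [b""]


def xframe_deny(inner):
    """Slide 37: X-Frame-Options: DENY on every response, error pages
    included, so nothing in the app can be framed and click-jacked."""
    def wrapped(environ, start_response):
        def start(status, headers, exc_info=None):
            headers = [h for h in headers if h[0].lower() != "x-frame-options"]
            headers.append(("X-Frame-Options", "DENY"))
            return start_response(status, headers, exc_info)
        return inner(environ, start)
    return wrapped


def call(application, method, path, user=""):
    """Tiny test client: (status, headers dict, body) for one request."""
    environ = {"REQUEST_METHOD": method, "PATH_INFO": path,
               "wsgi.input": BytesIO(b"")}
    if user:
        environ["HTTP_X_USER"] = user
    setup_testing_defaults(environ)
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    body = b"".join(application(environ, start_response))
    return captured["status"], captured["headers"], body


protected = xframe_deny(app)

if __name__ == "__main__":
    print(call(protected, "GET", "/object/delete/2", user="bob")[:2])
    print(call(protected, "POST", "/object/delete/1", user="bob")[0])
    print(call(protected, "POST", "/object/delete/2", user="bob")[0])
```

Note the two 404s: bob asking for object 1 (alice’s) and for object 999 (nobody’s) get byte-identical responses, and only the first one lands in the security log. The frame-denying wrapper runs outside the routing, so the 404 and 405 pages get the header too; a middleware that only decorated successful responses would leave the error pages frameable.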
  • 38. Abusing /admin/ :(
  • 39. Wuh-oh, kids. [ REDACTED ]
  • 40. Avoid getting burned: • I HAVE NO IDEA. • security@djangoproject.com needs to check their email ;)
  • 41. (image-only slide)
  • 42. I have a hard job
  • 43. Your job is harder.
  • 44. Questions? @adam_baldwin // ngenuity-is.com // evilpacket.net
