Pony Pwning

Djangocon 2010 // Adam Baldwin

Wednesday, September 8, 2010


Hi, I’m not that Adam Baldwin.

I’m this one:


@adam_baldwin
ngenuity-is.com
evilpacket.net

I break stuff

Django = pile of awesome

Django isn’t perfect

Developers aren’t perfect

I WANT TO HELP YOU AVOID HUGE ASS MISTAKES

Captain Howdy McAssumptions, the nGenuity Mascot

INTRODUCING!
★★★★ Completely made up statistics ★★★★

60% of security failures ★★★★ project constraints!

30% of security failures ★★★★ incompetence or ignorance
See http://evilpacket.net/2010/jan/14/mifi-geopwn/

9% of security failures ★★★★ needle in the haystack
See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/
and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/

1% of security failures ★★★★ 0 days

Let’s talk about the 90%: the constraint and ignorance failures, not the zero-days.

Sad Pony Warning

cross-site scripting

The Big Five

“ double quote
‘ single quote
& ampersand
< less than
> greater than

Ways to switch Django’s autoescaping off (and let the big five through unescaped):

{% autoescape off %}

|safe filter

mark_safe( )

Context matters.

<a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a>

<a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>

Missing quotes in the second template make it possible to inject malicious code even with autoescaping on: a name such as x onmouseover=alert(1) contains none of the big five, so it passes through untouched and the browser reads onmouseover as a second attribute.

Which is bad.

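The two templates above, rendered with a plain big-five escaper and then read back the way a browser would, as an added example (not code from the talk or from Django; Python standard library only). `render_link` stands in for the template engine, the `HTMLParser` subclass for the browser, and `is_safe_href` is a hypothetical URL policy added to show why escaping alone does not make an href safe:

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# The "big five" and their entity replacements (what autoescaping does).
BIG_FIVE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;"}


def escape_big_five(value):
    """Escape the five characters autoescaping covers, nothing more."""
    return "".join(BIG_FIVE.get(ch, ch) for ch in value)


def render_link(url, name, quoted=True):
    """Stand-in for the two templates on the slide: same escaping, with or
    without quotes around the attribute values."""
    url, name = escape_big_five(url), escape_big_five(name)
    if quoted:
        return '<a href="%s" alt="%s">%s</a>' % (url, name, name)
    return "<a href=%s alt=%s>%s</a>" % (url, name, name)


class _AnchorAttrs(HTMLParser):
    """Collect the attributes a browser would see on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    parser = _AnchorAttrs()
    parser.feed(markup)
    return parser.attrs or {}


def is_safe_href(url):
    """Hypothetical href policy: absolute http(s) URLs or site-relative paths
    only. Anything with another scheme, or no leading slash, is refused."""
    parts = urlsplit(url)
    if parts.scheme in ("http", "https"):
        return True
    return parts.scheme == "" and url.startswith("/") and not url.startswith("//")


# Constructed attacker input: not one big-five character in it.
EVIL_NAME = "x onmouseover=alert(1)"
# The IE8 payload from the slide, verbatim.
IE8_HREF = ("}@import/**/data:text/css%3Bbase64,"
            "Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;")

if __name__ == "__main__":
    print(anchor_attributes(render_link("/u/1/", EVIL_NAME, quoted=True)))
    print(anchor_attributes(render_link("/u/1/", EVIL_NAME, quoted=False)))
    print(escape_big_five(IE8_HREF) == IE8_HREF, is_safe_href(IE8_HREF))
```

With quotes the whole name lands in the alt attribute; without them the browser sees an extra onmouseover attribute, and the escaper never had a chance to object. The IE8 href survives escaping unchanged for the same reason, which is why the scheme check, not the escaper, is what rejects it.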


Swingset
OWASP ESAPI Swingset by Craig Younkins
http://www.owasp.org/index.php/ESAPI_Swingset

Browser behavior

This works in IE8 without any of the “big five” and executes without user interaction.

<style /><a href="[user provided data here]">click</a>

<style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>

The parser treats <style /> as an opening tag, so what follows is read as CSS rather than markup; the base64 blob decodes to *{x:expression(alert(1))}, an IE-only CSS expression(). Escaping the five characters does nothing against this; the href needs validation of its scheme, not just escaping.



Avoid getting burned
• Consider OWASP ESAPI
• Audit templates
• Audit reusables and snippets
• Educate designers



FILE UPLOADS

Evil Avatars

Images can contain PHP.

ImageField does not care.

ImageField does not check extensions.

File uploads often are put in unprotected directories.



Avoid getting burned
• Check file extensions (an allow-list, not a block-list)
• Disable PHP (and any other script execution) in the upload directory



File upload TMI

secret_report.pdf

secret_report_1.pdf

Storing uploads under their original names leaks: when a second user uploads secret_report.pdf, the default storage resolves the name collision by saving it as secret_report_1.pdf, which tells that user a secret_report.pdf already exists.



Avoid getting burned
• Put user content behind a file API
• Obfuscate filenames of uploads

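The two upload slides above (evil avatars, and the secret_report_1.pdf leak) in one added example that is not code from the talk or from Django: a validator doing the checks ImageField skips, and a storage name that carries nothing of the user's filename. The extension allow-list, the magic-byte table, the script-marker list and the sample "images" are all constructed for the example:

```python
import os
import secrets

# Extension allow-list and the magic bytes each extension must start with
# (constructed policy; ImageField checks neither).
IMAGE_MAGIC = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

# Cheap sanity check for server-side code smuggled inside an otherwise valid
# image. Not complete; re-encoding the image with an image library is the
# stronger option, this just catches the obvious avatar.gif-with-PHP case.
SCRIPT_MARKERS = (b"<?php", b"<?=")


def validate_upload(filename, data):
    """Return (ok, reason) for an uploaded file, checking extension,
    magic bytes and embedded script markers in that order."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in IMAGE_MAGIC:
        return False, "extension not allowed"
    if not any(data.startswith(magic) for magic in IMAGE_MAGIC[ext]):
        return False, "content does not match extension"
    lowered = data.lower()
    if any(marker in lowered for marker in SCRIPT_MARKERS):
        return False, "script marker inside image"
    return True, "ok"


def storage_name(filename):
    """Random on-disk name: only the (lower-cased) extension survives from the
    user's filename, so a collision can never produce secret_report_1.pdf
    for the next uploader to notice."""
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


# Constructed samples: a minimal GIF header, the same with PHP appended,
# and a PHP file with an image extension bolted on.
CLEAN_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
GIF_WITH_PHP = CLEAN_GIF + b"<?php system($_GET['c']); ?>"
FAKE_PNG = b"<?php echo 'pwned'; ?>"

if __name__ == "__main__":
    for name, blob in (("avatar.gif", CLEAN_GIF), ("avatar.gif", GIF_WITH_PHP),
                       ("shell.php", FAKE_PNG), ("shell.php.png", FAKE_PNG)):
        print(name, validate_upload(name, blob))
    print(storage_name("secret_report.pdf"))
```

The random name only pays off if the file is served through a view that looks the name up in the database and checks the caller's authorization; a web server serving the upload directory directly still hands out anything whose name can be guessed or listed.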


Direct Object Access



General TMI

“Not Found”

vs.

“Forbidden” / “Access denied”

Answering “Forbidden” for an object that exists but isn’t the caller’s, and “Not Found” for one that doesn’t exist, lets anyone walking /object/1, /object/2, … learn which IDs are real.



Avoid getting burned
• Return consistent results (preferably “Not Found”)
• Log security violations



Doing stupid things

Privileged operations with HTTP GET

e.g. /object/delete/2

Any page the victim loads can fire that request with an <img src="..."> or a plain link, and Django’s CSRF protection never applies to GET.



Avoid getting burned
• Don’t do stupid things.
• Consider Django-Piston for REST

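One delete view that follows both of the last two slides (consistent “Not Found” with the violation logged, and no state change on GET), as an added example that is not code from the talk or from Django. The `Request` class and the in-memory `OBJECTS` table are constructed stand-ins for a Django request and a model; the view returns a `(status, body)` pair instead of an `HttpResponse`:

```python
import logging

log = logging.getLogger("audit")

# Constructed in-memory stand-in for a model table: id -> row.
OBJECTS = {
    1: {"owner": "alice", "name": "report"},
    2: {"owner": "bob", "name": "notes"},
}

# Violations seen so far (as well as the log line), so the behaviour can be
# checked without capturing log output.
VIOLATIONS = []


class Request:
    """Minimal stand-in for a Django HttpRequest: method and user only."""

    def __init__(self, method, user):
        self.method = method
        self.user = user


def delete_view(request, obj_id):
    """Delete OBJECTS[obj_id] on behalf of request.user; returns (status, body).

    Rules: state changes only on POST (never on GET, which CSRF protection
    does not cover), and the same "Not Found" whether the object is missing
    or belongs to someone else, with the second case logged as a violation.
    """
    if request.method != "POST":
        return 405, "POST required"
    obj = OBJECTS.get(obj_id)
    if obj is None:
        return 404, "Not Found"
    if obj["owner"] != request.user:
        VIOLATIONS.append((request.user, obj_id))
        log.warning("access violation: %s tried to delete object %s",
                    request.user, obj_id)
        return 404, "Not Found"
    del OBJECTS[obj_id]
    return 200, "deleted"


if __name__ == "__main__":
    print(delete_view(Request("GET", "alice"), 1))   # refused outright
    print(delete_view(Request("POST", "bob"), 1))    # bob probing alice's object
    print(delete_view(Request("POST", "bob"), 999))  # same answer for a missing id
    print(VIOLATIONS)
```

In a real Django view the same two rules are `@require_POST` from `django.views.decorators.http` for the method check, and `get_object_or_404(Model, pk=obj_id, owner=request.user)` so that "not yours" and "not there" are one query and one answer; the log line is the part you still have to add yourself.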


Click Jacking

What the hell is it?



Click jackets

/admin/ is vulnerable.

Pre-filling forms removes most user interaction: the admin add form takes initial field values from the query string, so a framed page only needs the victim to click once, and a CSRF token does not help because that click is a genuine submission by the logged-in user.



Avoid getting burned
• Set the X-Frame-Options: DENY header
• Use django-xframeoptions middleware
• Implement frame breakout code (as a backup only; the header is what the browser enforces)

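The middleware bullet above as an added example, not code from the talk, from django-xframeoptions or from Django: an old-style (`process_response`) middleware that stamps every response with `X-Frame-Options`. The `Response` class is a constructed stand-in for `HttpResponse` (header access by item syntax, as Django's does), and the `xframe_options_exempt` attribute is a hypothetical opt-out for the rare page that must be framed:

```python
class Response:
    """Stand-in for Django's HttpResponse: headers via item syntax with
    case-insensitive names (constructed for the example)."""

    def __init__(self, body=""):
        self.body = body
        self._headers = {}

    def __setitem__(self, name, value):
        self._headers[name.lower()] = (name, value)

    def __getitem__(self, name):
        return self._headers[name.lower()][1]

    def __contains__(self, name):
        return name.lower() in self._headers


class XFrameOptionsMiddleware:
    """Old-style Django middleware (process_response hook) that adds
    X-Frame-Options to every response that does not already carry one.

    A view keeps a header it set itself (e.g. SAMEORIGIN for a page that
    frames its own content) or opts out by setting the hypothetical
    ``xframe_options_exempt`` attribute on the response.
    """

    ALLOWED = ("DENY", "SAMEORIGIN")

    def __init__(self, default="DENY"):
        if default not in self.ALLOWED:
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.default = default

    def process_response(self, request, response):
        if getattr(response, "xframe_options_exempt", False):
            return response
        if "X-Frame-Options" not in response:
            response["X-Frame-Options"] = self.default
        return response


def admin_headers():
    """What a response from /admin/ looks like with the middleware installed."""
    return XFrameOptionsMiddleware().process_response(None, Response("admin"))


if __name__ == "__main__":
    print(admin_headers()["X-Frame-Options"])
```

Putting the default on the middleware rather than on each view is the point: /admin/ and every other page are covered without anyone remembering to add a header. Django later shipped the same idea as `django.middleware.clickjacking.XFrameOptionsMiddleware` (1.4) with the `X_FRAME_OPTIONS` setting.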


Abusing /admin/ :(

Wuh-oh, kids.

[ REDACTED ]



Avoid getting burned
• I HAVE NO IDEA.
• security@djangoproject.com needs to check their email ;)



I have a hard job

Your job is harder.

Questions?

@adam_baldwin // ngenuity-is.com // evilpacket.net
