Pony Pwning Djangocon 2010
Page 1
Pony Pwning
Djangocon 2010 // Adam Baldwin
Wednesday, September 8, 2010
Page 2
Hi, I’m not that Adam Baldwin.
I’m this one:
@adam_baldwin
ngenuity-is.com
evilpacket.net
Page 3
I break stuff
Page 4
Django = pile of awesome
Page 5
Django isn’t perfect
Page 6
Developers aren’t perfect
Page 7
I WANT TO HELP YOU
AVOID HUGE ASS MISTAKES
Captain Howdy McAssumptions, the nGenuity Mascot
Page 8
INTRODUCING!
Completely made up statistics
Page 9
60% of security failures: project constraints!
Page 10
Page 11
30% of security failures: incompetence or ignorance
Page 12
See http://evilpacket.net/2010/jan/14/mifi-geopwn/
Page 13
9% of security failures: needle in the haystack
Page 14
See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/ and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/
Page 15
1% of security failures: 0-days
Page 16
Let’s talk about the 90%
Page 17
Sad Pony Warning
Page 18
cross-site scripting
Page 19
The Big Five:
double quote, single quote, ampersand, less than, greater than
" ' & < >
Page 20
{% autoescape off %}
|safe filter
mark_safe( )
Page 21
Context matters.
<a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a>
<a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>
Missing quotes around the attribute values in the second version make it possible to inject malicious code.
Which is bad.
Page 22
OWASP ESAPI Swingset by Craig Younkins
http://www.owasp.org/index.php/ESAPI_Swingset
Page 23
Browser behavior
<style /><a href="[user provided data here]">click</a>
This works in IE8 without any of the “big five” and executes without user interaction.
<style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
Page 24
Avoid getting burned
• Consider OWASP ESAPI
• Audit templates
• Audit reusables and snippets
• Educate designers
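As an added example (not code from the talk), a small audit script for the escape bypasses listed on pages 20 and 21 and the "Audit templates" advice above: it flags `{% autoescape off %}`, the `|safe` filter, `mark_safe()` calls in Python code, and a `{{ }}` variable placed in an unquoted attribute, the case the second `<a>` tag on page 21 shows. The regexes and the sample inputs are constructed for this example, not something Django ships.

```python
import re

# Regexes are an assumption of this example, not a Django facility.
AUTOESCAPE_OFF = re.compile(r"{%\s*autoescape\s+off\s*%}")
SAFE_FILTER = re.compile(r"{{[^}]*\|\s*safe\b[^}]*}}")
# attr="{{ x }}" is fine; attr={{ x }} leaves the attribute context open,
# so a value containing a space can add attributes even though the big
# five characters are escaped.
UNQUOTED_ATTR = re.compile(r"\s[\w:-]+=\s*{{")
MARK_SAFE = re.compile(r"\bmark_safe\s*\(")


def audit_template(source: str):
    """Return (line_number, kind, text) findings for one template."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in (("autoescape-off", AUTOESCAPE_OFF),
                              ("safe-filter", SAFE_FILTER),
                              ("unquoted-attribute", UNQUOTED_ATTR)):
            if pattern.search(line):
                findings.append((lineno, kind, line.strip()))
    return findings


def audit_python(source: str):
    """mark_safe() lives in views and template tags, not in templates."""
    return [(lineno, "mark_safe", line.strip())
            for lineno, line in enumerate(source.splitlines(), start=1)
            if MARK_SAFE.search(line)]


# Constructed sample: the two <a> tags from page 21 plus the two template
# bypasses from page 20.
TEMPLATE_SAMPLE = """\
<a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a>
<a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>
{% autoescape off %}{{ object.bio }}{% endautoescape %}
<p>{{ object.bio|safe }}</p>
"""
PYTHON_SAMPLE = """\
from django.utils.safestring import mark_safe
html = mark_safe("<b>%s</b>" % user.name)  # constructed, unsafe
"""

if __name__ == "__main__":
    for finding in audit_template(TEMPLATE_SAMPLE) + audit_python(PYTHON_SAMPLE):
        print("line %d: %s: %s" % finding)
```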
Page 25
FILE UPLOADS
Page 26
Evil Avatars
Images can contain PHP.
ImageField does not care.
ImageField does not check extensions.
File uploads are often put in unprotected directories.
Page 27
Avoid getting burned
• Check file extensions
• Disable PHP
Page 28
File upload TMI
secret_report.pdf
secret_report_1.pdf
Page 29
Avoid getting burned
• Put user content behind a file API
• Obfuscate filenames of uploads
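An added example (not the talk's code) of the two upload rules above, "Check file extensions" and "Obfuscate filenames of uploads", together with page 26's point that ImageField does not check extensions: the extension must be on an allowlist and agree with the file's magic bytes, and the stored name is random. It is plain Python intended to be called from a form's clean method, where the content is available; the allowlist, helper names and sample inputs are assumptions of the example.

```python
import os
import uuid

# Extensions this example accepts and the magic bytes each must start
# with. The table is an assumption of this example. ImageField checks that
# the bytes decode as an image; it does not check that the extension
# agrees, so avatar.php holding a valid GIF would otherwise be stored
# under a name the web server may hand to PHP.
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".gif": (b"GIF87a", b"GIF89a"),
}


class RejectedUpload(ValueError):
    pass


def safe_upload_name(original_name: str, head: bytes, subdir: str = "avatars") -> str:
    """Validate an upload and return an obfuscated path to store it under.

    original_name: the client's filename (untrusted)
    head: the first bytes of the content, read from the upload stream
    """
    ext = os.path.splitext(os.path.basename(original_name))[1].lower()
    if ext not in ALLOWED:
        raise RejectedUpload("extension not allowed: %r" % ext)
    if not any(head.startswith(magic) for magic in ALLOWED[ext]):
        raise RejectedUpload("content does not match extension %s" % ext)
    # The client's name never reaches the filesystem: a random name cannot
    # be guessed, shell.php.jpg loses its inner extension, and there is
    # no secret_report_1.pdf collision suffix to reveal what else exists.
    return "%s/%s%s" % (subdir, uuid.uuid4().hex, ext)


def is_accepted(original_name: str, head: bytes) -> bool:
    """Convenience wrapper for checks that only need a yes/no answer."""
    try:
        safe_upload_name(original_name, head)
    except RejectedUpload:
        return False
    return True
```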
Page 30
Direct Object Access
Page 31
General TMI
“Not Found” vs. “Forbidden” / “Access denied”
Page 32
Avoid getting burned
• Return consistent results (preferably “Not Found”)
• Log security violations
Page 33
Doing stupid things
Privileged operations with HTTP GET
e.g. /object/delete/2
Page 34
Avoid getting burned
• Don’t do stupid things.
• Consider Django-Piston for REST
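An added example (not from the talk) that puts the advice of pages 32 and 34 into one handler: the privileged delete at /object/delete/2 refuses GET, answers "Not Found" both for a missing object and for an object the user does not own, and logs the access violation. It is framework-free Python standing in for a Django view; the in-memory object table and the log handler are constructed for the example.

```python
import logging
from typing import Dict, List, Tuple

# Constructed in-memory data: object id -> owning username.
OBJECTS: Dict[int, str] = {1: "alice", 2: "bob"}


class SecurityLog(logging.Handler):
    """Keeps the security records in memory so they can be inspected."""

    def __init__(self) -> None:
        super().__init__()
        self.records: List[str] = []

    def emit(self, record: logging.LogRecord) -> None:
        self.records.append(self.format(record))


security_log = SecurityLog()
logger = logging.getLogger("security")
logger.setLevel(logging.WARNING)
logger.addHandler(security_log)
logger.propagate = False


def delete_object(method: str, user: str, obj_id: int,
                  objects: Dict[int, str] = OBJECTS) -> Tuple[int, str]:
    """Handler for /object/delete/<id>, returning (status, body)."""
    # A privileged operation never runs on GET: a link, an <img src>
    # or a prefetch must not be enough to trigger it.
    if method != "POST":
        return 405, "Method Not Allowed"
    owner = objects.get(obj_id)
    if owner is None:
        return 404, "Not Found"
    if owner != user:
        # Same response as for a missing object, so the caller cannot
        # tell which ids exist, but the violation is recorded.
        logger.warning("user=%s attempted delete of object %d owned by %s",
                       user, obj_id, owner)
        return 404, "Not Found"
    del objects[obj_id]
    return 200, "Deleted"
```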
Page 35
ClickJacking
What the hell is it?
Page 36
Click jackets
/admin/ is vulnerable.
Pre-filling forms removes most user interaction.
Page 37
Avoid getting burned
• Set the X-Frame-Options: DENY header
• Use django-xframeoptions middleware
• Implement frame breakout code
Page 38
Abusing /admin/
:(
Page 39
Wuh-oh, kids.
[ REDACTED ]
Page 40
Avoid getting burned
• I HAVE NO IDEA.
• [email protected] needs to check their email ;)
Page 41
Page 42
I have a hard job
Page 43
Your job is harder.
Page 44
Questions?
@adam_baldwin // ngenuity-is.com // evilpacket.net