Practical Django Security
TRANSCRIPT
Practical Django Security
Andy Dai
Software Security is HARD!
Quick Investigation
OWASP TOP 10 2013
10. Unvalidated Redirects and Forwards
http://www.example.com/redirect.jsp?url=evil.com
SOLUTION: Be careful!
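"Be careful" in practice means never trusting the redirect target parameter. The following is an added example (not from the talk or from Django itself) that applies the same rules Django's url_has_allowed_host_and_scheme() applies: relative paths are fine, absolute URLs must name one of our own hosts, and scheme-relative, scheme-without-host and backslash spellings are rejected. The host allowlist is constructed for the example.

```python
from urllib.parse import urlparse

# Hosts this site is willing to send users to (constructed for the example;
# in Django this is what ALLOWED_HOSTS / request.get_host() would supply).
ALLOWED_REDIRECT_HOSTS = {"www.example.com", "example.com"}


def _allowed(url, allowed_hosts, require_https):
    if url.startswith("///"):
        return False
    parts = urlparse(url)
    # A scheme with an empty host (http:///evil.com, javascript:alert(1))
    # is either a parser trick or not a navigation target at all.
    if parts.scheme and not parts.netloc:
        return False
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if require_https and parts.scheme == "http":
        return False
    # Scheme-relative //evil.com has a netloc but no scheme; absolute URLs
    # have both. Either way the host must be ours (hosts with a port must be
    # listed with that port, as Django also requires).
    return not parts.netloc or parts.netloc in allowed_hosts


def is_safe_redirect(url, allowed_hosts=ALLOWED_REDIRECT_HOSTS, require_https=False):
    """True only if `url` keeps the user on one of our own hosts."""
    if not url:
        return False
    url = url.strip()
    # Browsers treat backslashes as slashes, so judge both spellings.
    return (_allowed(url, allowed_hosts, require_https)
            and _allowed(url.replace("\\", "/"), allowed_hosts, require_https))


def redirect_target(url, fallback="/"):
    """What a view should redirect to: the requested URL if safe, else a fixed fallback."""
    return url if is_safe_redirect(url) else fallback
```

In a view this replaces `return redirect(request.GET["next"])` with `return redirect(redirect_target(request.GET.get("next")))`; Django's own helper should be preferred where it is available, this is only showing what it checks.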
9. Using Components with Known Vulnerabilities
SOLUTION: Check often and Upgrade often
8. Cross Site Request Forgery
SOLUTION: CSRF token & CAPTCHA
7. Missing Function Level Access Control
SOLUTION: Control your access
Django Provides
• @login_required
• Access Mixins in django-braces
6. Sensitive Data Exposure
Forget your password
NO SSL
SOLUTION: SSL & Encrypt all sensitive data
django-encrypted-fields
5. Security Misconfiguration
• Use default username/password
• Directory listing
• Debug Mode
4. Insecure Direct Object References
http://example.com/app/accountInfo?acct=notmyacct
SOLUTION: Access Control
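The access-control fix for the acct=notmyacct case is to scope every object lookup to the requesting user instead of trusting the id. Added example, not from the talk; it uses an in-memory dict constructed to stand in for a database table, and the Django equivalent is `Account.objects.get(pk=acct, owner=request.user)` or `get_object_or_404(Account, pk=acct, owner=request.user)`.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    id: int
    owner: str
    balance: int


# Constructed in-memory data standing in for the accounts table.
ACCOUNTS = {
    1: Account(id=1, owner="alice", balance=500),
    2: Account(id=2, owner="bob", balance=120),
}


class PermissionDenied(Exception):
    """Raised when the caller may not see the requested object."""


def account_info_insecure(acct):
    # The pattern behind the slide: the id from the URL is used as-is, so
    # anyone who is logged in can read any account by changing the number.
    return ACCOUNTS[acct]


def account_info(user, acct):
    """Direct object reference checked against ownership.

    Missing and not-owned accounts get the same answer, so the endpoint does
    not reveal which ids exist.
    """
    account = ACCOUNTS.get(acct)
    if account is None or account.owner != user:
        raise PermissionDenied("account %r is not visible to %s" % (acct, user))
    return account


def account_balance_view(user, acct):
    """What a view returns: the balance for the caller's own account, 403 otherwise."""
    try:
        return {"status": 200, "balance": account_info(user, acct).balance}
    except PermissionDenied:
        return {"status": 403}
```

Combine this with @login_required so `user` is always an authenticated principal; the ownership check is what @login_required alone does not give you.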
3. Cross-Site Scripting(XSS)
SOLUTION: Check user input. Escape!
Django Template will do this for you
2. Broken Authentication and Session Management
http://example.com/sale/saleitems;jsessionid=2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii
1. Injection
SOLUTION
• Don’t Use SQL directly
• Check user input
• Turn off debug mode
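"Don't use SQL directly" is really "never build SQL by pasting user input into the string". Added example, not from the talk: the two lookups below run against a constructed in-memory SQLite table and differ only in whether the username is formatted into the query or bound as a parameter, which is the same distinction between string formatting and the `params` argument of Django's `cursor.execute()` and `Model.objects.raw()`; the ORM's `filter(username=...)` binds for you.

```python
import sqlite3


def make_db():
    """Constructed in-memory table standing in for the application database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn


def find_users_unsafe(username, conn=None):
    # Data is pasted into the code, so the driver cannot tell where the query
    # ends and the user's text begins; a quote in the input rewrites the WHERE clause.
    conn = conn or make_db()
    sql = "SELECT username FROM users WHERE username = '%s' ORDER BY username" % username
    return [row[0] for row in conn.execute(sql)]


def find_users_safe(username, conn=None):
    # Placeholder + bound parameter: the value travels separately from the SQL
    # text and is only ever compared as data, whatever characters it contains.
    conn = conn or make_db()
    sql = "SELECT username FROM users WHERE username = ? ORDER BY username"
    return [row[0] for row in conn.execute(sql, (username,))]
```

Debug mode matters here as well: with DEBUG on, the error page for a malformed query prints the full SQL and the traceback, which is exactly the information an attacker needs to refine the input.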
Software Security is HARD!
Other Rules
Don’t mix up data and code
What is code? What is data?
Explicit is better than implicit
from django.forms import ModelForm

# Explicit: the form exposes exactly these fields and nothing else
class ArticleForm(ModelForm):
    class Meta:
        model = Article
        fields = ['pub_date', 'headline', 'content']

vs.

# Implicit: the form exposes every field the model has now or gains later, minus this list
class ArticleForm(ModelForm):
    class Meta:
        model = Article
        exclude = ['id']
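Why the explicit form is the safer one only shows when the model changes. Added example, not from the talk: a small simulation of how a ModelForm decides which submitted values reach the instance, run against the Article field list before and after a hypothetical release that adds an is_published flag (both field lists and the submitted data are constructed).

```python
# Field lists of the Article model at two points in its life (constructed;
# the release that added is_published is hypothetical).
ARTICLE_FIELDS_V1 = ("id", "pub_date", "headline", "content")
ARTICLE_FIELDS_V2 = ARTICLE_FIELDS_V1 + ("is_published",)


def editable_fields_explicit(model_fields, fields):
    """Meta.fields style: only the named fields are ever bound from a request,
    and naming a field the model lacks is an error rather than a silent no-op."""
    unknown = [f for f in fields if f not in model_fields]
    if unknown:
        raise ValueError("unknown fields: %s" % ", ".join(unknown))
    return tuple(fields)


def editable_fields_by_exclusion(model_fields, exclude):
    """Meta.exclude style: everything the model has, minus a denylist."""
    return tuple(f for f in model_fields if f not in exclude)


def apply_submission(instance, editable, post):
    """Copy submitted values onto the instance for editable fields only,
    which is what binding and saving a ModelForm amounts to."""
    updated = dict(instance)
    for name in editable:
        if name in post:
            updated[name] = post[name]
    return updated


def demo():
    """Same submission, both form styles, after the model gained is_published."""
    article = {"id": 1, "pub_date": "2014-01-01", "headline": "Old",
               "content": "...", "is_published": False}
    # Constructed submission that includes a field the form was never meant to offer.
    post = {"headline": "New", "is_published": True}
    explicit = editable_fields_explicit(ARTICLE_FIELDS_V2, ["pub_date", "headline", "content"])
    by_exclusion = editable_fields_by_exclusion(ARTICLE_FIELDS_V2, ["id"])
    return {
        "explicit": apply_submission(article, explicit, post),
        "by_exclusion": apply_submission(article, by_exclusion, post),
    }
```

With `fields`, the new flag stays untouched until someone deliberately adds it to the form; with `exclude`, the day the migration lands every existing edit form silently lets the client set it.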
Don’t reinvent the wheel
Look to assert what is supposed to happen in
your application
Software Security is IMPORTANT!!
Q&A