the net is dark and full of terrors - james bennett
TRANSCRIPT
![Page 1: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/1.jpg)
T H E N E T I S D A R K A N D F U L L O F T E R R O R S
J A M E S B E N N E T T · D J A N G O C O N E U R O P E · 3 R D J U N E 2 0 1 5
![Page 2: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/2.jpg)
W H O I A M
Working with Django 9 years, 5 at Lawrence Journal-World
Commit bit since 2007
Involved in Django’s release and security process ~8 years
![Page 3: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/3.jpg)
W H AT T H I S I S
History of Django and security
How Django tries to protect you
Some ways we’ve screwed up and what you can learn from that
![Page 4: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/4.jpg)
S E C U R I T Y I S H A R D
![Page 5: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/5.jpg)
I N T H E B E G I N N I N G …
![Page 6: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/6.jpg)
D J A N G O ’ S F I R S T V U L N E R A B I L I T Y
1 6 T H A U G U S T 2 0 0 6 C V E - 2 0 0 7 - 0 4 0 4
![Page 7: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/7.jpg)
N I N E Y E A R S A N D 4 8 M O R E S E C U R I T Y I S S U E S L AT E R …
![Page 8: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/8.jpg)
D J A N G O ’ S L AT E S T V U L N E R A B I L I T Y
2 0 T H M A Y 2 0 1 5 C V E - 2 0 1 5 - 3 9 8 2
![Page 9: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/9.jpg)
Security issues are archived in the documentation: https://docs.djangoproject.com/en/dev/
releases/security/
![Page 10: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/10.jpg)
2 0 0 7 · P R E - 1 . 0
I N F O R M A L S E C U R I T Y P R O C E S S2 0 0 8 · D J A N G O 1 . 0
T E M P L AT E A U T O E S C A P I N G2 0 1 0 · D J A N G O 1 . 2
M O D E R N C S R F P R O T E C T I O N2 0 1 2 · D J A N G O 1 . 4
H A S H I N G , C R Y P T O , S I G N E D C O O K I E S , C L I C K J A C K I N G , S E N S I T I V E E R R O R S , F O R M A L S E C U R I T Y P R O C E S S
![Page 11: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/11.jpg)
2 0 1 3 · D J A N G O 1 . 5 · D J A N G O 1 . 6
H O S T H E A D E R H A R D E N I N G , I N C R E A S E D H A S H I T E R AT I O N S , H A S H T R U N C AT I O N2 0 1 4 · D J A N G O 1 . 7
S Y S T E M C H E C K F R A M E W O R K2 0 1 5 · D J A N G O 1 . 8
S E C U R I T Y M I D D L E W A R E , D E P L O Y M E N T C H E C K
![Page 12: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/12.jpg)
D J A N G O ’ S S E C U R I T Y P R O C E S S
![Page 13: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/13.jpg)
TL;DR: email [email protected] if you think you’ve found a security issue in Django.
Full security policy always accessible at https://www.djangoproject.com/security/
![Page 14: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/14.jpg)
S E C U R I T Y I S S U E V E R I F I C AT I O N
Try out a proof-of-concept, if provided
Coordinate with reporter for more info if needed
Once verified, begin tracking issue (privately)
![Page 15: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/15.jpg)
S E C U R I T Y PAT C H I N G P R O C E S S
Patches submitted in private tracker (only core team has access)
Reviewed and, if needed, ported to multiple versions of Django
![Page 16: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/16.jpg)
S E C U R I T Y N O T I F I C AT I O N P R O C E S S
Request a CVE identifier for the issue
One week prior to release, send to our security notification list
Pre-notification can be abbreviated for issues already public/exploited
![Page 17: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/17.jpg)
S E C U R I T Y R E L E A S E P R O C E S S
Patches merged from private security branches to public GitHub repository
Releases issued with blog post containing details of issue(s) and CVE identifier(s)
Spam ALL the social media sites!
![Page 18: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/18.jpg)
The goals of our process are to ensure responsible reporting and disclosure of security issues.
![Page 19: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/19.jpg)
D J A N G O V S . T H E O W A S P T O P T E N
![Page 20: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/20.jpg)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
![Page 21: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/21.jpg)
Injection attacks ✅
Authentication and session management ✅
Cross-site scripting (XSS) ✅
Direct object references ✅
Misconfiguration ✅
![Page 22: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/22.jpg)
Sensitive data exposure ✅
Function level access control ✅
Cross-site request forgery (CSRF) ✅
Components with known vulnerabilities ✅
Unvalidated redirects and forwards ✅
![Page 23: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/23.jpg)
A B O V E A N D B E Y O N D
![Page 24: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/24.jpg)
Django tries very hard to be secure-by-default, and to offer the tools you need to harden your applications beyond the common cases.
![Page 25: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/25.jpg)
However…
![Page 26: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/26.jpg)
![Page 27: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/27.jpg)
W H Y D O W E FA L L ?
![Page 28: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/28.jpg)
W H Y D O W E FA L L ?
![Page 29: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/29.jpg)
W H Y D O W E FA I L ?
![Page 30: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/30.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 0 7
“Parsing the Accept-Language header is expensive to do every time, let’s do it once per
unique value and cache the results!”
![Page 31: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/31.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 0
“Let’s use a one-time base36 token to do password resets!”
![Page 32: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/32.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 3
“Formsets need to dynamically grow the number of forms they use!”
![Page 33: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/33.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 3
“Restrictions on password length are dumb! Long passwords are better!”
![Page 34: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/34.jpg)
CVE-2007-5712
Denial-of-service via arbitrarily-large Accept-Language header
CVE-2010-4535
Denial-of-service in password-reset mechanism
CVE-2013-0306
Denial-of-service via formset max_num bypass
CVE-2013-1443
Denial-of-service via large passwords
![Page 35: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/35.jpg)
![Page 36: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/36.jpg)
CVE-2007-5712
Denial-of-service via arbitrarily-large Accept-Language header
CVE-2010-4535
Denial-of-service in password-reset mechanism
CVE-2013-0306
Denial-of-service via formset max_num bypass
CVE-2013-1443
Denial-of-service via large passwords
![Page 37: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/37.jpg)
P Y T H O N I S G R E AT
No buffer overflows
But you can still DoS yourself if you’re not careful
We learned this the hard way so you shouldn’t have to
![Page 38: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/38.jpg)
S T O P D O S ’ I N G Y O U R S E L F
Sanity-check your inputs for length before you start processing them
Yes, even passwords (when appropriate)!
Configure your web server to cap the length of HTTP headers and request bodies
![Page 39: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/39.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 0 6
“URLField should really check whether the URL exists before accepting the value!”
![Page 40: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/40.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 0 6
“URLField should accept anything that matches the format of a valid URL!”
![Page 41: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/41.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 0 6
“EmailField should accept anything that matches the format of a valid email address!”
![Page 42: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/42.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 2
“Checking for corrupt image files is easy, we can just use PIL’s routines for that!”
![Page 43: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/43.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 2
“Most image formats store metadata in a header, let’s find it by only reading a few bytes at a time!”
![Page 44: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/44.jpg)
CVE-2011-4137
Denial-of-service via URLField.verify_exists
CVE-2009-3965
Denial-of-service via pathological regular-expression performance
CVE-2012-3443
Denial-of-service via compressed image files
CVE-2012-3444
Denial-of-service via large image files
![Page 45: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/45.jpg)
![Page 46: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/46.jpg)
CVE-2011-4137
Denial-of-service via URLField.verify_exists
CVE-2009-3965
Denial-of-service via pathological regular-expression performance
CVE-2012-3443
Denial-of-service via compressed image files
CVE-2012-3444
Denial-of-service via large image files
![Page 47: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/47.jpg)
T H E B I G O
Expresses upper bound on your algorithm
Also, apparently, an anime
But more important is the “upper bound” bit
![Page 48: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/48.jpg)
– A C T U A L LY A V E R Y U S E F U L Q U E S T I O N
“What’s the worst that could happen?”
![Page 49: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/49.jpg)
N O R E A L LY, S T O P D O S ’ I N G Y O U R S E L F !
Figure out how much work your code should do
Then figure out whether you can make it do more
Then figure out ways to ensure it does less
Some issues (compressed formats, incremental reads, pathological regex, etc.) have been around forever — read up on them!
![Page 50: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/50.jpg)
(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*:(?:(?:\r\n)?[ \t])*(?:(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*)(?:,\s*(?:(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*|(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)*\<(?:(?:\r\n)?[ \t])*(?:@(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*(?:,@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*)*:(?:(?:\r\n)?[ \t])*)?(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|"(?:[^\"\r\\]|\\.|(?:(?:\r\n)?[ \t]))*"(?:(?:\r\n)?[ \t])*))*@(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*)(?:\.(?:(?:\r\n)?[ \t])*(?:[^()<>@,;:\\".\[\] \000-\031]+(?:(?:(?:\r\n)?[ \t])+|\Z|(?=[\["()<>@,;:\\".\[\]]))|\[([^\[\]\r\\]|\\.)*\](?:(?:\r\n)?[ \t])*))*\>(?:(?:\r\n)?[ \t])*))*)?;\s*)
![Page 51: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/51.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 0
“Values of cookies we’ve set can be trusted!”
![Page 52: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/52.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 0
“Admin users can be trusted with a bit of the lookup API!”
![Page 53: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/53.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 1
“We can trust the browser same-origin sandbox!”
![Page 54: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/54.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 3
“We can trust admin users with the history log!”
![Page 55: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/55.jpg)
– T H E D J A N G O T E A M , C I R C A 2 0 1 3
“Once we’ve validated a value and stored it, we can trust it!”
![Page 56: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/56.jpg)
CVE-2010-3082
XSS via trusting unsafe cookie value
CVE-2010-4534
Information leakage in administrative interface
CVE-2011-0696
CSRF via forged HTTP headers
CVE-2013-0305
Information leakage via admin history log
NO CVE, DISCLOSED 2013-08-13
XSS via admin trusting URLField values
![Page 57: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/57.jpg)
– T H E D J A N G O T E A M , O V E R A N D O V E R A G A I N …
“We can trust the HTTP Host header now!”
![Page 58: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/58.jpg)
CVE-2011-4139
Host header cache poisoning
CVE-2011-4140
Potential CSRF via Host header
CVE-2012-4520
Host header poisoning
ADVISORY, 2012-12-10
Additional hardening of Host header handling
ADVISORY, 2013-02-19
Additional hardening of Host header handling
![Page 59: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/59.jpg)
“I did warn you not to trust me.”
![Page 60: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/60.jpg)
![Page 61: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/61.jpg)
T H E R E I S N O S U C H T H I N G A S “ S E C U R E ”
![Page 62: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/62.jpg)
W H Y D O W E FA L L ?
![Page 63: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/63.jpg)
![Page 64: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/64.jpg)
❓
![Page 65: The net is dark and full of terrors - James Bennett](https://reader034.vdocument.in/reader034/viewer/2022042618/589ceada1a28abf86d8b6f65/html5/thumbnails/65.jpg)
Q U O T E S / I M A G E S
http://www.marriedtothesea.com/index.php?date=012710
http://en.wikipedia.org/wiki/File:Selfmade_Big_O.png
http://www.ex-parrot.com/pdw/Mail-RFC822-Address.html
http://highlighthollywood.com/2015/02/game-of-thrones-actor-aidan-gillen-lord-petyr-baelish-talks-season-5-sansa-and-little-finger-highlight-hollywood-news/
http://x-files.wikia.com/wiki/File:Trust_No_One_tagline.jpg
http://www.slideshare.net/ChristofHammel/process-iceberg-21703547