SlideShare une entreprise Scribd logo

Case Study of Django: Web Frameworks that are Secure by Default

Télécharger en tant que PPTX, PDF
Mohammed ALDOUB
Mohammed ALDOUB

A case study of security features inside the popular python-based web framework, Django. Made by Mohammed ALDOUB (@Voulnet)

Technologie
1  sur  34
A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
• Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
• Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
• Django is used by many popular websites/services:
Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!

Recommandé

Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for JavaSébastien GIORIA
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 

Recommandé

Secrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamSecrets of Google VRP by: Krzysztof Kotowicz, Google Security Team
Secrets of Google VRP by: Krzysztof Kotowicz, Google Security TeamOWASP Delhi
 
OWASP Secure Coding
OWASP Secure CodingOWASP Secure Coding
OWASP Secure Codingbilcorry
 
Secure Coding for Java
Secure Coding for JavaSecure Coding for Java
Secure Coding for JavaSébastien GIORIA
 
HTTP HOST header attacks
HTTP HOST header attacksHTTP HOST header attacks
HTTP HOST header attacksDefconRussia
 
Http security response headers
Http security response headers Http security response headers
Http security response headers mohammadhosseinrouha
 
Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Secure coding presentation Oct 3 2020
Secure coding presentation Oct 3 2020Moataz Kamel
 
Pentesting ReST API
Pentesting ReST APIPentesting ReST API
Pentesting ReST APINutan Kumar Panda
 
Pentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarPentesting Rest API's by :- Gaurang Bhatnagar
Pentesting Rest API's by :- Gaurang BhatnagarOWASP Delhi
 
Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web ApplicationPrecise Testing Solution
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP CodingNarudom Roongsiriwong, CISSP
 
Ethical hacking Presentation
Ethical hacking PresentationEthical hacking Presentation
Ethical hacking PresentationAmbikaMalgatti
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internalsMiroslav Stampar
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacksharshal kshatriya
 
SQL Injection
SQL Injection SQL Injection
SQL Injection Adhoura Academy
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache PoisoningKuldeepPandya5
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practicesMohammed Danish Amber
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case StudiesLeo TechnoSoft
 

Contenu connexe

Tendances

Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Codemotion
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Sam Bowne
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionMikhail Egorov
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and AwarenessAbdul Rahman Sherzad
 
Ethical hacking Presentation
Ethical hacking PresentationEthical hacking Presentation
Ethical hacking PresentationAmbikaMalgatti
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Hossam .M Hamed
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySandip Chaudhari
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scriptingkinish kumar
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Amit Tyagi
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing TechniquesAvinash Thapa
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksRaghav Bisht
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2Scott Sutherland
 

Tendances (20)

Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...Secure Coding principles by example: Build Security In from the start - Carlo...
Secure Coding principles by example: Build Security In from the start - Carlo...
 
Security Testing for Web Application
Security Testing for Web ApplicationSecurity Testing for Web Application
Security Testing for Web Application
 
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
Ch 1: Web Application (In)security & Ch 2: Core Defense Mechanisms
 
Neat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protectionNeat tricks to bypass CSRF-protection
Neat tricks to bypass CSRF-protection
 
Web Application Security and Awareness
Web Application Security and AwarenessWeb Application Security and Awareness
Web Application Security and Awareness
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 
Ethical hacking Presentation
Ethical hacking PresentationEthical hacking Presentation
Ethical hacking Presentation
 
Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop Privilege escalation from 1 to 0 Workshop
Privilege escalation from 1 to 0 Workshop
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Sql Injection - Vulnerability and Security
Sql Injection - Vulnerability and SecuritySql Injection - Vulnerability and Security
Sql Injection - Vulnerability and Security
 
Cross site scripting
Cross site scriptingCross site scripting
Cross site scripting
 
Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)Cross Site Scripting ( XSS)
Cross Site Scripting ( XSS)
 
sqlmap internals
sqlmap internalssqlmap internals
sqlmap internals
 
Buffer Overflow Attacks
Buffer Overflow AttacksBuffer Overflow Attacks
Buffer Overflow Attacks
 
SQL Injection
SQL Injection SQL Injection
SQL Injection
 
Waf bypassing Techniques
Waf bypassing TechniquesWaf bypassing Techniques
Waf bypassing Techniques
 
Directory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion AttacksDirectory Traversal & File Inclusion Attacks
Directory Traversal & File Inclusion Attacks
 
Web Cache Poisoning
Web Cache PoisoningWeb Cache Poisoning
Web Cache Poisoning
 
WTF is Penetration Testing v.2
WTF is Penetration Testing v.2WTF is Penetration Testing v.2
WTF is Penetration Testing v.2
 
Secure coding practices
Secure coding practicesSecure coding practices
Secure coding practices
 

En vedette

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case StudiesLeo TechnoSoft
 
Django book20 security
Django book20 securityDjango book20 security
Django book20 securityShih-yi Wei
 
Comparing web frameworks
Comparing web frameworksComparing web frameworks
Comparing web frameworksAditya Sengupta
 
Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Matt Raible
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro servicesJordan Valdma
 
Evil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersEvil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersMohammed ALDOUB
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -Toshio Ehara
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Chris Roberts
 
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針Nisei Kimura
 
[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledgeDeep Learning JP
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
The Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationThe Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationKasun Indrasiri
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 

En vedette (17)

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case Studies
 
Django book20 security
Django book20 securityDjango book20 security
Django book20 security
 
Comparing web frameworks
Comparing web frameworksComparing web frameworks
Comparing web frameworks
 
Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
 
Evil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersEvil Shell: Hacking Linux Users
Evil Shell: Hacking Linux Users
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!
 
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
 
[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
The Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationThe Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital Transformation
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 

Similaire à Case Study of Django: Web Frameworks that are Secure by Default

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4Aditya Kamat
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSSam Bowne
 

Similaire à Case Study of Django: Web Frameworks that are Secure by Default (20)

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Security testing
Security testingSecurity testing
Security testing
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSS
 

Dernier

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditSkynet Technologies
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfNeo4j
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Strongerpanagenda
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...Wes McKinney
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Scott Andery
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Farhan Tariq
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Hiroshi SHIBATA
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationKnoldus Inc.
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxLoriGlavin3
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesKari Kakkonen
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI AgeCprime
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch TuesdayIvanti
 

Dernier (20)

Manual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance AuditManual 508 Accessibility Compliance Audit
Manual 508 Accessibility Compliance Audit
 
Connecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdfConnecting the Dots for Information Discovery.pdf
Connecting the Dots for Information Discovery.pdf
 
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better StrongerModern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
Modern Roaming for Notes and Nomad – Cheaper Faster Better Stronger
 
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
The Future Roadmap for the Composable Data Stack - Wes McKinney - Data Counci...
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
Enhancing User Experience - Exploring the Latest Features of Tallyman Axis Lo...
 
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyesHow to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
How to Effectively Monitor SD-WAN and SASE Environments with ThousandEyes
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...Genislab builds better products and faster go-to-market with Lean project man...
Genislab builds better products and faster go-to-market with Lean project man...
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024Long journey of Ruby standard library at RubyConf AU 2024
Long journey of Ruby standard library at RubyConf AU 2024
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Data governance with Unity Catalog Presentation
Data governance with Unity Catalog PresentationData governance with Unity Catalog Presentation
Data governance with Unity Catalog Presentation
 
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptxUse of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
Use of FIDO in the Payments and Identity Landscape: FIDO Paris Seminar.pptx
 
Testing tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examplesTesting tools and AI - ideas what to try with some tool examples
Testing tools and AI - ideas what to try with some tool examples
 
A Framework for Development in the AI Age
A Framework for Development in the AI AgeA Framework for Development in the AI Age
A Framework for Development in the AI Age
 
2024 April Patch Tuesday
2024 April Patch Tuesday2024 April Patch Tuesday
2024 April Patch Tuesday
 

Case Study of Django: Web Frameworks that are Secure by Default

  • 1. A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
  • 2. Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
  • 3. Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
  • 4. Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
  • 5. Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
  • 6. Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
  • 7. • Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
  • 8. • Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
  • 9. • Django is used by many popular websites/services:
  • 10. Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
  • 11. User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
  • 12. User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
  • 13. User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
  • 14. Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
  • 15. Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
  • 16. Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
  • 17. Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
  • 18.
  • 19. Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
  • 20. SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
  • 21.
  • 22. SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
  • 23. SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
  • 24. Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
  • 25. Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
  • 26. Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
  • 27. Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
  • 28.
  • 29. Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
  • 30. E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
  • 31. E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
  • 32. Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
  • 33. References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
  • 34. Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!