SlideShare a Scribd company logo

Case Study of Django: Web Frameworks that are Secure by Default

Download as PPTX, PDF
Mohammed ALDOUB
Mohammed ALDOUB

A case study of security features inside the popular python-based web framework, Django. Made by Mohammed ALDOUB (@Voulnet)

Technology
1 of 34
A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
• Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
• Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
• Django is used by many popular websites/services:
Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!

Recommended

Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaPrajal Kulkarni
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Log analysis using elk
Log analysis using elkLog analysis using elk
Log analysis using elkRushika Shah
 
Prometheus
PrometheusPrometheus
Prometheuswyukawa
 
Log management with ELK
Log management with ELKLog management with ELK
Log management with ELKGeert Pante
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 

Recommended

Reverse proxies & Inconsistency
Reverse proxies & InconsistencyReverse proxies & Inconsistency
Reverse proxies & InconsistencyGreenD0g
 
Attack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaAttack monitoring using ElasticSearch Logstash and Kibana
Attack monitoring using ElasticSearch Logstash and KibanaPrajal Kulkarni
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Log analysis using elk
Log analysis using elkLog analysis using elk
Log analysis using elkRushika Shah
 
Prometheus
PrometheusPrometheus
Prometheuswyukawa
 
Log management with ELK
Log management with ELKLog management with ELK
Log management with ELKGeert Pante
 
Linux Performance Tools
Linux Performance ToolsLinux Performance Tools
Linux Performance ToolsBrendan Gregg
 
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappsMikhail Egorov - Hunting for bugs in Adobe Experience Manager webapps
Mikhail Egorov - Hunting for bugs in Adobe Experience Manager webappshacktivity
 
Prometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemPrometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemFabian Reinartz
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScyllaDB
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Bug bounty
Bug bountyBug bounty
Bug bountyn|u - The Open Security Community
 
Log analytics with ELK stack
Log analytics with ELK stackLog analytics with ELK stack
Log analytics with ELK stackAWS User Group Bengaluru
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱PgDay.Seoul
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Prometheus (Prometheus London, 2016)
Prometheus (Prometheus London, 2016)Prometheus (Prometheus London, 2016)
Prometheus (Prometheus London, 2016)Brian Brazil
 
Graylog
GraylogGraylog
GraylogDiwakar Upadhyay
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Elastic stack Presentation
Elastic stack PresentationElastic stack Presentation
Elastic stack PresentationAmr Alaa Yassen
 
Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres MonitoringDenish Patel
 
Airflow Intro-1.pdf
Airflow Intro-1.pdfAirflow Intro-1.pdf
Airflow Intro-1.pdfBagustTriCahyo1
 
Performance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cPerformance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cAjith Narayanan
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSДмитрий Бумов
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performanceSteven Shim
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 
Introducing ELK
Introducing ELKIntroducing ELK
Introducing ELKAllBits BVBA (freelancer)
 
Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case StudiesLeo TechnoSoft
 

More Related Content

What's hot

Prometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemPrometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemFabian Reinartz
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking themMikhail Egorov
 
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScyllaDB
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016Frans Rosén
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahOWASP Delhi
 
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱PgDay.Seoul
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMFrans Rosén
 
Prometheus (Prometheus London, 2016)
Prometheus (Prometheus London, 2016)Prometheus (Prometheus London, 2016)
Prometheus (Prometheus London, 2016)Brian Brazil
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and preventionhelloanand
 
Elastic stack Presentation
Elastic stack PresentationElastic stack Presentation
Elastic stack PresentationAmr Alaa Yassen
 
Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres MonitoringDenish Patel
 
Performance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cPerformance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cAjith Narayanan
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performanceSteven Shim
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015CODE BLUE
 

What's hot (20)

Prometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring SystemPrometheus – a next-gen Monitoring System
Prometheus – a next-gen Monitoring System
 
Securing AEM webapps by hacking them
Securing AEM webapps by hacking themSecuring AEM webapps by hacking them
Securing AEM webapps by hacking them
 
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion RecordsScylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
Scylla Summit 2022: How to Migrate a Counter Table for 68 Billion Records
 
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
The Secret Life of a Bug Bounty Hunter – Frans Rosén @ Security Fest 2016
 
Bug bounty
Bug bountyBug bounty
Bug bounty
 
Log analytics with ELK stack
Log analytics with ELK stackLog analytics with ELK stack
Log analytics with ELK stack
 
Windows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv ShahWindows privilege escalation by Dhruv Shah
Windows privilege escalation by Dhruv Shah
 
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
[pgday.Seoul 2022] POSTGRES 테스트코드로 기여하기 - 이동욱
 
A story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEMA story of the passive aggressive sysadmin of AEM
A story of the passive aggressive sysadmin of AEM
 
Prometheus (Prometheus London, 2016)
Prometheus (Prometheus London, 2016)Prometheus (Prometheus London, 2016)
Prometheus (Prometheus London, 2016)
 
Graylog
GraylogGraylog
Graylog
 
Sql Injection attacks and prevention
Sql Injection attacks and preventionSql Injection attacks and prevention
Sql Injection attacks and prevention
 
Elastic stack Presentation
Elastic stack PresentationElastic stack Presentation
Elastic stack Presentation
 
Advanced Postgres Monitoring
Advanced Postgres MonitoringAdvanced Postgres Monitoring
Advanced Postgres Monitoring
 
Airflow Intro-1.pdf
Airflow Intro-1.pdfAirflow Intro-1.pdf
Airflow Intro-1.pdf
 
Performance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12cPerformance Tuning Oracle Weblogic Server 12c
Performance Tuning Oracle Weblogic Server 12c
 
ZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSSZeroNights 2018 | I <"3 XSS
ZeroNights 2018 | I <"3 XSS
 
How to improve ELK log pipeline performance
How to improve ELK log pipeline performanceHow to improve ELK log pipeline performance
How to improve ELK log pipeline performance
 
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
XSS Attacks Exploiting XSS Filter by Masato Kinugawa - CODE BLUE 2015
 
Introducing ELK
Introducing ELKIntroducing ELK
Introducing ELK
 

Viewers also liked

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Securitylevigross
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case StudiesLeo TechnoSoft
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Django book20 security
Django book20 securityDjango book20 security
Django book20 securityShih-yi Wei
 
Comparing web frameworks
Comparing web frameworksComparing web frameworks
Comparing web frameworksAditya Sengupta
 
Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Matt Raible
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro servicesJordan Valdma
 
Evil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersEvil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersMohammed ALDOUB
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing3S Labs
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJSrobertjd
 
HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -Toshio Ehara
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorizationGiulio De Donato
 
Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Chris Roberts
 
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針Nisei Kimura
 
[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledgeDeep Learning JP
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON
 
The Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationThe Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationKasun Indrasiri
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST securityIgor Bossenko
 

Viewers also liked (18)

Django Web Application Security
Django Web Application SecurityDjango Web Application Security
Django Web Application Security
 
Django & Python Case Studies
Django & Python Case Studies Django & Python Case Studies
Django & Python Case Studies
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Django book20 security
Django book20 securityDjango book20 security
Django book20 security
 
Comparing web frameworks
Comparing web frameworksComparing web frameworks
Comparing web frameworks
 
Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012Comparing JVM Web Frameworks - Spring I/O 2012
Comparing JVM Web Frameworks - Spring I/O 2012
 
Gateway and secure micro services
Gateway and secure micro servicesGateway and secure micro services
Gateway and secure micro services
 
Evil Shell: Hacking Linux Users
Evil Shell: Hacking Linux UsersEvil Shell: Hacking Linux Users
Evil Shell: Hacking Linux Users
 
Ruby on Rails Penetration Testing
Ruby on Rails Penetration TestingRuby on Rails Penetration Testing
Ruby on Rails Penetration Testing
 
JWT Authentication with AngularJS
JWT Authentication with AngularJSJWT Authentication with AngularJS
JWT Authentication with AngularJS
 
HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -HTML5のCanvas入門 - Img画像を編集してみよう -
HTML5のCanvas入門 - Img画像を編集してみよう -
 
Json web token api authorization
Json web token api authorizationJson web token api authorization
Json web token api authorization
 
Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!Laravel and Django and Rails, Oh My!
Laravel and Django and Rails, Oh My!
 
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
HTML5 Canvasを学びたい人に送る Canvasの超基本とその後の学習方針
 
[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge[Dl輪読会]bayesian dark knowledge
[Dl輪読会]bayesian dark knowledge
 
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
44CON London 2015 - Stegosploit - Drive-by Browser Exploits using only Images
 
The Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital TransformationThe Role of Enterprise Integration in Digital Transformation
The Role of Enterprise Integration in Digital Transformation
 
Single-Page-Application & REST security
Single-Page-Application & REST securitySingle-Page-Application & REST security
Single-Page-Application & REST security
 

Similar to Case Study of Django: Web Frameworks that are Secure by Default

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)Kishor Kumar
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10bilcorry
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelinesZakaria SMAHI
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...IBM Security
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationMd Mahfuzur Rahman
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top TenSecurity Innovation
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4Aditya Kamat
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a DatabaseJohn Ashmead
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Michael Pirnat
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFBrian Huff
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security NinjaPaul Gilzow
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingSam Bowne
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSSam Bowne
 

Similar to Case Study of Django: Web Frameworks that are Secure by Default (20)

Django (Web Applications that are Secure by Default)
Django �(Web Applications that are Secure by Default�)Django �(Web Applications that are Secure by Default�)
Django (Web Applications that are Secure by Default)
 
Security testing
Security testingSecurity testing
Security testing
 
2013 OWASP Top 10
2013 OWASP Top 102013 OWASP Top 10
2013 OWASP Top 10
 
Secure coding guidelines
Secure coding guidelinesSecure coding guidelines
Secure coding guidelines
 
Owasp top 10 2013
Owasp top 10 2013Owasp top 10 2013
Owasp top 10 2013
 
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
Avoiding Application Attacks: A Guide to Preventing the OWASP Top 10 from Hap...
 
Owasp top 10 2017
Owasp top 10 2017Owasp top 10 2017
Owasp top 10 2017
 
Presentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web ApplicationPresentation on Top 10 Vulnerabilities in Web Application
Presentation on Top 10 Vulnerabilities in Web Application
 
Joomla web application development vulnerabilities
Joomla web application development vulnerabilitiesJoomla web application development vulnerabilities
Joomla web application development vulnerabilities
 
How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten How to Test for The OWASP Top Ten
How to Test for The OWASP Top Ten
 
Web Hacking Series Part 4
Web Hacking Series Part 4Web Hacking Series Part 4
Web Hacking Series Part 4
 
How to Destroy a Database
How to Destroy a DatabaseHow to Destroy a Database
How to Destroy a Database
 
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
Shiny, Let’s Be Bad Guys: Exploiting and Mitigating the Top 10 Web App Vulner...
 
Web Application Security
Web Application SecurityWeb Application Security
Web Application Security
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADFOWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
OWASP Top 10 Security Vulnerabilities, and Securing them with Oracle ADF
 
Become a Security Ninja
Become a Security NinjaBecome a Security Ninja
Become a Security Ninja
 
Xss talk, attack and defense
Xss talk, attack and defenseXss talk, attack and defense
Xss talk, attack and defense
 
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site ScriptingCNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
CNIT 129S: Ch 12: Attacking Users: Cross-Site Scripting
 
Ch 12 Attacking Users - XSS
Ch 12 Attacking Users - XSSCh 12 Attacking Users - XSS
Ch 12 Attacking Users - XSS
 

Recently uploaded

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfSeasiaInfotech2
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfRankYa
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embeddingZilliz
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 

Recently uploaded (20)

Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
The Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdfThe Future of Software Development - Devin AI Innovative Approach.pdf
The Future of Software Development - Devin AI Innovative Approach.pdf
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Search Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdfSearch Engine Optimization SEO PDF for 2024.pdf
Search Engine Optimization SEO PDF for 2024.pdf
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Training state-of-the-art general text embedding
Training state-of-the-art general text embeddingTraining state-of-the-art general text embedding
Training state-of-the-art general text embedding
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 

Case Study of Django: Web Frameworks that are Secure by Default

  • 1. A Case Study of Django Web Applications that are Secure by Default Mohammed ALDOUB @Voulnet
  • 2. Web Security Essentials • The essentials of web application security are still not well understood. • Most developers have little to no idea about web security fundamentals. • Higher adoption to new web technologies, but no accompanying security awareness.
  • 3. Web Security Essentials • The basic idea of web security: Never trust users, and never trust their data. No exceptions. • Many layers exist in web technologies, and therefore many attack vectors and possibilities. • Web developers must understand risks and mitigations for all web layers.
  • 4. Problems in Applying Web Security • Web security cannot be achieved if developers are not well trained in security. Education is key. • Deadlines will almost always result in security vulnerabilities. Developers who are too busy and under pressure will not focus on security. • Security is not integrated early in the development process, so it gets delayed/forgotten.
  • 5. Bad Practices in Web Security • Developers don’t validate user input. • Even if they validate it, they do it poorly or out of context. • Developers make wrong assumptions about security: – “It’s ok, we use SSL!” – “The Firewall will protect us” – “Who will think of attacking this function?” • Most developers copy/paste code from the internet. Admit it.
  • 6. Bad Practices in Web Security • Session/password management is done poorly: – Sessions are easy to forge by attackers. – Passwords are stored as plaintext. • Server & Database configuration/security are not understood by web developers. • Developers don’t realize the threats on end users: – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF)
  • 7. • Django is a Web Application Framework, written in Python • Allows rapid, secure and agile web development. • Write better web applications in less time & effort.
  • 8. • Django is loaded with security features that are used by default. • Security by default provides great protection to developers with no security experience • Django makes it more difficult to write insecure code.
  • 9. • Django is used by many popular websites/services:
  • 10. Security Features of Django • Django provides many default protections against web threats, mainly against problems of: – User Management – Authorization – Cookies – SQL Injection – Cross Site Scripting (XSS) – Cross Site Request Forgery (CSRF) – Clickjacking – Files – E-mail Header Injection – Cryptography – Directory Traversal
  • 11. User Management • Developers make many mistakes in user management. • Passwords are stored/transferred as plaintext. • Users are exposed if databases get leaked. • Weak authentication methods are used by inexperienced developers.
  • 12. User Management • Django provides a default User model that can be used in any website. It comes equipped with correct session management, permissions, registration and login. • Developers don’t need to re-invent the wheel and re- introduce user management risks. • Django provides strong password hashing methods (bcrypt, PBKDF2, SHA1), with increasing work factors. • • Django makes passwords very hard to crack.
  • 13. User Management • Django provides easy methods for user management such as is_authenticated(), permission_required(), requires_login(), and more, offsetting difficult session and permission code away from the developer. • Django provides secure default password reset and login redirection functionality. Developers don’t need to create password reset forms and introduce risks. • By using Django’s user management module, developers will not make mistakes such as ‘admin=true’ in cookies!
  • 14. Clickjacking • Clickjacking is an attack where an attackers loads an invisible page over a visible one. The user thinks he is clicking on the visible page, but he’s actually clicking on invisible buttons and links. • Can be used to trick users into buying items, deleting content or adding fake friends online. • Django provides direct protection against Clickjacking attacks using the X-Frame-Options header. Only one line of code!
  • 15. Clickjacking Example Image taken from ‘Busting Frame Busting’ research paper (found in references)
  • 16. Cross Site Scripting (XSS) • XSS is one of the most dangerous and popular attacks, where users instead of servers are targeted. • In an XSS attack, an attacker runs evil scripts on the user’s browser, through a vulnerable website. • It can be used to steal cookies, accounts, install malware, deface websites and many more uses.
  • 17. Cross Site Scripting (XSS) • XSS is very easy to introduce by ignorant developers, example: <?php echo "Results for: " . $_GET["query"]; ?> • It’s okay if the search query was Car, but what if the attacker entered… <script>alert(document.cookie)</script>
  • 18.
  • 19. Cross Site Scripting (XSS) • Evidently XSS is a critical attack, so Django provides great default protections against it. • HTML output is always escaped by Django to ensure that user input cannot execute code. • Django’s templating engine provides autoescaping. • HTML Attributes must always be quoted so that Django’s protections can be activated. • For extra XSS protections, use ESAPI, lxml, html5lib, Bleach or Markdown
  • 20. SQL Injection (SQLi) • SQL Injection is a dangerous attack in which evil data is sent to the database to be executed as destructive commands. • Developers write SQL queries in a wrong way, allowing attackers to inject SQL commands into the query, to be executed as SQL code. Example: string sql = “SELECT * FROM USERS WHERE name=‘” + Request[‘username’] + “’”; • Looks innocent, but what if the user entered ‘; DROP TABLE USERS;-- ?
  • 21.
  • 22. SQL Injection (SQLi) • SQL injection attacks are used to read and corrupt databases, take complete control over servers as well as modify web pages (and therefore steal user sessions or install malware) • The good news is that Django provides excellent defense against SQL Injection! • Django uses ORM and query sets to make sure all input is escaped & validated. • Developers do not need to write any SQL. Just write Python classes and Django will convert them to SQL securely!
  • 23. SQL Injection (SQLi) • No matter where input comes from (GET,POST,COOKIES), Django will escape all input that goes to the database. • Even if developers needed to write raw SQL, they can use placeholders like "Select * from users where id = %s ” which will safely validate input.
  • 24. Cookies • Django sets cookies to HttpOnly by default, to prevent sessions from getting stolen in most browsers. • Session ID are never used in URLs even if cookies are disabled. • Django will always give a new session ID if a user tried a non- existent one, to protect against session fixation. • Cookies can be digitally signed and time-stamped, to protect against tampering of data.
  • 25. Files • Django provides excellent protection to files. • No webroot concept in Django. Only the directories and files you allow are requested. Even if attackers upload a file, it is only downloaded if you allow it in URLConf. • Django executes Python code from the outside of the web root, so attackers cannot retrieve any files not explicitly allowed from the web root.
  • 26. Cross Site Request Forgery (CSRF) • CSRF is an attack where an attacker can force users of a website to perform actions without their permission. • If a user is logged into website A, an attacker can let a user visit website B, which will perform actions on website A on behalf of the user. • This happens because the forms in website A are not protected against CSRF. • Basically CSRF means evil websites can let users of other websites perform actions without user permission.
  • 27. Cross Site Request Forgery (CSRF) • Example: A form in website A allows a logged in user to delete his account. If there is no CSRF protection, website B can force visitors to delete their account on website A. • Example: Suppose website B has this HTML form in its code. What happens if a user of website A visits B? <form action="http://websiteA.com/deleteMyAccount.php” method=”post” > </form>
  • 28.
  • 29. Cross Site Request Forgery (CSRF) • The effects of CSRF is that attackers can make users perform ANY action on the vulnerable website. • Django provides CSRF protections for all POST,PUT,DELETE requests (according to RFC2616). • If website A used Django CSRF protection, the form would be: <form action=”/deleteMyAccount.php” method=”post” > <input type='hidden' name='csrfmiddlewaretoken' value='Aes4YiAfBQwCS8d4T1ngDAa6jJQiYDFs' /> </form>
  • 30. E-mail Header Injection • E-mail Header injection is a less popular attack that targets weak email-sending forms in websites. • By crafting a special string, attackers can use your email form to spend spam through your mail server, resulting in your domains/IPs getting blocked and possible worse effects. • Example email form: To: mycustomer@example.com Subject: Customer feedback <email content here>
  • 31. E-mail Header Injection • What if the attacker supplies the following data as the email content? They will be able to use your website as a spam base. • “ncc: spamVictim@example.comn<spam content>” • It would be: To: mycustomer@example.com Subject: Customer feedback cc: spamVictim@example.com <spam message content, buy drugs, lose weight or something> • Django provides default protection by using the built-in email form.
  • 32. Final Remarks • It must be understood that nothing can protect developers if they refuse to learn about web security and vulnerabilities. • The point of Django’s default security features is to make it very easy to add security, and very difficult to remove security. • However, developers still need to learn the basics of security and risk assessment. • Knowledge is the best defense against web attacks.
  • 33. References • http://davidbliss.com/sites-built-using-django • https://docs.djangoproject.com/en/1.4/topics/security/ • http://www.djangobook.com/en/2.0/chapter20/ • http://seclab.stanford.edu/websec/framebusting/framebust.p df
  • 34. Questions? • Do not hesitate to ask any question! • Do not hesitate to let your developers try Django in the workplace! It could be your road to increased productivity and security!