ngenuity djangocon2010 pony pwning

8/8/2019 nGenuity Djangocon2010 Pony Pwning

1/44

Pony PwningDjangocon 2010 // Adam Baldwin

Wednesday, September 8, 2010


2/44

Hi, Im not thatAdam Baldwin.

Im this one:

@adam_baldwin

ngenuity-is.com

evilpacket.net



3/44

I break stuff



4/44

Django = pile

ofawesome



5/44

Django isnt

perfect



6/44

Developers

arent perfect



7/44

I WANT TOHELP YOU

AVOIDHUGE ASSMISTAKES

Captain Howdy McAssumptions,the nGenuity Mascot



8/44

Completely

made upstatistics

INTRODUCING!



9/44

of security

failures60%

project

constraints!



10/44Wednesday, September 8, 2010


11/44

of security

failures30%

incompetence

or ignorance



12/44

See http://evilpacket.net/2010/jan/14/mifi-geopwn/

http://evilpacket.net/2010/jan/14/mifi-geopwn/http://evilpacket.net/2010/jan/14/mifi-geopwn/http://evilpacket.net/2010/jan/14/mifi-geopwn/


13/44

of security

failures9%

needle in

the haystack



14/44

See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/

and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/

http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/


15/44

of security

failures1%

0 days



16/44

90%Lets talk

about the



17/44

Sad PonyWarning



18/44

cross-site scripting



19/44

the

BigFive

double quote

single quote

ampersand

less than

greater than

&{



20/44

{% autoescape off %}

|safe filter

mark_safe( )



21/44

Context matters.{{object.name}}

{{object.name}}

Missing quotes in the second URL make it possibleto inject malicious code.

Which is bad.



22/44

swingsetOWASP ESAPI Swingset by Craig Younkins

http://www.owasp.org/index.php/ESAPI_Swingset



23/44

Browser behavior

click

This works in IE8, without the big five and executeswithout user interaction.

click



24/44

Avoid

gettingburned

Consider OWASP ESAPI

Audit templates

Audit reusables and snippets

Educate designers



25/44

FILE UP

LOADS



26/44


27/44

Avoid

gettingburned

Check file extensions

Disable PHP



28/44

secret_report.pdf

File upload TMI

secret_report_1.pdf



29/44

Avoid

gettingburned

Put user content behind a file API

Obfuscate filenames of uploads



30/44

Direct

ObjectAccess



31/44

Not Found

General TMI

Forbidden / Access denied

vs.



32/44

Avoid

gettingburned

Return consistent results(preferably Not Found)

Log security violations



33/44

eg /object/delete/2

Doing stupid things

Privileged operations with HTTP GET



34/44

Avoid

gettingburned

Dont do stupid things.

Consider Django-Piston for REST



35/44

ClickJacking

What the hell is it?



36/44

Click jackets

/admin/ is vulnerable.

pre-filling forms removesmost user interaction



37/44

Avoid

gettingburned

Set X-FRAME-OPTIONS DENYheader

Use django-xframeoptionsmiddleware

Implement frame breakout code



38/44

Abusing

/admin/

:(



39/44

Wuh-oh, kids.

[ REDACTED ]



40/44

Avoid

gettingburned

I HAVE NO IDEA.

[email protected] to check their email ;)

mailto:[email protected]:[email protected]


41/44



42/44

I have a

hard job



43/44

Your job

is harder.



44/44

Questions?

@adam_baldwin // ngenuity-is.com // evilpacket.net

ngenuity djangocon2010 pony pwning

Documents