is your python application secure? - pycon canada - 2015-11-07
TRANSCRIPT
![Page 1: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/1.jpg)
Is your Python application secure?
Frédéric Harper
@fharper
http://immun.io
Sr. Technical Evangelist @ IMMUNIO
Pycon Canada – 2015-11-07
Creative Commons: https://flic.kr/p/34T4Z
![Page 2: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/2.jpg)
is security important?
Creative Commons: https://flic.kr/p/s8hvJo
![Page 3: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/3.jpg)
do you have time?
Creative Commons: https://flic.kr/p/b7wRTX
![Page 4: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/4.jpg)
do you have the expertise?
Creative Commons: https://flic.kr/p/n7qDvJ
![Page 5: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/5.jpg)
do you have the money?
Creative Commons: https://flic.kr/p/rAG5dm
![Page 6: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/6.jpg)
is your app that secure?
Creative Commons: https://flic.kr/p/bY6uU7
![Page 7: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/7.jpg)
what about legacy apps?
Creative Commons: https://flic.kr/p/7fFQug
![Page 8: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/8.jpg)
it’s probably happening, now
Creative Commons: https://flic.kr/p/acnkbU
![Page 9: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/9.jpg)
...
![Page 10: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/10.jpg)
warning
Creative Commons: https://flic.kr/p/oosB
![Page 11: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/11.jpg)
I succeed if…
Creative Commons: https://flic.kr/p/ehZRGj
![Page 12: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/12.jpg)
mess with the best
die like the rest
![Page 13: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/13.jpg)
SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
![Page 14: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/14.jpg)
MIT: http://j.mp/1kKuced
no password
require
![Page 15: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/15.jpg)
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on
your pages in your customers' browsers.
§ Hijack of legitimate user sessions
§ Disclosure of sensitive information
§ Access to privileged services and functionality
§ Delivery of malware and browser exploits from your trusted domain
Cross-Site Scripting
![Page 16: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/16.jpg)
MIT: http://j.mp/1kKuced
Search or not
![Page 17: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/17.jpg)
Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution
2. Eval Execution.
Remote Command Execution
![Page 18: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/18.jpg)
• Brute force
• Common username
• Cookie tampering
• CSRF tampering
• Excessive 4XX & 5XX
• HTTP method tampering
• HTTP response splitting
• Redirect
• Session farming
• Session hijack
• Stolen account
• Shellshock
• Suspicious Exception
• Suspicious HTTP header
• Unauthorized file access
• Username hijack
…
![Page 19: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/19.jpg)
follow the
white rabbit
![Page 20: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/20.jpg)
anything from users is unsafe
Creative Commons: https://flic.kr/p/m2BKPn
![Page 21: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/21.jpg)
```python
import subprocess
from shlex import quote

# shell=True: a shell parses the command line, so shell metacharacters
# inside user-supplied data are interpreted
cp = subprocess.Popen(['ls', '-l'], shell=True)
# shell=False (the default) disables shell based features (like no pipe)
cp = subprocess.Popen(['ls', '-l'])

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(filename)
print(command)  # noooooooooo
# prints: ls -l somefile; rm -rf ~

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(quote(filename))
print(command)  # better luck next time
# prints: ls -l 'somefile; rm -rf ~'
```
shell & quote
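An added example, not from the slides, that carries the quoting point through: it tokenises both command strings the way a POSIX shell would, and shows the preferred argv-list form with shell=False, using the Python interpreter as a portable stand-in for ls. The hostile filename is the constructed one from the slide.

```python
import shlex
import subprocess
import sys

# Constructed hostile filename from the slide: to a shell it is two commands.
HOSTILE = "somefile; rm -rf ~"


def build_command_unsafe(filename):
    # Same defect as the slide: the filename is spliced into a shell string.
    return "ls -l {}".format(filename)


def build_command_quoted(filename):
    # shlex.quote single-quotes the value (escaping any embedded quotes),
    # so the shell sees the whole filename as one word.
    return "ls -l {}".format(shlex.quote(filename))


def shell_words(command):
    # shlex.split applies POSIX quoting rules, so it shows how many words
    # the shell would build from the string before running it.
    return shlex.split(command)


def echo_argument_no_shell(value):
    """Preferred form: an argv list with shell=False (the default), so no
    shell ever parses the value. The interpreter stands in for 'ls' and
    returns the argument exactly as the child process received it."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", value],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout
```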
![Page 22: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/22.jpg)
```python
# unsafe flask example
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name  # the query value lands in the HTML unescaped
```

```python
# using escape function
from flask import Flask, request
from markupsafe import escape  # was "from flask import escape"; removed in Flask 2.3

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % escape(name)
```
escape
![Page 23: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/23.jpg)
use a framework
Creative Commons: https://flic.kr/p/cHto9S
![Page 24: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/24.jpg)
```python
# unsafe flask example
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name
```

```python
# using template
from flask import Flask, request, render_template

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return render_template('hello.html', name=name)

# where templates/hello.html is:
# <html>Hello {{ name }}</html>
# Jinja2 autoescaping is on for .html templates, so name is rendered as text
```
templates
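An added example, not from the slides, covering the XSS slide and the two Flask fixes above without needing Flask installed: stdlib html.escape does what markupsafe.escape does, and a small placeholder renderer shows what template autoescaping buys you, including the attribute context. The payloads are constructed for the test.

```python
import html
import re

# {{ name }} placeholders, as in the slide's hello.html
PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def hello_unsafe(name):
    # Same defect as the slide's "unsafe flask example": the value is
    # concatenated into markup and the browser will parse any tags in it.
    return "Hello %s" % name


def hello_escaped(name):
    # html.escape turns < > & " ' into entities, so the value is displayed
    # as text instead of being parsed as HTML (what escape() does in Flask).
    return "Hello %s" % html.escape(name, quote=True)


def render(template, **context):
    """Substitute {{ var }} placeholders, escaping every value. This is the
    behaviour Jinja2 autoescaping gives Flask templates ending in .html."""
    def substitute(match):
        return html.escape(str(context[match.group(1)]), quote=True)
    return PLACEHOLDER.sub(substitute, template)


def hello_template(name):
    return render("<html>Hello {{ name }}</html>", name=name)
```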
![Page 25: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/25.jpg)
```python
# Unsafe example using the Python DB API
# (curs is a DB-API cursor, e.g. connection.cursor())
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)

# Sanitize your parameters
cmd = "update people set name=%s where id=%s"
curs.execute(cmd, (name, id))
# Placeholder syntax depends on the database
# (%s for psycopg2 and MySQLdb, ? for sqlite3)
```
sanitize
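An added runnable example, not from the slides, of the SQL injection slide and the "sanitize" fix above, using an in-memory sqlite3 table constructed for the purpose: the formatted query lets a hostile id rewrite the WHERE clause, the parameterised one does not (note sqlite3's ? placeholder where the slide's driver used %s).

```python
import sqlite3


def make_db():
    # Constructed sample table so the example runs offline.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE people (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO people (id, name) VALUES (?, ?)",
                     [(1, "alice"), (2, "bob"), (3, "carol")])
    conn.commit()
    return conn


def update_name_unsafe(conn, person_id, name):
    # String formatting: the input becomes part of the SQL grammar, so a
    # value containing a quote can change the statement's structure.
    cmd = "update people set name='%s' where id='%s'" % (name, person_id)
    conn.execute(cmd)
    conn.commit()


def update_name_safe(conn, person_id, name):
    # Placeholders: the driver passes values separately from the statement,
    # so whatever the input contains it is only ever compared as a value.
    conn.execute("update people set name=? where id=?", (name, person_id))
    conn.commit()


def names(conn):
    return [row[0] for row in conn.execute("SELECT name FROM people ORDER BY id")]


# Constructed hostile id: closes the quoted literal and widens the WHERE clause.
HOSTILE_ID = "2' or '1'='1"
```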
![Page 26: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/26.jpg)
```python
# Unsafe example using the Python DB API
cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode)
curs.execute(cmd)

# Using Django ORM, we assign the data to users variable
# (the ORM parameterises the query for us)
users = Users.objects.filter(zip_code=zipcode)
```
object-relational mapper
![Page 27: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/27.jpg)
```python
# My awesome Python skills
s = "print(\"Hello, World!\")"
exec(s)  # Python 2 statement form on the slide: exec s

# Refactor using function
def print_hello_world():
    print("Hello, World!")

print_hello_world()
```
avoid exec (if possible)
![Page 28: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/28.jpg)
ORM libraries
Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
![Page 29: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/29.jpg)
OWASP XSS Cheat Sheet
![Page 30: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/30.jpg)
Strengths
• Scales Well
• Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (using libraries as an example).
static code analysis
![Page 31: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/31.jpg)
MIT: http://j.mp/1kKuced
XSScrapy
![Page 32: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/32.jpg)
Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
![Page 33: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/33.jpg)
IMMUNIO
![Page 34: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/34.jpg)
Developers
§ Use a cryptographically slow hash function
(bcrypt & PBKDF2) to store passwords
§ Stored procedures if possible
§ Up-to-date frameworks & libraries
Devops
§ HTTPS
§ Web Application Firewall (WAF)
§ Intrusion prevention systems (IPS)
§ Up-to-date platform & infrastructure
trust… or not
![Page 35: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/35.jpg)
to infinity... and beyond!
Creative Commons: https://flic.kr/p/8Z1Cxm
![Page 36: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/36.jpg)
thanks but
no thanks
![Page 37: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/37.jpg)
stop
Creative Commons: https://flic.kr/p/gpVdD
![Page 38: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/38.jpg)
I’m serious!
Creative Commons: https://flic.kr/p/9CG51N
![Page 39: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/39.jpg)
plan for it
Creative Commons: https://flic.kr/p/5bn2nD
![Page 40: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/40.jpg)
now.
Creative Commons: https://flic.kr/p/fA6vnM
![Page 41: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/41.jpg)
nothing is 100% bulletproof
Creative Commons: https://flic.kr/p/hpE97
![Page 42: Is your python application secure? - PyCon Canada - 2015-11-07](https://reader035.vdocuments.us/reader035/viewer/2022070600/589d76001a28ab69538b4d87/html5/thumbnails/42.jpg)
IMMUNIO – Real-time web application security - https://www.immun.io/
OWASP (Open Web Application Security Project) - https://www.owasp.org/
Security in Django - http://j.mp/1Q8VMBP
Security system in Pyramid - http://j.mp/1Q8VHxT
Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
XSScrapy - https://github.com/DanMcInerney/xsscrapy