Pony Pwning Djangocon 2010

Post on 13-May-2015


Transcript

Pony Pwning // Djangocon 2010 // Adam Baldwin

Wednesday, September 8, 2010

Hi, I’m not that Adam Baldwin.

I’m this one:

@adam_baldwin

ngenuity-is.com

evilpacket.net


I break stuff


Django = pile of awesome


Django isn’t perfect

Developers aren’t perfect


I WANT TO HELP YOU

AVOID HUGE ASS MISTAKES

Captain Howdy McAssumptions, the nGenuity Mascot

★ ★ ★ ★ INTRODUCING! ★ ★ ★ ★

Completely made up statistics

60% of security failures: project constraints!

30% of security failures: incompetence or ignorance

See http://evilpacket.net/2010/jan/14/mifi-geopwn/


9% of security failures: needle in the haystack

See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/ and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/

1% of security failures: 0 days

Let’s talk about the 90%

Sad Pony Warning

cross-site scripting


The Big Five

• double quote "

• single quote '

• ampersand &

• less than <

• greater than >

Three ways to switch Django’s autoescaping off, and therefore three things to audit:

• {% autoescape off %}

• |safe filter

• mark_safe( )

Context matters.

<a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a>

<a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>

Autoescaping only handles the big five. In the second version the attribute values are unquoted, so a value containing a space (which is not escaped) ends the attribute and whatever follows becomes a new attribute. That makes it possible to inject malicious code.

Which is bad.
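To make the "context matters" point concrete, here is an added example (not code from the slides or from Django) that re-implements big-five escaping as a stand-in for Django's autoescape and then feeds the quoted and unquoted versions of the slide's `<a>` tag through Python's own HTML parser, which is a reasonable proxy for what a browser sees. The sample name `pony extra=attr` is constructed; `escape`, `render_link` and `anchor_attributes` are names chosen for this example.

```python
from html.parser import HTMLParser

# Constructed stand-in for Django's autoescape: the big five and nothing else.
# Added example code, not Django's own escape().
BIG_FIVE = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
}


def escape(value):
    """Escape only the big five; whitespace and '=' pass through untouched."""
    return "".join(BIG_FIVE.get(ch, ch) for ch in str(value))


def render_link(url, name, quoted=True):
    """Render the slide's <a> tag with quoted or unquoted attribute values."""
    if quoted:
        template = '<a href="{url}" alt="{name}">{name}</a>'
    else:
        template = "<a href={url} alt={name}>{name}</a>"
    return template.format(url=escape(url), name=escape(name))


class AnchorAttrs(HTMLParser):
    """Collect the attributes the parser sees on the first <a> tag."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "a" and not self.attrs:
            self.attrs = dict(attrs)


def anchor_attributes(markup):
    """Parse markup and return the <a> tag's attributes as a dict."""
    parser = AnchorAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs


if __name__ == "__main__":
    # Constructed sample: a name containing a space and an equals sign,
    # neither of which is among the big five.
    name = "pony extra=attr"
    print(anchor_attributes(render_link("/pony/1", name, quoted=True)))
    # {'href': '/pony/1', 'alt': 'pony extra=attr'}
    print(anchor_attributes(render_link("/pony/1", name, quoted=False)))
    # {'href': '/pony/1', 'alt': 'pony', 'extra': 'attr'}
```

With quotes, the whole value stays inside `alt`; without them, the same escaped value yields an extra attribute that the template author never wrote. The fix is in the template (always quote attribute values), not in the escaping.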

OWASP ESAPI Swingset by Craig Younkins

http://www.owasp.org/index.php/ESAPI_Swingset

Browser behavior

<style /><a href="[user provided data here]">click</a>

This works in IE8, without the “big five”, and executes without user interaction.

<style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>

Avoid getting burned

• Consider OWASP ESAPI

• Audit templates

• Audit reusables and snippets

• Educate designers


FILE UPLOADS


Evil Avatars

Images can contain PHP.

ImageField does not care.

ImageField does not check extensions.

File uploads are often put in unprotected directories.

Avoid getting burned

• Check file extensions

• Disable PHP


File upload TMI

secret_report.pdf → secret_report_1.pdf

When a colliding upload is renamed to secret_report_1.pdf, the new name tells the uploader that someone else’s secret_report.pdf already exists.

Avoid getting burned

• Put user content behind a file API

• Obfuscate filenames of uploads

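The two "avoid getting burned" lists for uploads (check extensions, and obfuscate filenames behind an API) can be combined into one validation step. The following is an added example written for this transcript, not Django's ImageField or any project code: it allow-lists extensions, checks that the file's leading bytes agree with the extension, and stores the file under a random name so the stored path never reveals the original name or whether a similarly named file exists. The allow-list, the magic-byte table and the sample uploads are all constructed assumptions of this example.

```python
import os
import secrets

# Constructed allow-list: extension -> leading magic bytes.
# Added example code; not Django's ImageField.
ALLOWED_IMAGE_MAGIC = {
    "png": b"\x89PNG\r\n\x1a\n",
    "gif": b"GIF8",
    "jpg": b"\xff\xd8\xff",
}


def normalized_extension(filename):
    """Lower-case extension without the dot; 'jpeg' is folded into 'jpg'."""
    ext = os.path.splitext(filename)[1].lower().lstrip(".")
    return "jpg" if ext == "jpeg" else ext


def sniff_image_type(data):
    """Return the image type whose signature the upload starts with, or None."""
    for ext, magic in ALLOWED_IMAGE_MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def validate_upload(filename, data):
    """Reject uploads whose extension is not allowed or whose bytes disagree
    with that extension. Returns the validated extension."""
    ext = normalized_extension(filename)
    if ext not in ALLOWED_IMAGE_MAGIC:
        raise ValueError("extension not allowed: %r" % ext)
    if sniff_image_type(data) != ext:
        raise ValueError("content does not match extension %r" % ext)
    # A genuine image can still carry PHP in its trailing bytes, so this check
    # complements, and does not replace, disabling script execution in the
    # directory the files are served from.
    return ext


def is_accepted(filename, data):
    """Boolean wrapper around validate_upload for callers that want no exception."""
    try:
        validate_upload(filename, data)
    except ValueError:
        return False
    return True


def stored_name(filename, data):
    """Random on-disk name with the validated extension, so the stored path
    leaks nothing about the original filename or about other users' uploads."""
    ext = validate_upload(filename, data)
    return "%s.%s" % (secrets.token_hex(16), ext)


# Constructed sample uploads.
PNG_SAMPLE = ALLOWED_IMAGE_MAGIC["png"] + b"\x00" * 16
PHP_SAMPLE = b"<?php echo 'hi'; ?>"

if __name__ == "__main__":
    print(is_accepted("avatar.png", PNG_SAMPLE))  # True
    print(is_accepted("avatar.php", PHP_SAMPLE))  # False
    print(is_accepted("avatar.png", PHP_SAMPLE))  # False
    print(stored_name("secret_report.png", PNG_SAMPLE))
```

Serving the random name through a view (the "file API" of the slide) rather than a directory listing means the original filename can still be shown to the owner from the database without ever appearing on disk.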

Direct Object Access

General TMI

“Not Found” vs. “Forbidden” / “Access denied”

Avoid getting burned

• Return consistent results (preferably “Not Found”)

• Log security violations


Doing stupid things

Privileged operations with HTTP GET, e.g. /object/delete/2

Avoid getting burned

• Don’t do stupid things.

• Consider Django-Piston for REST

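One handler can cover both preceding lists: the direct-object-access advice (answer “Not Found” whether the object is missing or belongs to someone else, and log the violation) and the advice not to change state on GET. The following is an added example written for this transcript, framework-free so it runs on its own; it is not Django-Piston or any project code. The in-memory object store, the user names and the status-code contract are constructed assumptions.

```python
import logging

log = logging.getLogger("security")
log.setLevel(logging.WARNING)


class ListHandler(logging.Handler):
    """Collects formatted records in memory so the example runs offline."""

    def __init__(self):
        super().__init__()
        self.records = []

    def emit(self, record):
        self.records.append(self.format(record))


audit = ListHandler()
log.addHandler(audit)


def fresh_store():
    """Constructed object store: object id -> owner. Stands in for a queryset."""
    return {1: "alice", 2: "bob"}


def delete_object(store, method, user, obj_id):
    """Return an HTTP status code for a delete request.

    - state changes only on POST; GET gets 405 and touches nothing
    - a missing object and another user's object both answer 404, so the
      response never reveals whether the id exists
    - the cross-user case is the one worth logging as a security violation
    """
    if method != "POST":
        return 405
    owner = store.get(obj_id)
    if owner is None:
        return 404
    if owner != user:
        log.warning("user %s attempted delete of object %d owned by %s",
                    user, obj_id, owner)
        return 404
    del store[obj_id]
    return 200


if __name__ == "__main__":
    store = fresh_store()
    print(delete_object(store, "GET", "alice", 1))    # 405
    print(delete_object(store, "POST", "alice", 99))  # 404
    print(delete_object(store, "POST", "alice", 2))   # 404, logged
    print(delete_object(store, "POST", "alice", 1))   # 200
    print(audit.records)
```

The caller cannot distinguish the "missing" 404 from the "not yours" 404, which is the point; the distinction lives only in the security log.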

ClickJacking

What the hell is it?


Click jackets

/admin/ is vulnerable.

pre-filling forms removes most user interaction


Avoid getting burned

• Set X-FRAME-OPTIONS DENY header

• Use django-xframeoptions middleware

• Implement frame breakout code

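The first two bullets above amount to "set the header on every response". Here is an added example of that as plain WSGI middleware, written for this transcript; it is not the django-xframeoptions package and does not depend on Django. The `admin_app` stand-in and the minimal environ are constructed for the example.

```python
def xframe_options_middleware(app, value="DENY"):
    """Wrap a WSGI app so every response carries X-Frame-Options.

    A header the app already set is left alone, so an individual view can
    opt into SAMEORIGIN where framing is genuinely wanted.
    """
    def wrapped(environ, start_response):
        def start_response_with_xfo(status, headers, exc_info=None):
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers = list(headers) + [("X-Frame-Options", value)]
            return start_response(status, headers, exc_info)
        return app(environ, start_response_with_xfo)
    return wrapped


def admin_app(environ, start_response):
    """Constructed stand-in for /admin/ that sets no framing header itself."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form>...</form>"]


def call_app(app, path="/admin/"):
    """Invoke a WSGI app with a minimal constructed environ.
    Returns (status, headers, body) so the result can be inspected offline."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"] = status
        captured["headers"] = headers
        return lambda data: None

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


def frame_policy(headers):
    """Return the X-Frame-Options value from a WSGI header list, or None."""
    for name, val in headers:
        if name.lower() == "x-frame-options":
            return val
    return None


if __name__ == "__main__":
    print(frame_policy(call_app(admin_app)[1]))                           # None
    print(frame_policy(call_app(xframe_options_middleware(admin_app))[1]))  # DENY
```

Wrapping the whole application, rather than decorating individual views, is what keeps /admin/ covered: the admin's views are not yours to decorate.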

Abusing /admin/

:(


Wuh-oh, kids.

[ REDACTED ]


Avoid getting burned

• I HAVE NO IDEA.

• security@djangoproject.com needs to check their email ;)


I have a hard job

Your job is harder.

Questions?

@adam_baldwin // ngenuity-is.com // evilpacket.net
