Uploaded bylevigross
PPTX, PDF6,785 views

Django Web Application Security

This document discusses security best practices for Django web applications. It begins by introducing the author and their background in Python, Django, and computer security. It then covers common web vulnerabilities and attacks like information disclosure, input validation issues, session hijacking, and denial of service. Throughout, it provides recommendations for how to configure Django and code defensively to mitigate these risks, such as using parameterized queries, input sanitization, secure sessions, and cross-site request forgery protection. It emphasizes adopting a layered security approach and being vigilant about updates and monitoring.

Technology
Related topics:
Web Application
In this document
Powered by AI

Overview of Django Security and speaker's credentials in Python and Django.

Identifies attackers, including bots and hackers, and stresses the challenge in achieving total security.

Discusses Django’s security mechanisms like SHA1 hashing, CSRF protection, and session security.

Highlights various web vulnerabilities such as CSRF, session hijacking, and denial of service.

Focus on the risks of information disclosure in web applications.

Details attack surfaces including admin site vulnerabilities and file location risks.

Guidelines on deploying secure applications, emphasizing custom settings and upload validations.

Discusses the importance and types of input validation to prevent attacks.

Django’s protections against XSS and showcasing secure versus insecure template code.

Recommends using ESAPI and sanitizers as strategies to enhance security.

Explains how Django implements parameterized queries to protect against SQL injection.

Discusses the risks of HTTP response splitting and Django's safeguards against it.

Addresses CRLF injection and Django's methods to prevent this vulnerability.

Highlights the dangers of directory traversal and measures to restrict access.

Explains use of X-FRAME-OPTIONS and framekillers to guard against clickjacking.

Focuses on session hijacking risks and emphasizing secure cookie practices.

Explains CSRF attacks and how Django provides protection against them.

Discusses DoS vulnerabilities and the importance of server hardening and rate limiting.

Highlights issues with password security and suggests best practices like 2FA.

Warns about zero-day vulnerabilities and emphasizes the importance of security layers.

Provides general security tips for managing web applications and monitoring.

Final slide open for audience questions, indicating readiness for discussion.

Downloaded 165 times
Django Web Application SecurityByLevi Gross
About MeBlog: http://www.levigross.com/Twitter:@levigrossEmail: levi@levigross.comPython for 5 yearsDjango for 2 ½Computer Security for 8 yearsPython and Django are amazing!
Who is attacking usBotsMalicious SEOSteal user infoHackersScriptKiddiesHackersÜberHackersWe will bankrupt ourselves in the vain search for absolute security. — Dwight D. Eisenhower
Django from a security standpoint Django Rocks!Salted SHA1 Hashes (Yummy)sha1 $ e3164 $ 9595556c4f693158c232f0885d266fe30671ca8aTake that Gawker!Secure session frameworkAutomatic variable escapingXXSSQL InjectionCSRF (Cross Site Request Forgery) ProtectionProtection against Email Header injectionProtection against Directory Traversal attacks“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. — Bruce Schneier
Web VulnerabilitiesInformation DisclosureInput ValidationClick JackingSession HijackingCSRFPasswordsDenial of Service0 daysIn theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute
Information DisclosureYour Parts are showing
Attack SurfaceAdmin SiteDefaults to /adminViews & URLSCan give someone an intimate view of your application.File LocationsRESTUse PistonSentry
How to protect yourselfNever deploy with the default settingsLong URLS are the best (but your not out of the woods)Change the file name/location of user contentValidate uploadsRemove unneeded softwareif not chroot
Input ValidationXXSSQL InjectionHTTP Response SplittingDirectory TraversalCRLF Injection
Cross Site ScriptingDjango Protects us by autoescaping outputreturn mark_safe(force_unicode(html).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace(' " ', '&quot;').replace(" ' ", '&#39;'))|safe/{% autoescape off %} is not Safe
Here comes the sleep deprivationMy Template CodeSecure:<span class={{value}}>{{ value }}</span>Not Secure:<span class="{{value|safe}}">{{value|safe}}</span> Using this value -> " onclick=alert(document.cookie) type="Secure: <span class=&quot; onclick=alert(document.cookie) type=&quot;>&quot; onclick=alert(document.cookie) type=&quot;</span>Not Secure:<span class="" onclick=alert(document.cookie) type="">" onclick=alert(document.cookie) type="</span>Oops…
How to protect yourself Use the ESAPI (Enterprise Security API)" onclick=alert(document.cookie) type="'&quot; onclick&#x3d;alert&#x28;document.cookie&#x29; type&#x3d;&quot;’http://code.google.com/p/owasp-esapi-python/Use QuotesUse Sanitizerslxmlhtml5libUse WhitelistsUse Markdown
SQL InjectionPython protects usParameterized queries according to PEP 249Django’s ORM Protects usparameterized queriesPerson.objects.filter(first_name__icontains=fname,last_name__icontains=lname)fname = % \ output -> \% \\SELECT "secpre_person"."id", "secpre_person"."first_name", "secpre_person"."last_name" FROM "secpre_person" WHERE ("secpre_person"."first_name" LIKE %\% \\% ESCAPE '\' AND "secpre_person"."last_name" LIKE %s% ESCAPE '\' )smart_unicode(x).replace("\\", "\\\\").replace("%", "\%").replace("_", "\_")NEVER BUILD QUERYIES USING STRING FORMATTINGquery = 'SELECT * FROM secpre_personWHERE last_name = %s' % lnamePerson.objects.raw(query) UseParameterizedqueriesPerson.objects.raw('SELECT * FROM secpre_personWHERE last_name = %s', [lname])
HTTP Response SplittingNew Lines in the HTTP HeadersHTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2003 15:26:41 GMT Location: http://10.1.1.1/someview/?lang=foobarContent-Length: 0 HTTP/1.1 200 OKContent-Type: text/htmlContent-Length: 19 <html>Control</html> Server: ApacheContent-Type: text/html This was just found on Reddit last weekKudos to Neal Poole from MatasanoDjango to the rescue Every HttpResponse object has this code if '\n' in value or '\r' in value: raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
CRLF InjectionHijack email formsto:”me@myaddress.com\ncc:bill.gates@microsoft.com\rcc:paul.allen@microsoft.com”Django to the rescue if '\n' in val or '\r' in val: raise BadHeaderError("Header values can't contain newlines (got %r for header %r)" % (val, name))
Directory Traversal../../../../../../../../../etc/passwdDjango should never serve static filesYour webserver should serve all static files and be locked into the web root directoryNever allow users to dictate what happendsDjango Static Serve isn’t powerlessdrive, part = os.path.splitdrive(part) head, part = os.path.split(part) if part in (os.curdir, os.pardir): # Strip '.' and '..' in path. continue
Click JackingUse X-FRAMEHTTP header X-FRAME-OPTIONS: DENYhttps://github.com/paulosman/django-xframeoptionsUse a Framekiller<script type="text/javascript"> if(top != self) top.location.replace(location); </script> Beware of sites that you visit
Session HijackingFireSheepCookie info not sent over HTTPSPass the hashSESSION_COOKIE_SECURE = TrueSESSION_COOKIE_HTTPONLY = TrueSessionsNever store private data in clear textNever display session data without escaping it
Cross Site Request Forgery<imgsrc="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">We are logged in so it worksDjango protects us (unless we are really stupid)HTTP/1.0 200 OKDate: Mon, 17 Jan 2011 21:55:14 GMTServer: WSGIServer/0.1 Python/2.7.1Expires: Mon, 17 Jan 2011 21:55:14 GMTVary: CookieLast-Modified: Mon, 17 Jan 2011 21:55:14 GMTETag: "4030d6e6a6c31292791e61e8bc58b6e8"Cache-Control: max-age=0Content-Type: text/html; charset=utf-8Set-Cookie: csrftoken=9260e87b366dd2be2515bffffec5a746; Max-Age=31449600; Path=/
Denial Of ServiceEverything is vulnerable Impossible to defend against every variantHarden your serverRate limitingDo this on a server levelIf you need to do this on a view levelhttps://gist.github.com/719502Fine tune access methods for your viewsrestrict the HTTP method to the appropriate view
PasswordsPasswords are your biggest nightmareDon’t trust themMake sure that you are using SHA1Even though it works md5 and crypt shouldn’t be used. crypt should NEVER be used!!! Rate limitingUse Django-axeshttp://code.google.com/p/django-axes/Never rely on just a passwordIf you can use 2 factor authentication do it.
0 Day ProtectionRun for the hillsGood security is like a big onionMany layersBitterLimit your exposureServer monitoringRemember a good programmer looks both ways before crossing a one way street.
Security TipsBe wary of updatesUpdate on security releasesBeware of 3rd party appsSeparate work from playDon’t rely on passwordsFail2BanStick with DjangoBe careful where you strayScan oftenSkipfish
Questions?

More Related Content

PPTX
Attacking thru HTTP Host header
bySergey Belov
 
PPTX
Ruby on Rails Penetration Testing
by3S Labs
 
PDF
RESTful API 설계
byJinho Yoo
 
PPTX
Ssrf
byIlan Mindel
 
PPT
DDoS Attacks
byJignesh Patel
 
PPTX
Denial of service attack
byAhmed Ghazey
 
PDF
Es6 to es5
byShakhzod Tojiyev
 
PDF
Securing AEM webapps by hacking them
byMikhail Egorov
 
Attacking thru HTTP Host header
bySergey Belov
 
Ruby on Rails Penetration Testing
by3S Labs
 
RESTful API 설계
byJinho Yoo
 
Ssrf
byIlan Mindel
 
DDoS Attacks
byJignesh Patel
 
Denial of service attack
byAhmed Ghazey
 
Es6 to es5
byShakhzod Tojiyev
 
Securing AEM webapps by hacking them
byMikhail Egorov
 

What's hot

PDF
Android Hacking
byantitree
 
PDF
Digital Threat Landscape
byQuick Heal Technologies Ltd.
 
PDF
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
PDF
Twitter의 snowflake 소개 및 활용
by흥배 최
 
PDF
JavaScript - Chapter 11 - Events
byWebStackAcademy
 
PPTX
Malware analysis
byPrakashchand Suthar
 
PDF
Login and Registration form using oop in php
byherat university
 
ODP
An Introduction to WebAssembly
byDaniel Budden
 
PPTX
Intro to Node.js (v1)
byChris Cowan
 
PDF
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
PDF
Malicious Payloads vs Deep Visibility: A PowerShell Story
byDaniel Bohannon
 
PDF
[NDC08] 최적화와 프로파일링 - 송창규
byChangKyu Song
 
PDF
Version control system
byAndrew Liu
 
PDF
Racing The Web - Hackfest 2016
byAaron Hnatiw
 
PDF
초보자를 위한 정규 표현식 가이드 (자바스크립트 기준)
by민태 김
 
PDF
Web develop in flask
byJim Yeh
 
PPTX
SSRF For Bug Bounties
byOWASP Nagpur
 
PPTX
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
byCODE BLUE
 
PDF
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
PPTX
Html
byLincoln School
 
Android Hacking
byantitree
 
Digital Threat Landscape
byQuick Heal Technologies Ltd.
 
CSRF, ClickJacking & Open Redirect
byBlueinfy Solutions
 
Twitter의 snowflake 소개 및 활용
by흥배 최
 
JavaScript - Chapter 11 - Events
byWebStackAcademy
 
Malware analysis
byPrakashchand Suthar
 
Login and Registration form using oop in php
byherat university
 
An Introduction to WebAssembly
byDaniel Budden
 
Intro to Node.js (v1)
byChris Cowan
 
Introduction to Cross Site Scripting ( XSS )
byIrfad Imtiaz
 
Malicious Payloads vs Deep Visibility: A PowerShell Story
byDaniel Bohannon
 
[NDC08] 최적화와 프로파일링 - 송창규
byChangKyu Song
 
Version control system
byAndrew Liu
 
Racing The Web - Hackfest 2016
byAaron Hnatiw
 
초보자를 위한 정규 표현식 가이드 (자바스크립트 기준)
by민태 김
 
Web develop in flask
byJim Yeh
 
SSRF For Bug Bounties
byOWASP Nagpur
 
[CB16] Invoke-Obfuscation: PowerShell obFUsk8tion Techniques & How To (Try To...
byCODE BLUE
 
Hunting for Privilege Escalation in Windows Environment
byTeymur Kheirkhabarov
 
Html
byLincoln School
 

Similar to Django Web Application Security

PPTX
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
ODP
dJango
byBob Chao
 
PPT
Xss is more than a simple threat
byAvădănei Andrei
 
PPT
Xss is more than a simple threat
byRomanian Cyber Conference
 
PPTX
Pentesting for startups
bylevigross
 
PPT
PHP Security
byMindfire Solutions
 
PDF
You wanna crypto in AEM
byDamien Antipa
 
PPT
Ajax to the Moon
bydavejohnson
 
PPTX
Cqcon2015
byAntonio Sanso
 
PPT
Spyware
bynayakslideshare
 
PPT
Spyware
byguest6fde72
 
PPTX
Javascript Security
byjgrahamc
 
PPT
Top Ten Tips For Tenacious Defense In Asp.Net
byalsmola
 
PPT
Fav
byhelloppt
 
PPT
&lt;img src="xss.com">
by"&lt;u>aaa&lt;/u>
 
PPT
Teflon - Anti Stick for the browser attack surface
bySaumil Shah
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PPTX
Roberto Bicchierai - Defending web applications from attacks
byPietro Polsinelli
 
PDF
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
PPT
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
byStart Pad
 
Avoiding Cross Site Scripting - Not as easy as you might think
byErlend Oftedal
 
dJango
byBob Chao
 
Xss is more than a simple threat
byAvădănei Andrei
 
Xss is more than a simple threat
byRomanian Cyber Conference
 
Pentesting for startups
bylevigross
 
PHP Security
byMindfire Solutions
 
You wanna crypto in AEM
byDamien Antipa
 
Ajax to the Moon
bydavejohnson
 
Cqcon2015
byAntonio Sanso
 
Spyware
bynayakslideshare
 
Spyware
byguest6fde72
 
Javascript Security
byjgrahamc
 
Top Ten Tips For Tenacious Defense In Asp.Net
byalsmola
 
Fav
byhelloppt
 
&lt;img src="xss.com">
by"&lt;u>aaa&lt;/u>
 
Teflon - Anti Stick for the browser attack surface
bySaumil Shah
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
Roberto Bicchierai - Defending web applications from attacks
byPietro Polsinelli
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
byFrancois Marier
 
StartPad Countdown 2 - Startup Security: Hacking and Compliance in a Web 2.0 ...
byStart Pad
 

Recently uploaded

PPTX
This Could Have Been a Slack Message: Diagnosing and Treating Bad Meetings
byMike Clement
 
PPTX
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
PDF
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
PDF
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
PDF
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
PDF
How computers tell who they are using TPM2.pdf
byMindtrek
 
PDF
Dream Companion Reviews, Pricing, & Alternatives
byDream Companion
 
PPTX
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
PPTX
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
PDF
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
PPTX
Momentum Developer Con 2025 - How To Better Developer Estimates
byBrian McKeiver
 
PDF
AI assisted software — Cathedral or Bazaar?.pdf
byMindtrek
 
PDF
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
PDF
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
PDF
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
PPTX
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
PDF
Using Copilot with Microsoft Office Apps
byDeb Walther
 
PDF
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
PDF
“Introduction to Depth Sensing: Technologies, Trade-offs and Applications,” a...
byEdge AI and Vision Alliance
 
PDF
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 
This Could Have Been a Slack Message: Diagnosing and Treating Bad Meetings
byMike Clement
 
CLOUD STUDY JAM 2025 GOOGLE DEVELOPER GROUPS ON CAMPUS NSEC
byasutoshkumar560
 
Session 4 - Specialized AI Associate Series: UiPath Document Understanding O...
byDianaGray10
 
Cassandra vs. ScyllaDB: Evolutionary Differences
byScyllaDB
 
Atlantix is an AI-first venture studio, building companies with AI at the core
byadmin625551
 
How computers tell who they are using TPM2.pdf
byMindtrek
 
Dream Companion Reviews, Pricing, & Alternatives
byDream Companion
 
UiPath Automation Suite Installation (Hands-On) [2/3]
bysuhanisingh58689
 
Building Europe with Open LLMs - Manu Setälä.pptx
byMindtrek
 
What's New? ThousandEyes Features and Highlights: October 2025
byThousandEyes
 
Momentum Developer Con 2025 - How To Better Developer Estimates
byBrian McKeiver
 
AI assisted software — Cathedral or Bazaar?.pdf
byMindtrek
 
AGV PROTOCOL BRAND KIT COMPLETE VIEW.pdf
byfagbolade
 
Manage VMs on Kubernetes - Introduction to KubeVirt - Meetup MUC 10.2025
byTobias Schneck
 
A fool with a tool is still a fool - Plone Conference 2025
byAndreas Jung
 
WUG-DMV: Workfront Wizards: Tips & Tricks Exchange (Sept 2025)
byWUG-DC MARYLAND VIRGINIA
 
Using Copilot with Microsoft Office Apps
byDeb Walther
 
The invisible key: Securing the new attack vector of OAuth tokens
byGianluca Varisco
 
“Introduction to Depth Sensing: Technologies, Trade-offs and Applications,” a...
byEdge AI and Vision Alliance
 
UiPath DevConnect 2025: Introduction to Agentic Automation
byDianaGray10
 

Django Web Application Security

  • 1.
    Django Web ApplicationSecurityByLevi Gross
  • 2.
    About MeBlog: http://www.levigross.com/Twitter:@levigrossEmail:levi@levigross.comPython for 5 yearsDjango for 2 ½Computer Security for 8 yearsPython and Django are amazing!
  • 3.
    Who is attackingusBotsMalicious SEOSteal user infoHackersScriptKiddiesHackersÜberHackersWe will bankrupt ourselves in the vain search for absolute security. — Dwight D. Eisenhower
  • 4.
    Django from asecurity standpoint Django Rocks!Salted SHA1 Hashes (Yummy)sha1 $ e3164 $ 9595556c4f693158c232f0885d266fe30671ca8aTake that Gawker!Secure session frameworkAutomatic variable escapingXXSSQL InjectionCSRF (Cross Site Request Forgery) ProtectionProtection against Email Header injectionProtection against Directory Traversal attacks“If you think technology can solve your security problems, then you don’t understand the problems and you don’t understand the technology”. — Bruce Schneier
  • 5.
    Web VulnerabilitiesInformation DisclosureInputValidationClick JackingSession HijackingCSRFPasswordsDenial of Service0 daysIn theory, one can build provably secure systems. In theory, theory can be applied to practice but in practice, it can't. — M. Dacier, Eurecom Institute
  • 6.
  • 7.
    Attack SurfaceAdmin SiteDefaultsto /adminViews & URLSCan give someone an intimate view of your application.File LocationsRESTUse PistonSentry
  • 8.
    How to protectyourselfNever deploy with the default settingsLong URLS are the best (but your not out of the woods)Change the file name/location of user contentValidate uploadsRemove unneeded softwareif not chroot
  • 9.
    Input ValidationXXSSQL InjectionHTTPResponse SplittingDirectory TraversalCRLF Injection
  • 10.
    Cross Site ScriptingDjangoProtects us by autoescaping outputreturn mark_safe(force_unicode(html).replace('&', '&amp;').replace('<', '&lt;').replace('>', '&gt;').replace(' " ', '&quot;').replace(" ' ", '&#39;'))|safe/{% autoescape off %} is not Safe
  • 11.
    Here comes thesleep deprivationMy Template CodeSecure:<span class={{value}}>{{ value }}</span>Not Secure:<span class="{{value|safe}}">{{value|safe}}</span> Using this value -> " onclick=alert(document.cookie) type="Secure: <span class=&quot; onclick=alert(document.cookie) type=&quot;>&quot; onclick=alert(document.cookie) type=&quot;</span>Not Secure:<span class="" onclick=alert(document.cookie) type="">" onclick=alert(document.cookie) type="</span>Oops…
  • 12.
    How to protectyourself Use the ESAPI (Enterprise Security API)" onclick=alert(document.cookie) type="'&quot; onclick&#x3d;alert&#x28;document.cookie&#x29; type&#x3d;&quot;’http://code.google.com/p/owasp-esapi-python/Use QuotesUse Sanitizerslxmlhtml5libUse WhitelistsUse Markdown
  • 13.
    SQL InjectionPython protectsusParameterized queries according to PEP 249Django’s ORM Protects usparameterized queriesPerson.objects.filter(first_name__icontains=fname,last_name__icontains=lname)fname = % \ output -> \% \\SELECT "secpre_person"."id", "secpre_person"."first_name", "secpre_person"."last_name" FROM "secpre_person" WHERE ("secpre_person"."first_name" LIKE %\% \\% ESCAPE '\' AND "secpre_person"."last_name" LIKE %s% ESCAPE '\' )smart_unicode(x).replace("\\", "\\\\").replace("%", "\%").replace("_", "\_")NEVER BUILD QUERYIES USING STRING FORMATTINGquery = 'SELECT * FROM secpre_personWHERE last_name = %s' % lnamePerson.objects.raw(query) UseParameterizedqueriesPerson.objects.raw('SELECT * FROM secpre_personWHERE last_name = %s', [lname])
  • 14.
    HTTP Response SplittingNewLines in the HTTP HeadersHTTP/1.1 302 Moved TemporarilyDate: Wed, 24 Dec 2003 15:26:41 GMT Location: http://10.1.1.1/someview/?lang=foobarContent-Length: 0 HTTP/1.1 200 OKContent-Type: text/htmlContent-Length: 19 <html>Control</html> Server: ApacheContent-Type: text/html This was just found on Reddit last weekKudos to Neal Poole from MatasanoDjango to the rescue Every HttpResponse object has this code if '\n' in value or '\r' in value: raise BadHeaderError("Header values can't contain newlines (got %r)" % (value))
  • 15.
    CRLF InjectionHijack emailformsto:”me@myaddress.com\ncc:bill.gates@microsoft.com\rcc:paul.allen@microsoft.com”Django to the rescue if '\n' in val or '\r' in val: raise BadHeaderError("Header values can't contain newlines (got %r for header %r)" % (val, name))
  • 16.
    Directory Traversal../../../../../../../../../etc/passwdDjango shouldnever serve static filesYour webserver should serve all static files and be locked into the web root directoryNever allow users to dictate what happendsDjango Static Serve isn’t powerlessdrive, part = os.path.splitdrive(part) head, part = os.path.split(part) if part in (os.curdir, os.pardir): # Strip '.' and '..' in path. continue
  • 17.
    Click JackingUse X-FRAMEHTTPheader X-FRAME-OPTIONS: DENYhttps://github.com/paulosman/django-xframeoptionsUse a Framekiller<script type="text/javascript"> if(top != self) top.location.replace(location); </script> Beware of sites that you visit
  • 18.
    Session HijackingFireSheepCookie infonot sent over HTTPSPass the hashSESSION_COOKIE_SECURE = TrueSESSION_COOKIE_HTTPONLY = TrueSessionsNever store private data in clear textNever display session data without escaping it
  • 19.
    Cross Site RequestForgery<imgsrc="http://bank.example.com/withdraw?account=bob&amount=1000000&for=mallory">We are logged in so it worksDjango protects us (unless we are really stupid)HTTP/1.0 200 OKDate: Mon, 17 Jan 2011 21:55:14 GMTServer: WSGIServer/0.1 Python/2.7.1Expires: Mon, 17 Jan 2011 21:55:14 GMTVary: CookieLast-Modified: Mon, 17 Jan 2011 21:55:14 GMTETag: "4030d6e6a6c31292791e61e8bc58b6e8"Cache-Control: max-age=0Content-Type: text/html; charset=utf-8Set-Cookie: csrftoken=9260e87b366dd2be2515bffffec5a746; Max-Age=31449600; Path=/
  • 20.
    Denial Of ServiceEverythingis vulnerable Impossible to defend against every variantHarden your serverRate limitingDo this on a server levelIf you need to do this on a view levelhttps://gist.github.com/719502Fine tune access methods for your viewsrestrict the HTTP method to the appropriate view
  • 21.
    PasswordsPasswords are yourbiggest nightmareDon’t trust themMake sure that you are using SHA1Even though it works md5 and crypt shouldn’t be used. crypt should NEVER be used!!! Rate limitingUse Django-axeshttp://code.google.com/p/django-axes/Never rely on just a passwordIf you can use 2 factor authentication do it.
  • 22.
    0 Day ProtectionRunfor the hillsGood security is like a big onionMany layersBitterLimit your exposureServer monitoringRemember a good programmer looks both ways before crossing a one way street.
  • 23.
    Security TipsBe waryof updatesUpdate on security releasesBeware of 3rd party appsSeparate work from playDon’t rely on passwordsFail2BanStick with DjangoBe careful where you strayScan oftenSkipfish
  • 24.

Editor's Notes

  • #5 Salted hashes make it harder to guess the password by making each password unique. They are immune to rainbow table (pre-generated hashes) attacks.
  • #8 Don’t try to create your own version of REST. Use something like Django-Piston which has a proven track record. Also never use your object ID’s in urls. If needed use UUID’s
  • #13 The regular Django auto escape helps in almost every case. However you need to protect yourself in every case. That’s why using the ESAPI is one of the best solutions to the overall problem.
  • #14 The Django ORM is escaping my LIKE query using the function on the bottom. All other queries are parameterized.
  • #19 SESSION_COOKIE_HTTPONLY should be set if you don’t want JavaScript to touch your cookie.
  • #20 Without that cookie you get a 403 if you want to post to that form.
  • #22 Easy 2 factor auth is sending a SMS to a persons cellphone. If your going to use OAUTH then remember to send everything secure (HTTPS).
  • #24 Django has a lot of security built in so if you ever replace any part of it make sure it’s secure enough to be on your website.