DjangoMeetup Buenos Aires - Django Security Quick wins

Transcript

1. Django Security quick wins Andrés Riancho Django Meetup Buenos Aires

2. Quick wins disclaimer  No es todo lo que puedo

   hacer  En algunos casos, no es lo mejor que puedo hacer  Pero es mejor que nada!

3. Más allá de settings.py  Hoy  Django settings.py 

   SESSION_COOKIE_SECURE  CSRF_COOKIE_SECURE  ALLOWED_HOSTS  X_FRAME_OPTIONS  SECRET_KEY  django-secure  Algún futuro cercano  django-axes  Cross-Site Scripting  SQL injection
4. None

5. SESSION_COOKIE_SECURE  SESSION_COOKIE_SECURE  Default: False  Whether to use

   a secure cookie for the session cookie. If this is set to True, the cookie will be marked as “secure,” which means browsers may ensure that the cookie is only sent under an HTTPS connection.  Solo tiene sentido para sites con HTTPS!

6. CSRF_COOKIE_SECURE  CSRF_COOKIE_SECURE  Default: False  Whether to use

   a secure cookie for the CSRF cookie. If this is set to True, the cookie will be marked as “secure,” which means browsers may ensure that the cookie is only sent under an HTTPS connection.  Solo tiene sentido para sites con HTTPS!

7. SESSION_COOKIE_HTTPONLY  SESSION_COOKIE_HTTPONLY  Default: True  Whether to use

   HTTPOnly flag on the session cookie. If this is set to True, client-side JavaScript will not to be able to access the session cookie.  El default es seguro, verificá tu aplicacion. Entendé y documentá porque es necesario tenerlo en False.

8. ALLOWED_HOSTS  ALLOWED_HOSTS  Default: []  A list of

   strings representing the host/domain names that this Django site can serve. This is a security measure to prevent an attacker from poisoning caches and password reset emails with links to malicious hosts by submitting requests with a fake HTTP Host header.  Warning! ‘*’ en tu ALLOWED_HOSTS?

9. X_FRAME_OPTIONS  X_FRAME_OPTIONS  Default: 'SAMEORIGIN‘  Warning! El default

   en general es lo esperado en cuanto a seguridad, tenes otro valor? Porque?
10. None

11. SECRET_KEY  SECRET_KEY  Default: '' (Empty string)  A

    secret key for a particular Django installation. This is used to provide cryptographic signing, and should be set to a unique, unpredictable value.  django-admin.py startproject automatically adds a randomly-generated SECRET_KEY to each new project.

12. Remote code execution! >> import cPickle Expected use >> cPickle.dumps(

    ('a', 1) ) (S'a'\nI1\ntp1\n." >> cPickle.loads("(S'a'\nI1\ntp1\n.") 'a', 1) The vulnerability is here: >> cPickle.loads("cos\nsystem\n(S'ls'\ntR.'\ntR.") .. foo bar spam eggs >>

13. SECRET_KEY attack random Github projects ALLOWED_HOSTS

14. SECRET_KEY is known by devs!

15. django-secure

16. Django-secure in 1 slide  HTTP Strict Transport Security 

    SSL Redirect  X-Content-Type-Options: nosnif  X-XSS-Protection: 1; mode=block
17. None

18. 18 /me @w3af [email protected] https://www.tagcube.io/ Contact