Pony Pwning Djangocon 2010
Transcript

  • 1. Pony Pwning Djangocon 2010 // Adam Baldwin Wednesday, September 8, 2010
  • 2. Hi, I’m not that Adam Baldwin. I’m this one: @adam_baldwin ngenuity-is.com evilpacket.net
  • 3. I break stuff
  • 4. Django = pile of awesome
  • 5. Django isn’t perfect
  • 6. Developers aren’t perfect
  • 7. I WANT TO HELP YOU AVOID HUGE ASS MISTAKES (Captain Howdy McAssumptions, the nGenuity Mascot)
  • 8. INTRODUCING! Completely made up statistics
  • 9. 60% of security failures: project constraints!
  • 10.
  • 11. 30% of security failures: incompetence or ignorance
  • 12. See http://evilpacket.net/2010/jan/14/mifi-geopwn/
  • 13. 9% of security failures: needle in the haystack
  • 14. See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/ and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/
  • 15. 1% of security failures: 0 days
  • 16. Let’s talk about the 90%
  • 17. Sad Pony Warning
  • 18. Cross-site scripting
  • 19. The Big Five: " double quote, ' single quote, & ampersand, < less than, > greater than
  • 20. {% autoescape off %}, the |safe filter, mark_safe()
  • 21. Context matters. <a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a> versus <a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>. Missing quotes in the second URL make it possible to inject malicious code. Which is bad.
  • 22. Swingset: OWASP ESAPI Swingset by Craig Younkins http://www.owasp.org/index.php/ESAPI_Swingset
  • 23. Browser behavior. This works in IE8, without the “big five”, and executes without user interaction. <style /><a href="[user provided data here]">click</a> becomes <style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
  • 24. Avoid getting burned: • Consider OWASP ESAPI • Audit templates • Audit reusables and snippets • Educate designers
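An added example for slides 21 and 23 (this is not code from the talk or from Django): it shows that escaping the Big Five is enough inside a quoted attribute but not in the unquoted one, and that the IE8 payload passes through escaping untouched. It runs without Django; `escape()` reimplements what Django's autoescaping does to those five characters, and the `{url}`/`{name}` placeholders, the `FirstAnchor` parser and the attacker value are constructed for the example.

```python
# Added example, not from the talk: why escaping "the Big Five" saves the quoted
# template on slide 21 but not the unquoted one, and why slide 23's payload is
# untouched by it. Runs without Django.
from html.parser import HTMLParser

# The five characters Django's default autoescaping replaces.
BIG_FIVE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}


def escape(value: str) -> str:
    """Replace only the Big Five, the way Django's autoescape does."""
    return "".join(BIG_FIVE.get(ch, ch) for ch in str(value))


# Slide 21's two templates as plain format strings; {url}/{name} stand in for
# {{object.absolute_url}}/{{object.name}} rendered with autoescaping on.
QUOTED = '<a href="{url}" alt="{name}">{name}</a>'
UNQUOTED = "<a href={url} alt={name}>{name}</a>"


def render(template: str, url: str, name: str) -> str:
    return template.format(url=escape(url), name=escape(name))


class FirstAnchor(HTMLParser):
    """Record the attribute names a browser would see on the first <a>."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "a" and self.attrs is None:
            self.attrs = [k for k, _ in attrs]


def attribute_names(html: str) -> list:
    parser = FirstAnchor()
    parser.feed(html)
    parser.close()
    return parser.attrs or []


def injected_attributes(template: str, name: str) -> list:
    """Attribute names that exist only because of the user-supplied name."""
    html = render(template, "/profile/1/", name)
    return [a for a in attribute_names(html) if a not in ("href", "alt")]


# Constructed attacker value: no Big Five characters, so escape() changes
# nothing, but the space terminates an unquoted attribute value and the rest
# becomes a new event-handler attribute.
PAYLOAD = "pony onmouseover=alert(1)"

# Slide 23's payload in decoded form (%3B -> ';', %3D -> '='), also free of
# the Big Five; the base64 decodes to *{x:expression(alert(1))}.
IE8_PAYLOAD = "}@import/**/data:text/css;base64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ==;"

if __name__ == "__main__":
    print(render(QUOTED, "/profile/1/", PAYLOAD))
    print(render(UNQUOTED, "/profile/1/", PAYLOAD))
    print(injected_attributes(UNQUOTED, PAYLOAD))
```

The parser is there to show what the browser does rather than what the string looks like: the quoted template yields only `href` and `alt`, the unquoted one grows an `onmouseover`, and `escape(IE8_PAYLOAD)` returns it unchanged. Quoting every attribute and using a context-aware encoder (the ESAPI Swingset above) are the fixes the slides point to.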
  • 25. File Uploads
  • 26. Evil Avatars. Images can contain PHP. ImageField does not care. ImageField does not check extensions. File uploads often are put in unprotected directories.
  • 27. Avoid getting burned: • Check file extensions • Disable PHP (no script execution in the upload directory)
  • 28. File upload TMI: upload secret_report.pdf and the stored name comes back as secret_report_1.pdf, which tells you someone else already uploaded a file with that name.
  • 29. Avoid getting burned: • Put user content behind a file API • Obfuscate filenames of uploads
  • 30. Direct Object Access
  • 31. General TMI: “Not Found” vs. “Forbidden” / “Access denied”. Answering differently for objects that exist but aren’t yours confirms which ids exist.
  • 32. Avoid getting burned: • Return consistent results (preferably “Not Found”) • Log security violations
  • 33. Doing stupid things: privileged operations with HTTP GET, e.g. /object/delete/2
  • 34. Avoid getting burned: • Don’t do stupid things. • Consider Django-Piston for REST
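An added example covering slides 31 to 34 in one endpoint (not code from the talk): a delete view that refuses anything but POST, scopes the lookup to the caller, answers Not Found for missing and foreign objects alike, and logs the foreign case. It is a plain-Python stand-in for a Django view so it runs here; `Request`, `Response`, the `DOCS`-style store and `VIOLATIONS` are hypothetical names, not Django APIs.

```python
# Added example, not from the talk: /object/delete/<id> done the way slides
# 31-34 recommend. Plain Python stand-in for a Django view.
import logging
from dataclasses import dataclass

log = logging.getLogger("security")
VIOLATIONS = []   # in-memory copy of what gets logged, for inspection


@dataclass
class Request:
    method: str
    user: str
    ip: str = "203.0.113.5"   # constructed client address


@dataclass
class Response:
    status: int
    body: str = ""


class NotFound(Exception):
    pass


def get_owned_or_404(docs: dict, doc_id: int, request: Request) -> dict:
    """Owner-scoped lookup that answers Not Found for missing *and* foreign ids.

    A 403 for someone else's object confirms the id exists (slide 31). The
    two cases stay distinguishable server-side, so the foreign one is logged
    (slide 32) while the client sees the same 404 either way.
    """
    doc = docs.get(doc_id)
    if doc is None:
        raise NotFound
    if doc["owner"] != request.user:
        event = {"user": request.user, "ip": request.ip,
                 "object": doc_id, "owner": doc["owner"]}
        VIOLATIONS.append(event)
        log.warning("access violation %s", event)
        raise NotFound
    return doc


def delete_view(request: Request, doc_id: int, docs: dict) -> Response:
    """State change only on POST (slide 33)."""
    if request.method != "POST":
        # A GET that deletes fires from an <img src>, a link or a prefetcher,
        # and Django's CSRF middleware does not check GET at all.
        return Response(405, "use POST")
    try:
        get_owned_or_404(docs, doc_id, request)
    except NotFound:
        return Response(404, "Not Found")
    del docs[doc_id]
    return Response(204)


if __name__ == "__main__":
    docs = {1: {"owner": "alice"}, 2: {"owner": "bob"}}   # constructed data
    print(delete_view(Request("GET", "alice"), 1, docs))
    print(delete_view(Request("POST", "alice"), 2, docs), VIOLATIONS)
    print(delete_view(Request("POST", "alice"), 1, docs), docs)
```

In a real Django view the same shape is `get_object_or_404(Doc, pk=doc_id, owner=request.user)` behind a POST-only check; the point of the example is that the 404 for bob's document and the 404 for id 99 are byte-identical to the caller, while only the first one lands in the security log.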
  • 35. Clickjacking: What the hell is it?
  • 36. Click jackets: /admin/ is vulnerable. Pre-filling forms removes most user interaction.
  • 37. Avoid getting burned: • Set the X-Frame-Options: DENY header • Use django-xframeoptions middleware • Implement frame breakout code
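An added example for slide 37 (not code from the talk or from django-xframeoptions): a WSGI middleware that adds `X-Frame-Options: DENY` to every response unless the view set its own, plus the `Content-Security-Policy: frame-ancestors` directive that current browsers prefer. It is written against plain WSGI so it runs without Django; Django itself has shipped `django.middleware.clickjacking.XFrameOptionsMiddleware` since 1.4. `admin_app` and `call()` are constructed stand-ins.

```python
# Added example, not from the talk: anti-framing headers as WSGI middleware.


def xframe_options(app, value: str = "DENY"):
    """Wrap a WSGI app so every response forbids framing unless the view opted out."""
    if value not in ("DENY", "SAMEORIGIN"):
        raise ValueError("X-Frame-Options understands only DENY and SAMEORIGIN")
    csp = "frame-ancestors 'none'" if value == "DENY" else "frame-ancestors 'self'"

    def wrapped(environ, start_response):
        def guarded_start_response(status, headers, exc_info=None):
            names = {k.lower() for k, _ in headers}
            extra = []
            if "x-frame-options" not in names:          # a view may set its own
                extra.append(("X-Frame-Options", value))
            if "content-security-policy" not in names:  # CSP is the modern equivalent
                extra.append(("Content-Security-Policy", csp))
            return start_response(status, list(headers) + extra, exc_info)
        return app(environ, guarded_start_response)
    return wrapped


def admin_app(environ, start_response):
    """Constructed stand-in for /admin/: a form an attacker could pre-fill and overlay."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method=post><input name=username value=pwned>"
            b"<button>Add user</button></form>"]


def call(app, path: str = "/admin/"):
    """Drive a WSGI app once; return (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"PATH_INFO": path, "REQUEST_METHOD": "GET"}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print(call(admin_app)[1])                    # no protection
    print(call(xframe_options(admin_app))[1])    # DENY + CSP added
```

The header does nothing for the user who is already on the page; it tells the browser to refuse rendering the admin inside someone else's frame, which is what defeats the overlay. Frame-breakout JavaScript (the third bullet) is a fallback for browsers that ignore both headers, not a replacement for them.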
  • 38. Abusing /admin/ :(
  • 39. Wuh-oh, kids. [ REDACTED ]
  • 40. Avoid getting burned: • I HAVE NO IDEA. • security@djangoproject.com needs to check their email ;)
  • 41.
  • 42. I have a hard job
  • 43. Your job is harder.
  • 44. Questions? @adam_baldwin // ngenuity-is.com // evilpacket.net