19. The Big Five
" double quote
' single quote
& ampersand
< less than
> greater than
Wednesday, September 8, 2010
20. {% autoescape off %}
|safe filter
mark_safe( )
21. Context matters.
<a href="{{object.absolute_url}}" alt="{{object.name}}">
{{object.name}}</a>
<a href={{object.absolute_url}} alt={{object.name}}>
{{object.name}}</a>
Missing quotes around the attribute values in the second link make it
possible to inject malicious code: autoescaping leaves spaces and = alone,
so a value can start a new attribute.
Which is bad.
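The three slides above (the big five, autoescaping, and quoting context) fit in one runnable illustration. This is an added example, not code from the talk or from Django: escape() below is a stand-in with the same five replacements Django's autoescaping performs, and render_quoted()/render_unquoted() are the two anchor templates from the slide rendered by hand. attribute_names() is a deliberately small attribute scanner used only to show what a browser would see; the display name EVIL_NAME is constructed and contains none of the big five.

```python
import re
from typing import List

# The "big five" and the entities autoescaping turns them into. Django's
# escape() emits equivalent entities; this table is an added stand-in so the
# example runs without Django installed.
BIG_FIVE = [
    ("&", "&amp;"),   # ampersand first, so the others are not double-escaped
    ("<", "&lt;"),
    (">", "&gt;"),
    ('"', "&quot;"),
    ("'", "&#39;"),
]


def escape(value: str) -> str:
    """Escape the big five, as an autoescape-on template would."""
    for ch, entity in BIG_FIVE:
        value = value.replace(ch, entity)
    return value


def render_quoted(url: str, name: str) -> str:
    """First template on the slide: attribute values are quoted."""
    return f'<a href="{escape(url)}" alt="{escape(name)}">{escape(name)}</a>'


def render_unquoted(url: str, name: str) -> str:
    """Second template on the slide: same escaping, no quotes."""
    return f"<a href={escape(url)} alt={escape(name)}>{escape(name)}</a>"


# Attribute name, optionally followed by a quoted or unquoted value.
_ATTR_RE = re.compile(r'([A-Za-z][\w-]*)(?:="[^"]*"|=[^\s>]*)?')


def attribute_names(html: str) -> List[str]:
    """Attribute names a browser would see on the first tag in `html`.

    Escaped output never contains a raw '>', so the first '>' closes the tag.
    """
    open_tag = html[html.index("<") + 1 : html.index(">")]
    _tag_name, _, attrs = open_tag.partition(" ")
    return _ATTR_RE.findall(attrs)


# Constructed attacker-controlled display name: no big-five characters at
# all, just a space and an '='.
EVIL_NAME = "me title=injected"

if __name__ == "__main__":
    print(render_quoted("/u/1/", EVIL_NAME))
    print(attribute_names(render_quoted("/u/1/", EVIL_NAME)))    # ['href', 'alt']
    print(render_unquoted("/u/1/", EVIL_NAME))
    print(attribute_names(render_unquoted("/u/1/", EVIL_NAME)))  # ['href', 'alt', 'title']
```

The quoted template keeps the whole name inside the alt value, and a name containing a double quote is neutralised by `&quot;`. The unquoted template is escaped exactly the same way, yet the browser sees a third attribute, because nothing in the big five stops at a space. The defence is the quoting, not more escaping.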
22. swingset
OWASP ESAPI Swingset by Craig Younkins
http://www.owasp.org/index.php/ESAPI_Swingset
23. Browser behavior
This works in IE8 without any of the "big five" characters, and executes
without user interaction.
<style /><a href="[user provided data here]">click</a>
<style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
26. Evil Avatars
Images can contain PHP.
ImageField does not care.
ImageField does not check extensions.
File uploads are often put in unprotected directories.
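An added example of the checks the slide says ImageField does not do, written without Django so it runs stand-alone (it is not Django's or the talk's code). safe_avatar_name() rejects a non-image extension, rejects content whose header is not PNG/JPEG/GIF, rejects a mismatch between the two, and returns a random storage name whose extension comes from the detected content rather than from the user. The MAGIC table, the EXTENSION_TYPE map and the FAKE_PNG/FAKE_PHP samples are all constructed for the example.

```python
import secrets
from pathlib import PurePosixPath
from typing import Optional

# Constructed magic-byte table for the formats an avatar field should accept.
# The content is inspected, not the user-supplied name or extension.
MAGIC = [
    (b"\x89PNG\r\n\x1a\n", "png"),
    (b"\xff\xd8\xff", "jpg"),
    (b"GIF87a", "gif"),
    (b"GIF89a", "gif"),
]
# Extensions a user may send, mapped to the detected type they must match.
EXTENSION_TYPE = {"png": "png", "jpg": "jpg", "jpeg": "jpg", "gif": "gif"}


class RejectedUpload(ValueError):
    """Raised when an upload should not be stored at all."""


def detect_image_type(data: bytes) -> Optional[str]:
    """Return 'png', 'jpg' or 'gif' from the file header, or None."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return None


def safe_avatar_name(original_name: str, data: bytes) -> str:
    """Validate an avatar and return the name it should be stored under.

    The returned name is random and its extension comes from the detected
    content type, so "shell.php" or "shell.php.png" never reaches disk under
    a name the attacker chose.
    """
    ext = PurePosixPath(original_name).suffix.lower().lstrip(".")
    if ext not in EXTENSION_TYPE:
        raise RejectedUpload(f"extension {ext!r} is not an image extension")
    kind = detect_image_type(data)
    if kind is None:
        raise RejectedUpload("content does not start with a PNG/JPEG/GIF header")
    if EXTENSION_TYPE[ext] != kind:
        raise RejectedUpload(f"extension {ext!r} does not match {kind} content")
    return f"{secrets.token_hex(16)}.{kind}"


def is_accepted(original_name: str, data: bytes) -> bool:
    """Convenience wrapper for callers that only need a yes/no answer."""
    try:
        safe_avatar_name(original_name, data)
        return True
    except RejectedUpload:
        return False


# Constructed sample: a PNG signature followed by filler, enough to exercise
# the header check (it is not a complete, decodable image).
FAKE_PNG = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
# Constructed sample: a PHP file uploaded under an image name.
FAKE_PHP = b"<?php /* not an image */ ?>"

if __name__ == "__main__":
    print(safe_avatar_name("me.png", FAKE_PNG))   # random hex name ending in .png
    print(is_accepted("shell.php", FAKE_PNG))     # False: extension
    print(is_accepted("shell.png", FAKE_PHP))     # False: content
```

A header check filters out plain script files, but a well-formed PNG or JPEG can still carry `<?php` in a comment or metadata chunk and pass it. What actually closes the slide's last point is where the file lands: the upload directory must be served as static content with script execution off, and the random name above means the attacker neither picks the extension nor the path. Re-encoding the image through an image library before storage additionally drops the metadata such text usually hides in.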