Recommended
More Related Content
Similar to Pony Pwning Djangocon 2010
Similar to Pony Pwning Djangocon 2010 (20)
More from Adam Baldwin
More from Adam Baldwin (14)
Recently uploaded
Recently uploaded (20)
Pony Pwning Djangocon 2010
- 1. Pony Pwning Djangocon 2010 // Adam Baldwin Wednesday, September 8, 2010
- 2. Hi, I’m not that Adam Baldwin. I’m this one: @adam_baldwin ngenuity-is.com evilpacket.net Wednesday, September 8, 2010
- 3. I break stuff Wednesday, September 8, 2010
- 4. Django = pile of awesome Wednesday, September 8, 2010
- 5. Django isn’t perfect Wednesday, September 8, 2010
- 6. Developers aren’t perfect Wednesday, September 8, 2010
- 7. I WANT TO HELP YOU AVOID HUGE ASS MISTAKES Captain Howdy McAssumptions, the nGenuity Mascot Wednesday, September 8, 2010
- 8. INTRODUCING! Completely made up statistics Wednesday, September 8, 2010
- 9. 60% of security failures project constraints! Wednesday, September 8, 2010
- 10. Wednesday, September 8, 2010
- 11. 30% of security failures incompetence or ignorance Wednesday, September 8, 2010
- 13. 9% of security failures needle in the haystack Wednesday, September 8, 2010
- 14. See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/ and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/ Wednesday, September 8, 2010
- 15. 1% of security failures 0 days Wednesday, September 8, 2010
- 16. Let’s talk about the 90% Wednesday, September 8, 2010
- 17. Sad Pony Warning Wednesday, September 8, 2010
- 18. cross-site scripting Wednesday, September 8, 2010
- 19. { the “ double quote Big ‘ single quote & ampersand Five < less than > greater than Wednesday, September 8, 2010
- 20. {% autoescape off %} |safe filter mark_safe( ) Wednesday, September 8, 2010
- 21. Context matters. <a href=”{{object.absolute_url}}” alt=”{{object.name}}”> {{object.name}}</a> <a href={{object.absolute_url}} alt={{object.name}}> {{object.name}}</a> Missing quotes in the second URL make it possible to inject malicious code. Which is bad. Wednesday, September 8, 2010
- 22. swingset OWASP ESAPI Swingset by Craig Younkins http://www.owasp.org/index.php/ESAPI_Swingset Wednesday, September 8, 2010
- 23. Browser behavior This works in IE8, without the “big five” and executes without user interaction. <style /><a href="[user provided data here]">click</a> <style /><a href="}@import/**/data:text/css %3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpf Q%3D%3D;">click</a> Wednesday, September 8, 2010
- 24. Avoid • Consider OWASP ESAPI • Audit templates getting • Audit reusables and snippets burned • Educate designers Wednesday, September 8, 2010
- 25. FILE UP LOADS Wednesday, September 8, 2010
- 26. Evil Avatars Images can contain PHP. ImageField does not care. ImageField does not check extensions. File uploads often are put in unprotected directories. Wednesday, September 8, 2010
- 27. Avoid • Check file extensions • Disable PHP getting burned Wednesday, September 8, 2010
- 28. File upload TMI secret_report.pdf secret_report_1.pdf Wednesday, September 8, 2010
- 29. Avoid • Put user content behind a file API • Obfuscate filenames of uploads getting burned Wednesday, September 8, 2010
- 30. Direct Object Access Wednesday, September 8, 2010
- 31. General TMI “Not Found” vs. “Forbidden” / “Access denied” Wednesday, September 8, 2010
- 32. Avoid • Return consistent results (preferably “Not Found”) getting • Log security violations burned Wednesday, September 8, 2010
- 33. Doing stupid things Privileged operations with HTTP GET eg /object/delete/2 Wednesday, September 8, 2010
- 34. Avoid • Don’t do stupid things. • Consider Django-Piston for REST getting burned Wednesday, September 8, 2010
- 35. Click Jacking What the hell is it? Wednesday, September 8, 2010
- 36. Click jackets /admin/ is vulnerable. pre-filling forms removes most user interaction Wednesday, September 8, 2010
- 37. Avoid • Set X-FRAME-OPTIONS DENY header getting • Use django-xframeoptions middleware burned • Implement frame breakout code Wednesday, September 8, 2010
- 38. Abusing :( /admin/ Wednesday, September 8, 2010
- 39. Wuh-oh, kids. [ REDACTED ] Wednesday, September 8, 2010
- 40. Avoid • I HAVE NO IDEA. • security@djangoproject.com getting needs to check their email ;) burned Wednesday, September 8, 2010
- 41. Wednesday, September 8, 2010
- 42. I have a hard job Wednesday, September 8, 2010
- 43. Your job is harder. Wednesday, September 8, 2010
- 44. Questions? @adam_baldwin // ngenuity-is.com // evilpacket.net Wednesday, September 8, 2010