Sichere Web-Applikationen am Beispiel von Django (Secure Web Applications Using Django as an Example)
Markus Zapke-Gründemann
LinuxTag 2014
Because of the high complexity of modern web applications there are ever more ways for attackers to harm users or even break into the systems. The OWASP Top 10 2013 of the Open Web Application Security Project (OWASP) list the ten most dangerous ways to attack a web application.

This talk discusses the most important scenarios from the OWASP Top 10 2013 in detail. Each attack vector is first explained with a practical example that shows what an attack could look like. Then the Python web framework Django is used to demonstrate what a secure implementation looks like.

Each example should transfer easily to other programming languages and frameworks. The talk is therefore aimed not only at Django users but at everyone who develops web applications.

Finally, tools are presented that can be used to search for vulnerabilities in web applications.
1. Secure Web Applications Using Django as an Example
   Markus Zapke-Gründemann, LinuxTag 2014

2. Markus Zapke-Gründemann
   Software developer since 2001
   Python, Django and Mercurial
   Owner of transcode
   Board member of the Deutscher Django-Verein (German Django Association)
   keimlink.de // @keimlink

3. Introduction

4. Django
   Python web application framework
   Open source (BSD license)
   Rapid development
   Model Template View (MTV)
   Object Relational Mapper (ORM)
   www.djangoproject.com

5. OWASP
   Open Web Application Security Project
   Non-profit organisation
   All materials under a free license
   www.owasp.org

6. OWASP Top 10
   https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
7. to 17. OWASP Top 10 (the list is built up one item per slide)
   1. Injection
   2. Broken Authentication and Session Management
   3. Cross-Site Scripting (XSS)
   4. Insecure Direct Object References
   5. Security Misconfiguration
   6. Sensitive Data Exposure
   7. Missing Function Level Access Control
   8. Cross-Site Request Forgery (CSRF)
   9. Using Components with Known Vulnerabilities
   10. Unvalidated Redirects and Forwards
18. SQL Injection
    >>> # vulnerable: name and id are pasted into the SQL text and re-parsed as SQL
    >>> cmd = "UPDATE animals SET name='%s' WHERE id='%s'" % (name, id)
    >>> cursor.execute(cmd)

19. SQL Injection
    "Exploits of a Mom" by Randall Munroe (cc-by-nc)

20. SQL Injection
    "Exploits of a Mom" by Randall Munroe (cc-by-nc)
    Sanitize database input!

21. SQL Injection
    >>> # the ORM passes name and id as query parameters, never as SQL text
    >>> from animals.models import Animal
    >>> Animal.objects.filter(id=id).update(name=name)
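The contrast between slide 18 and slide 21, as an added example that is not part of the talk: both versions of the update are run against an in-memory SQLite table with constructed sample rows, so the effect of a quote in the input is visible without a Django project. The ORM call on slide 21 ends up as a parameterised statement of the kind `rename_safe` issues; the function names, the table contents and the hostile input are assumptions made for this demo.

```python
import sqlite3

# Constructed sample data, not from the slides.
SAMPLE_ROWS = [(1, "cat"), (2, "dog"), (3, "horse")]


def make_db():
    """In-memory SQLite database with the animals table the slides refer to."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE animals (id INTEGER PRIMARY KEY, name TEXT)")
    conn.executemany("INSERT INTO animals VALUES (?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def rename_vulnerable(conn, animal_id, name):
    """Slide 18 as written: the values are pasted into the SQL text, so a quote
    in animal_id changes the grammar of the statement. Returns rows changed."""
    cmd = "UPDATE animals SET name='%s' WHERE id='%s'" % (name, animal_id)
    cur = conn.execute(cmd)
    conn.commit()
    return cur.rowcount


def rename_safe(conn, animal_id, name):
    """Parameterised query: the driver receives animal_id and name as data and
    never re-parses them as SQL. Django's ORM issues this kind of statement
    for Animal.objects.filter(id=id).update(name=name) on slide 21."""
    cur = conn.execute("UPDATE animals SET name=? WHERE id=?", (name, animal_id))
    conn.commit()
    return cur.rowcount


def names(conn):
    """Current names, ordered by id, for inspecting the result."""
    return [row[0] for row in conn.execute("SELECT name FROM animals ORDER BY id")]


def demo():
    """Feed the same quote-bearing id to both versions and report what changed."""
    # Constructed input: the quote closes the literal, the rest widens the WHERE clause.
    hostile_id = "1' OR '1'='1"
    vuln_db = make_db()
    changed_vuln = rename_vulnerable(vuln_db, hostile_id, "renamed")
    safe_db = make_db()
    changed_safe = rename_safe(safe_db, hostile_id, "renamed")
    return changed_vuln, names(vuln_db), changed_safe, names(safe_db)


if __name__ == "__main__":
    print(demo())
```

With the string-formatted statement every row is renamed; with the parameterised one the same input matches no row, because the driver compares the whole string against the id column instead of interpreting it. The same holds for Django's `cursor.execute(sql, params)` when raw SQL is unavoidable.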
22. Broken Authentication and Session Management
    http://example.com/sale/saleitems;sessionid=2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
23. Cross-Site Scripting (XSS)
    Template:
        <h3>Preparation</h3>
        {{ recipe.preparation }}
    Input (recipe.preparation):
        <script>alert('The best recipe in the world!')</script>
        Heat the water in the pot to 100 °C.
    Output (autoescaped):
        <p>&lt;script&gt;alert('The best recipe in the world!')&lt;/script&gt;</p>
        <p>Heat the water in the pot to 100 °C.</p>

24. Cross-Site Scripting (XSS)
    Template:
        <h3>Preparation</h3>
        {{ recipe.preparation|safe }}
    Input (recipe.preparation): as on slide 23
    Output (not escaped, the script runs in the browser):
        <p><script>alert('The best recipe in the world!')</script></p>
        <p>Heat the water in the pot to 100 °C.</p>
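What the two templates on slides 23 and 24 do to the same input, as an added example that is not from the talk and does not use Django's template engine: `render_autoescaped` reproduces the default escaping, `render_marked_safe` reproduces `|safe`, and `sanitize` shows the third option a practitioner needs when a field legitimately holds markup, namely reducing it to an allowlist before marking it safe. The recipe text is constructed after the slides; the allowlist sanitiser is a toy written for this page.

```python
import html
from html.parser import HTMLParser

# Constructed input mirroring slides 23/24: a script tag followed by real text.
RECIPE = ("<script>alert('The best recipe in the world!')</script>\n"
          "Heat the water in the pot to 100 °C.")

TEMPLATE = "<h3>Preparation</h3>\n%s"


def render_autoescaped(preparation):
    """{{ recipe.preparation }}: Django escapes <, >, &, " and ' before output.
    html.escape(quote=True) covers the same characters (current Django writes
    ' as &#x27; as well; older releases used &#39;, which is equivalent)."""
    return TEMPLATE % html.escape(preparation, quote=True)


def render_marked_safe(preparation):
    """{{ recipe.preparation|safe }}: the value is inserted verbatim, so any
    markup in it, including the script tag, reaches the browser."""
    return TEMPLATE % preparation


ALLOWED_TAGS = {"p", "em", "strong", "ol", "ul", "li", "br"}


class _AllowlistSanitizer(HTMLParser):
    """Keeps only the tags in ALLOWED_TAGS, drops every attribute and escapes
    all text. Toy implementation for illustration; a real project should use
    a maintained sanitiser such as bleach."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag in ALLOWED_TAGS:
            self.out.append("<%s>" % tag)   # attributes are always dropped

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS:
            self.out.append("</%s>" % tag)

    def handle_data(self, data):
        # Text content is always escaped, whatever element it appeared in.
        self.out.append(html.escape(data, quote=True))


def sanitize(preparation):
    """Reduce user-supplied HTML to the allowlist; only a result like this
    should ever be passed through |safe."""
    parser = _AllowlistSanitizer()
    parser.feed(preparation)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    print(render_autoescaped(RECIPE))
    print(render_marked_safe(RECIPE))
    print(sanitize("<p onclick='evil()'>Heat <em>the</em> water</p>" + RECIPE))
```

The rule the slides illustrate is that `|safe` is a promise, not a filter: it tells the template engine that somebody else already made the value safe. The sanitiser is one way to keep that promise; autoescaping is the default that needs no promise at all.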
25. Security Misconfiguration
    DEBUG = True

26. Sensitive Data Exposure
    >>> from django.contrib.auth.models import User
    >>> User.objects.get(pk=1).password
    u'pbkdf2_sha256$10000$sDN75YuuoUWi$Ua/H364jPAPTPBiAyJ1fc0uB4ClzQD5yGFisYrxCo40='
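The value on slide 26 is not the password but a PBKDF2 hash in Django's storage format, `algorithm$iterations$salt$base64(digest)`. As an added example (not Django's own hasher code), the functions below build and verify strings in that format with the standard library, so the reader can see what a leaked `password` column actually contains and why verification still needs the original password. The salt value and the test password are constructed; the iteration count defaults to the 10000 shown on the slide, which is far below what current Django releases use.

```python
import base64
import hashlib
import hmac
import secrets

ALGORITHM = "pbkdf2_sha256"


def make_password(password, salt=None, iterations=10000):
    """Build a string in the format shown on slide 26:
    algorithm$iterations$salt$base64(PBKDF2-HMAC-SHA256 digest).
    Re-implementation for illustration, not Django's own hasher."""
    if salt is None:
        salt = secrets.token_urlsafe(9)  # 12 URL-safe chars, never contains '$'
    if not salt or "$" in salt:
        raise ValueError("salt must be non-empty and must not contain '$'")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt.encode("utf-8"), iterations)
    encoded_hash = base64.b64encode(digest).decode("ascii")
    return "%s$%d$%s$%s" % (ALGORITHM, iterations, salt, encoded_hash)


def check_password(password, encoded):
    """Verify a candidate password against a stored string: read salt and
    iteration count from the stored value, recompute, compare in constant time."""
    algorithm, iterations, salt, _ = encoded.split("$", 3)
    if algorithm != ALGORITHM:
        raise ValueError("unsupported hasher: %s" % algorithm)
    candidate = make_password(password, salt, int(iterations))
    return hmac.compare_digest(candidate.encode("ascii"), encoded.encode("ascii"))


if __name__ == "__main__":
    stored = make_password("correct horse battery staple", salt="c0nstructedS")
    print(stored)
    print(check_password("correct horse battery staple", stored))
    print(check_password("guess", stored))
```

Because the salt and iteration count are stored in the string itself, an application can raise the work factor over time and re-hash on the next successful login, which is what Django does when its default hasher parameters change.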
27. Cross-Site Request Forgery (CSRF)
    http://example.com/app/transferFunds?amount=1500&destinationAccount=4673243243

28. Cross-Site Request Forgery (CSRF)
    <form method="post" accept-charset="utf-8">
        {{ form.as_p }}
        {% csrf_token %}
        <input type="submit" value="Submit"/>
    </form>

29. Cross-Site Request Forgery (CSRF)
    <form method="post" accept-charset="utf-8">
        ...
        <input type='hidden' name='csrfmiddlewaretoken' value='gB3bL3MU2fr8BCQXXrNV6pfS7GJYBdU0' />
        <p><input type="submit" value="Submit" /></p>
    </form>
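Why the hidden field on slide 29 stops the request on slide 27, as an added example that models the synchronizer-token check rather than Django's `CsrfViewMiddleware` (which additionally keeps the secret in a cookie and checks the Referer header on HTTPS): the server issues a per-session token, `{% csrf_token %}` writes it into the form, and any state-changing request without the matching token is refused. A cross-site page can make the victim's browser send cookies, but it cannot read the victim's page and so cannot obtain the token. The dict-based session store and the function names are assumptions for this demo. Note that the check only applies to unsafe methods; the GET URL on slide 27 cannot be protected this way, which is why fund transfers must be POST requests.

```python
import hmac
import secrets

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}
FIELD_NAME = "csrfmiddlewaretoken"


def get_csrf_token(session):
    """Per-session secret, created on first use. `session` is a plain dict
    standing in for the server-side session store (assumption for this demo)."""
    if "csrf_token" not in session:
        session["csrf_token"] = secrets.token_hex(16)
    return session["csrf_token"]


def csrf_token_tag(session):
    """The hidden input that {% csrf_token %} renders into the form on slide 28."""
    return "<input type='hidden' name='%s' value='%s' />" % (FIELD_NAME, get_csrf_token(session))


def csrf_check(session, method, form):
    """Decide whether a request may change state. Safe methods pass; every
    other method must carry the session's token in the form.
    Returns (allowed, reason)."""
    if method.upper() in SAFE_METHODS:
        return True, "safe method, no token required"
    expected = session.get("csrf_token", "")
    submitted = form.get(FIELD_NAME, "")
    if not expected or not hmac.compare_digest(submitted.encode("utf-8"),
                                               expected.encode("utf-8")):
        return False, "missing or wrong %s" % FIELD_NAME
    return True, "token matches session"


def demo():
    """Legitimate form post versus a cross-site forged post (slide 27)."""
    victim_session = {}
    tag = csrf_token_tag(victim_session)
    token = tag.split("value='")[1].split("'")[0]   # what the real form submits
    legit = csrf_check(victim_session, "POST", {FIELD_NAME: token, "amount": "15"})
    # The forged request carries the victim's session but no token, because the
    # attacker's page never saw the form.
    forged = csrf_check(victim_session, "POST",
                        {"amount": "1500", "destinationAccount": "4673243243"})
    return legit, forged


if __name__ == "__main__":
    print(demo())
```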
30. Clickjacking
    Enable the X-Frame-Options header:
    MIDDLEWARE_CLASSES = (
        ...
        'django.middleware.clickjacking.XFrameOptionsMiddleware',
        ...
    )
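What the middleware on slide 30 does on every response, as an added example modelled on Django's `XFrameOptionsMiddleware` but written as a plain WSGI wrapper rather than the project's own code: the header is added unless the view already set one. Django 1.x defaulted the `X_FRAME_OPTIONS` setting to SAMEORIGIN; Django 3.0 and later default to DENY. The demo applications and the in-process caller are constructed for this page.

```python
def x_frame_options_middleware(app, value="SAMEORIGIN"):
    """Wrap a WSGI app so every response carries X-Frame-Options unless the
    view already set one (mirrors XFrameOptionsMiddleware; not Django's code)."""
    def wrapped(environ, start_response):
        def _start_response(status, headers, exc_info=None):
            headers = list(headers)
            if not any(name.lower() == "x-frame-options" for name, _ in headers):
                headers.append(("X-Frame-Options", value))
            return start_response(status, headers, exc_info)
        return app(environ, _start_response)
    return wrapped


def plain_app(environ, start_response):
    """Constructed demo application that sets no framing policy."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [b"hello"]


def own_policy_app(environ, start_response):
    """Constructed demo application that chooses its own policy; the
    middleware must leave it alone."""
    start_response("200 OK", [("Content-Type", "text/plain"),
                              ("X-Frame-Options", "DENY")])
    return [b"framed by nobody"]


def run(app, path="/"):
    """Minimal in-process WSGI caller returning (status, headers dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, headers

    body = b"".join(app({"REQUEST_METHOD": "GET", "PATH_INFO": path}, start_response))
    return captured["status"], dict(captured["headers"]), body


if __name__ == "__main__":
    print(run(plain_app))
    print(run(x_frame_options_middleware(plain_app)))
    print(run(x_frame_options_middleware(own_policy_app)))
```

A quick check after deploying the Django setting is to request any page and confirm the header is present on the response; a missing header on even one view, for example a legacy endpoint served outside the middleware stack, is the usual gap.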
31. Information Leakage

32. Tools
    OWASP Cheat Sheet Series
    HackBar
    Tamper Data
    sqlmap
    Scapy
    dsniff

33. Django Apps
    django-secure
    django-configurations

34. Making code (more) secure
    Code review
    Security scanner
    Security audit

35. Thanks!
    www.transcode.de
    @keimlink