Upcoming SlideShare
×

# Django book20 security

1,174 views
1,018 views

Published on

A brief introduction of Django Book ch 20.
With basic network security knowledge.

Published in: Technology
3 Likes
Statistics
Notes
• Full Name
Comment goes here.

Are you sure you want to Yes No
• Be the first to comment

Views
Total views
1,174
On SlideShare
0
From Embeds
0
Number of Embeds
1
Actions
Shares
0
9
0
Likes
3
Embeds 0
No embeds

No notes for slide

### Django book20 security

1. 1. Django book Chapter 20 - Security Alfred 113年10月1⽇日星期⼆二
2. 2. Never - under any circumstances - trust data from browser! 213年10月1⽇日星期⼆二
3. 3. A simple theory of security (based on 質餘) ‣ choose 2 prime p, q ‣ n = p, q ‣ based on Euler Function, phi(n) = (p-1)(q-1) ‣ 1 < e, public key <= phi(n) ‣ let d 是 e 的modulo reverse, d。e 同餘 1 mod phi(n) 313年10月1⽇日星期⼆二
4. 4. A simple theory of security (based on 質餘) cont. 413年10月1⽇日星期⼆二
5. 5. Number example (from wiki) 1. Choose two distinct prime numbers, such as and . 2. Compute n = p。q giving 3. Compute the totient of the product as φ(n) = (p − 1)(q − 1) giving. 4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120.Let 5. Compute d, the modular multiplicative inverse of e (mod φ(n)) yielding The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is c2753(mod 3233). 513年10月1⽇日星期⼆二
7. 7. Cross-Site Request Forgery , CSRF Attack • Malicious Client request a fake link. • Solution is mentioned by CSRF token, chapter 16. 713年10月1⽇日星期⼆二
8. 8. Session Forging/Hijacking • man-in-the-middle (男⼈人 在中間) • session forging • cookie forging • session ﬁxation • session poisoning wiki:session ﬁxation 813年10月1⽇日星期⼆二
9. 9. Solutions • Never allow session information to be contained in the URL. Django bless you. • Don’t store data in cookies directly. request.session bless you. • Prevent attackers from spooﬁng session IDs whenever possible. Django use hash function to protect you session ID. (As I know, some hash function is not safe, ex. SHA-1) • Sensitive Data? use Https:// SESSION_COOKIE_SECURE  =  TRUE 913年10月1⽇日星期⼆二
10. 10. Break.... 1013年10月1⽇日星期⼆二
11. 11. Code Injection Code Injection is a type of system bugs that is caused by processing invalid data. 既然稱為Bug, 那當然就是你的問題阿 1113年10月1⽇日星期⼆二
12. 12. SQL Injection How a username could become invalid data? • Escape char ‘’ • SQL reserved word • SQL logic 1213年10月1⽇日星期⼆二
13. 13. SQL Injection (Cont.) Tears In Heaven... 1313年10月1⽇日星期⼆二
14. 14. SQL Injection Solution 1. Use Django API, please. 2. Exception Person.objects.raw('SELECT * FROM foo') django.db.connection.ops.quote_name(user) 1413年10月1⽇日星期⼆二
15. 15. Cross Site Script, XSS XSS enables attackers to inject client-side script into Web pages viewed by other users. xss, xsstc(css javascript) 1513年10月1⽇日星期⼆二
16. 16. Cross Site Script, XSS Q. How it works? A. 攻擊者利⽤用Client Browser可以動態執⾏行語法的特性，或可從 其他Server讀取程式碼的⽅方式，設計⼀一組簡易的link提供victims。 1. Find a Web Page who contains leak of any kind of XSS. 2. Design the XSS script, stolen cookies, do sth., etc 3. Send a link toVictims. (By mail or anything.) 再好的網站設計也不能阻擋清純的使⽤用者 1613年10月1⽇日星期⼆二
17. 17. Example of XSS http://example.com/hello/?name=Jacob http://example.com/hello/?name=<i>Jacob</i> http://redirect.example.com/hello/?name=jacob Malicious Link 1713年10月1⽇日星期⼆二
18. 18. Solution of XSS 1813年10月1⽇日星期⼆二
19. 19. Email Header Injection • A ﬁeld of E-Mail form would provide another Injection method. "helloncc:spamvictim@example.com" (where "n” is a newline character) solution:  django.core.mail.send_mail 1913年10月1⽇日星期⼆二
20. 20. Filename Injection • A ﬁeld to let user ﬁll the ﬁle name... • how about ../../../../../etc/passwd. • Needless to say, you should never write code that can read from any area of the disk! 2013年10月1⽇日星期⼆二
21. 21. Filename Injection (cont.) 2113年10月1⽇日星期⼆二
22. 22. • 破解密碼 (暴⼒力法、字典、Birthday Attack) • 偽裝( 男⼈人在中間, xx forging... ) • Code Injection (SQL, XSS, email header,...) • 破壞 (DDOS, explode request) • Zero-Day Attack + Service Scan • Social-Engineering (information gathering) 2213年10月1⽇日星期⼆二
23. 23. Thanks Alfred 2313年10月1⽇日星期⼆二