Django book20 security

A brief introduction to Django Book chapter 20, with basic network security knowledge.

Transcript of "Django book20 security"

Slide 1: Django book, Chapter 20 - Security. Alfred. Tuesday, 1 October 2013
Slide 2: Never - under any circumstances - trust data from the browser!
Slide 3: A simple theory of security (based on prime residues) ‣ choose 2 primes p, q ‣ n = p·q ‣ based on Euler's totient function, phi(n) = (p-1)(q-1) ‣ choose the public key e with 1 < e < phi(n) ‣ let d be the modular inverse of e, i.e. d·e ≡ 1 (mod phi(n))
Slide 4: A simple theory of security (based on prime residues), cont.
Slide 5: Number example (from wiki)
1. Choose two distinct prime numbers, such as p = 61 and q = 53 (the factors of n = 3233 below).
2. Compute n = p·q, giving n = 3233.
3. Compute the totient of the product as φ(n) = (p − 1)(q − 1), giving φ(n) = 3120.
4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120. Let e = 17.
5. Compute d, the modular multiplicative inverse of e (mod φ(n)), yielding d = 2753.
The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is m^17 (mod 3233). The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is c^2753 (mod 3233).
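The key-generation steps of slide 3 carried through with the numbers of slide 5, as an added Python example that is not part of the slides. p = 61 and q = 53 are the factors of n = 3233, the plaintext m = 65 is a constructed sample, and this is textbook RSA with no padding, which is why the slide speaks of a "padded" plaintext.

```python
# Added example (not from the slides): RSA key generation, encryption and
# decryption following the slide's steps, with n = 3233, e = 17, d = 2753.
from math import gcd


def egcd_inverse(e: int, phi: int) -> int:
    """Modular inverse of e mod phi via the extended Euclidean algorithm."""
    old_r, r = e, phi
    old_s, s = 1, 0
    while r:
        q = old_r // r
        old_r, r = r, old_r - q * r
        old_s, s = s, old_s - q * s
    if old_r != 1:
        raise ValueError("e and phi(n) must be coprime")
    return old_s % phi


def rsa_keygen(p: int, q: int, e: int) -> tuple:
    """Return ((n, e), (n, d)) for primes p, q and public exponent e."""
    n = p * q
    phi = (p - 1) * (q - 1)            # Euler's totient for n = p*q
    if not (1 < e < phi) or gcd(e, phi) != 1:
        raise ValueError("e must satisfy 1 < e < phi(n) and be coprime to phi(n)")
    d = egcd_inverse(e, phi)           # d*e == 1 (mod phi)
    return (n, e), (n, d)


def encrypt(m: int, public: tuple) -> int:
    n, e = public
    return pow(m, e, n)                # c = m^e mod n


def decrypt(c: int, private: tuple) -> int:
    n, d = private
    return pow(c, d, n)                # m = c^d mod n


if __name__ == "__main__":
    pub, priv = rsa_keygen(61, 53, 17)
    print(pub, priv)                   # (3233, 17) (3233, 2753)
    c = encrypt(65, pub)               # constructed sample plaintext m = 65
    print(c, decrypt(c, priv))         # 2790 65
```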
Slide 6: Identify Your Identity
Slide 7: Cross-Site Request Forgery, CSRF Attack • A malicious client requests a fake link. • The solution, the CSRF token, is described in chapter 16.
Slide 8: Session Forging/Hijacking • man-in-the-middle (a man standing in the middle) • session forging • cookie forging • session fixation • session poisoning. wiki: session fixation
Slide 9: Solutions • Never allow session information to be contained in the URL. Django bless you. • Don't store data in cookies directly. request.session bless you. • Prevent attackers from spoofing session IDs whenever possible. Django uses a hash function to protect your session ID. (As far as I know, some hash functions are not safe, e.g. SHA-1.) • Sensitive data? Use HTTPS: SESSION_COOKIE_SECURE = True
Slide 10: Break....
Slide 11: Code Injection. Code injection is a type of system bug caused by processing invalid data. Since it is called a bug, it is of course your problem.
Slide 12: SQL Injection. How could a username become invalid data? • Escape character (') • SQL reserved word • SQL logic
Slide 13: SQL Injection (cont.) Tears In Heaven...
Slide 14: SQL Injection Solution 1. Use the Django API, please. 2. Exceptions: Person.objects.raw('SELECT * FROM foo'), django.db.connection.ops.quote_name(user)
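How the three cases of slide 12 (escape character, reserved word, SQL logic) turn a username into part of the statement, and how parameter binding keeps it as plain data, as an added example that is not from the slides. It uses sqlite3 instead of Django so it runs stand-alone; the person table, its rows and the probe strings are constructed here.

```python
# Added example (not from the slides): a hand-built SQL string versus a
# parameterised query, which is what the Django ORM and raw(sql, params) use.
import sqlite3


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, username TEXT)")
    conn.executemany("INSERT INTO person (username) VALUES (?)",
                     [("alice",), ("bob",)])          # constructed rows
    return conn


def find_user_unsafe(conn, username: str) -> list:
    # String formatting: the username is parsed as SQL, so a quote changes
    # where the literal ends and an OR changes the WHERE clause's logic.
    sql = "SELECT username FROM person WHERE username = '%s'" % username
    return [row[0] for row in conn.execute(sql)]


def find_user_safe(conn, username: str) -> list:
    # Parameter binding: the driver sends the value separately from the
    # statement, so quotes and keywords never reach the SQL parser.
    sql = "SELECT username FROM person WHERE username = ?"
    return [row[0] for row in conn.execute(sql, (username,))]


def unsafe_query_errors(conn, username: str) -> bool:
    """True when the hand-built query is no longer valid SQL (the escape-char case)."""
    try:
        find_user_unsafe(conn, username)
    except sqlite3.Error:
        return True
    return False


if __name__ == "__main__":
    conn = make_db()
    probe = "x' OR '1'='1"                     # SQL logic smuggled in a value
    print(find_user_unsafe(conn, probe))       # ['alice', 'bob']: logic injected
    print(find_user_safe(conn, probe))         # []: treated as a literal username
    print(unsafe_query_errors(conn, "o'brien"))  # True: stray quote breaks the SQL
    print(find_user_safe(conn, "o'brien"))     # []: quote handled by binding
```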
Slide 15: Cross Site Script, XSS. XSS enables attackers to inject client-side script into Web pages viewed by other users. xss, xsstc (css, javascript)
Slide 16: Cross Site Script, XSS. Q. How does it work? A. The attacker exploits the client browser's ability to execute script dynamically, or to load code from another server, and crafts a simple link to hand to victims. 1. Find a web page that contains any kind of XSS leak. 2. Design the XSS script: steal cookies, do something, etc. 3. Send a link to the victims (by mail or anything). Even the best website design cannot stop naive users.
Slide 17: Example of XSS http://example.com/hello/?name=Jacob http://example.com/hello/?name=<i>Jacob</i> http://redirect.example.com/hello/?name=jacob (malicious link)
Slide 18: Solution of XSS
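The /hello/?name= page from slide 17 rendered without and with HTML escaping, as an added example that is not from the slides. It uses the standard library's html.escape, which performs the same entity substitution that Django's template autoescaping and django.utils.html.escape apply; the view functions and URLs are constructed here.

```python
# Added example (not from the slides): the difference between echoing the
# ?name= parameter as markup and echoing it as escaped text.
from html import escape
from urllib.parse import parse_qs, urlsplit


def name_from_url(url: str) -> str:
    """Pull the ?name= query parameter out of a request URL."""
    query = parse_qs(urlsplit(url).query)
    return query.get("name", [""])[0]


def hello_unsafe(name: str) -> str:
    # The value is inserted as markup, so <i>Jacob</i> renders as italics and
    # a <script> tag in the same place would run in the viewer's browser.
    return "<h1>Hello, %s!</h1>" % name


def hello_safe(name: str) -> str:
    # escape() replaces < > & " ' with entities, so the browser displays the
    # characters literally instead of parsing them as tags.
    return "<h1>Hello, %s!</h1>" % escape(name)


if __name__ == "__main__":
    for url in ("http://example.com/hello/?name=Jacob",
                "http://example.com/hello/?name=<i>Jacob</i>"):
        name = name_from_url(url)
        print(hello_unsafe(name))
        print(hello_safe(name))
```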
Slide 19: Email Header Injection • A field of an e-mail form would provide another injection method. "hello\ncc:spamvictim@example.com" (where "\n" is a newline character). Solution: django.core.mail.send_mail
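The newline check that rejects the "hello\ncc:spamvictim@example.com" subject from this slide, as an added example that is not from the slides. Django's send_mail does this for you by raising django.core.mail.BadHeaderError; the BadHeaderError class, clean_header and build_message here are stand-ins written without Django so the script runs stand-alone.

```python
# Added example (not from the slides): refusing header values that contain
# CR or LF, since a line break ends the header and starts a new one.
class BadHeaderError(ValueError):
    """Stand-in for django.core.mail.BadHeaderError (assumed name, not Django's code)."""


def clean_header(name: str, value: str) -> str:
    # A CR or LF inside a header value ends that header; whatever follows it
    # would be read by the mail server as a new header such as Cc: or Bcc:.
    if "\n" in value or "\r" in value:
        raise BadHeaderError("Header values can't contain newlines (got %r for %s)"
                             % (value, name))
    return value


def build_message(subject: str, sender: str, recipients: list, body: str) -> str:
    """Assemble a minimal RFC-style message; every header is checked first."""
    headers = [
        ("Subject", clean_header("Subject", subject)),
        ("From", clean_header("From", sender)),
        ("To", clean_header("To", ", ".join(recipients))),
    ]
    # The body is the only part of the message where newlines are allowed.
    return "".join("%s: %s\r\n" % h for h in headers) + "\r\n" + body


def subject_is_rejected(subject: str) -> bool:
    try:
        build_message(subject, "app@example.com", ["user@example.com"], "hi")
    except BadHeaderError:
        return True
    return False


if __name__ == "__main__":
    print(build_message("hello", "app@example.com", ["user@example.com"], "hi"))
    print(subject_is_rejected("hello\ncc:spamvictim@example.com"))  # True
```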
Slide 20: Filename Injection • A field to let the user fill in the file name... • how about ../../../../../etc/passwd. • Needless to say, you should never write code that can read from any area of the disk!
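One way to confine a user-supplied file name to a single upload directory, so that ../../../../../etc/passwd from this slide is rejected, as an added example that is not from the slides. The safe_path function and the upload directory are assumptions made here; the check resolves the full path first and then tests containment, so '..' segments, absolute paths and symlinks are all handled by the same comparison.

```python
# Added example (not from the slides): resolve, then check that the result is
# still inside the base directory, instead of trying to strip "../" by hand.
import os
import tempfile


def safe_path(base_dir: str, user_filename: str) -> str:
    """Absolute path of user_filename under base_dir, or ValueError if it escapes."""
    base = os.path.realpath(base_dir)
    # Join then resolve: ".." segments and symlinks are collapsed, and an
    # absolute user path makes join() discard base, which the check catches.
    target = os.path.realpath(os.path.join(base, user_filename))
    if os.path.commonpath([base, target]) != base:
        raise ValueError("filename escapes %s: %r" % (base_dir, user_filename))
    return target


def escapes(base_dir: str, user_filename: str) -> bool:
    try:
        safe_path(base_dir, user_filename)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as uploads:   # constructed upload dir
        print(safe_path(uploads, "report.txt"))
        print(escapes(uploads, "../../../../../etc/passwd"))  # True
        print(escapes(uploads, "/etc/passwd"))                # True
        print(escapes(uploads, "sub/../report.txt"))          # False
```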
Slide 21: Filename Injection (cont.)
Slide 22: • Password cracking (brute force, dictionary, birthday attack) • Impersonation (man-in-the-middle, xx forging...) • Code Injection (SQL, XSS, email header, ...) • Disruption (DDoS, request explosion) • Zero-Day Attack + Service Scan • Social Engineering (information gathering)
Slide 23: Thanks. Alfred