
Pony Pwning Djangocon 2010

  1. Pony Pwning
     Djangocon 2010 // Adam Baldwin
     Wednesday, September 8, 2010

  2. Hi, I'm not that Adam Baldwin. I'm this one:
     @adam_baldwin
     ngenuity-is.com
     evilpacket.net

  3. I break stuff

  4. Django = pile of awesome

  5. Django isn't perfect

  6. Developers aren't perfect

  7. I WANT TO HELP YOU AVOID HUGE ASS MISTAKES
     Captain Howdy McAssumptions, the nGenuity Mascot

  8. INTRODUCING! Completely made up statistics

  9. 60% of security failures: project constraints!

  10. (image only)

  11. 30% of security failures: incompetence or ignorance

  12. See http://evilpacket.net/2010/jan/14/mifi-geopwn/

  13. 9% of security failures: needle in the haystack

  14. See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/
      and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/

  15. 1% of security failures: 0 days

  16. Let's talk about the 90%

  17. Sad Pony Warning

  18. cross-site scripting

  19. The Big Five (what autoescaping rewrites, and nothing else):
      " double quote
      ' single quote
      & ampersand
      < less than
      > greater than

  20. Three ways autoescaping gets turned off:
      {% autoescape off %}
      |safe filter
      mark_safe( )

  21. Context matters.
      <a href="{{object.absolute_url}}" alt="{{object.name}}">{{object.name}}</a>
      <a href={{object.absolute_url}} alt={{object.name}}>{{object.name}}</a>
      Missing quotes in the second anchor make it possible to inject malicious code: escaping still only touches the big five, an unquoted attribute value ends at the first space, so a name containing a space and an equals sign adds a new attribute (an event handler, for example). Which is bad.

  22. swingset
      OWASP ESAPI Swingset by Craig Younkins
      http://www.owasp.org/index.php/ESAPI_Swingset

  23. Browser behavior
      This works in IE8 without any of the "big five" and executes without user interaction.
      Template:
      <style /><a href="[user provided data here]">click</a>
      Rendered with attacker data:
      <style /><a href="}@import/**/data:text/css%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;">click</a>
      Browsers ignore the self-closing slash, so <style /> opens a style block and the anchor's href is parsed as CSS; the } closes the open rule and the @import loads a data: stylesheet whose base64 decodes to *{x:expression(alert(1))}, which IE evaluates as script.

  24. Avoid getting burned
      • Consider OWASP ESAPI
      • Audit templates
      • Audit reusables and snippets
      • Educate designers
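The point of slides 19 to 23 in runnable form, as an added example that is not part of the talk: escaping the big five does nothing to a value that contains none of them, and whether such a value is harmless depends entirely on the context it lands in. Pure Python, no Django; `escape_big_five()` mirrors the five rewrites autoescaping performs but is this example's own function, `attr_encode()` is an own implementation of the ESAPI-style attribute encoder the talk points at, and the anchor templates and the attacker-controlled `object.name` are constructed.

```python
"""Added example, not from the talk: why escaping only the big five fails once
user data reaches an unquoted attribute (slide 21) or a spot the browser parses
as CSS (slide 23). Pure Python, no Django: escape_big_five() mirrors the five
rewrites autoescaping performs but is this example's own function, and the
anchor templates and the attacker-controlled object.name are constructed."""
import base64
import re
import urllib.parse

BIG_FIVE = {"&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;"}

# The href from slide 23, exactly as rendered; no big-five character in it.
IE_PAYLOAD = ("}@import/**/data:text/css%3Bbase64,"
              "Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpfQ%3D%3D;")


def escape_big_five(value: str) -> str:
    """Rewrite only the five characters slide 19 lists; everything else passes."""
    return "".join(BIG_FIVE.get(ch, ch) for ch in value)


def attr_encode(value: str) -> str:
    """Attribute-context encoder in the ESAPI style (own implementation): every
    character outside [A-Za-z0-9] becomes a numeric entity, so the value can
    neither close a quoted attribute nor, when unquoted, start a new one."""
    return re.sub(r"[^A-Za-z0-9]", lambda m: "&#x%02x;" % ord(m.group()), value)


def render_quoted(url: str, name: str) -> str:
    """Slide 21, first anchor: quoted attributes, big-five escaping."""
    return '<a href="%s" alt="%s">%s</a>' % tuple(map(escape_big_five, (url, name, name)))


def render_unquoted(url: str, name: str) -> str:
    """Slide 21, second anchor: same escaping, quotes missing."""
    return "<a href=%s alt=%s>%s</a>" % tuple(map(escape_big_five, (url, name, name)))


def render_unquoted_hardened(url: str, name: str) -> str:
    """Still unquoted, but attribute-encoded: spaces and '=' become entities."""
    return "<a href=%s alt=%s>%s</a>" % (attr_encode(url), attr_encode(name),
                                        escape_big_five(name))


def attributes_of(anchor: str) -> list:
    """Tokenize the start tag the way a browser does: a quoted value runs to
    its closing quote, an unquoted one ends at whitespace. Returns attribute
    names, so an injected event handler shows up as an extra name."""
    tag = anchor[: anchor.index(">")]
    names, i = [], tag.index(" ")
    token = re.compile(r'\s*([^\s=>/"\']+)(?:=("[^"]*"|\'[^\']*\'|[^\s>]*))?')
    while i < len(tag):
        m = token.match(tag, i)
        if not m:
            break
        names.append(m.group(1).lower())
        i = m.end()
    return names


def css_payload_of(href: str) -> str:
    """Recover the stylesheet smuggled through slide 23's @import data: URL."""
    b64 = urllib.parse.unquote(href.split("base64,", 1)[1]).rstrip(";")
    return base64.b64decode(b64).decode("ascii")


if __name__ == "__main__":
    evil_name = "x onmouseover=alert(1)"  # constructed attacker-controlled value
    print(escape_big_five(evil_name) == evil_name)            # True: nothing to escape
    print(attributes_of(render_quoted("/u/1", evil_name)))    # ['href', 'alt']
    print(attributes_of(render_unquoted("/u/1", evil_name)))  # ['href', 'alt', 'onmouseover']
    print(attributes_of(render_unquoted_hardened("/u/1", evil_name)))  # ['href', 'alt']
    print(css_payload_of(IE_PAYLOAD))                         # *{x:expression(alert(1))}
```

The quoted template survives because the browser reads up to the closing quote, not because the escaping did anything to the payload. Quoting every attribute is the cheap fix; attribute encoding is the belt-and-braces one for snippets where you cannot guarantee the quotes are there. Neither helps with slide 23, where the sink is CSS rather than an attribute, which is the argument for a per-context encoder such as ESAPI over blanket HTML escaping.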
  25. FILE UPLOADS

  26. Evil Avatars
      Images can contain PHP.
      ImageField does not care (it checks that the bytes decode as an image, nothing more).
      ImageField does not check extensions.
      File uploads often are put in unprotected directories.

  27. Avoid getting burned
      • Check file extensions
      • Disable PHP where uploads are served

  28. File upload TMI
      secret_report.pdf
      secret_report_1.pdf
      Storage renames a colliding upload to secret_report_1.pdf, which tells the uploader that secret_report.pdf already exists and leaves both names guessable.

  29. Avoid getting burned
      • Put user content behind a file API
      • Obfuscate filenames of uploads
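Slides 26 to 29 in code, as an added example that is not part of the talk and not Django's own field or storage code: `tiny_png()` builds a PNG that decodes fine and still carries a PHP tag (a constructed sample), and `safe_upload_name()` does the checks ImageField leaves to you. The extension allowlist, the magic-byte table and the random 32-hex-digit naming scheme are this example's own choices.

```python
"""Added example, not from the talk: slides 26-29 in code. tiny_png() builds a
real PNG that can also carry PHP (constructed sample), and safe_upload_name()
does what ImageField alone does not: allowlist the extension, check it against
the bytes, scan the places a payload hides, and throw the uploader's filename
away. Pure Python; nothing here is Django's own storage or field code."""
import re
import secrets
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# allowed extension -> bytes a file with that extension must start with (own table)
MAGIC = {"png": PNG_SIG, "jpg": b"\xff\xd8\xff", "gif": b"GIF8"}
SERVER_SIDE_CODE = re.compile(rb"<\?(php|=)|<%|<script", re.I)


def _chunk(kind: bytes, data: bytes) -> bytes:
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + kind + data + struct.pack(">I", crc)


def tiny_png(comment: bytes = b"") -> bytes:
    """A valid 1x1 RGB PNG; an optional tEXt chunk holds arbitrary bytes."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 2, 0, 0, 0)   # 1x1, 8-bit, RGB
    idat = zlib.compress(b"\x00\x00\x00\x00")           # filter byte + one pixel
    chunks = [_chunk(b"IHDR", ihdr), _chunk(b"IDAT", idat)]
    if comment:
        chunks.append(_chunk(b"tEXt", b"Comment\x00" + comment))
    chunks.append(_chunk(b"IEND", b""))
    return PNG_SIG + b"".join(chunks)


def png_chunks(data: bytes):
    """Yield (type, payload) per chunk, then (b'TRAILER', bytes) for anything
    after IEND, which is where `cat shell.php >> pic.png` puts its payload."""
    pos = len(PNG_SIG)
    while pos + 8 <= len(data):
        length, kind = struct.unpack(">I4s", data[pos:pos + 8])
        yield kind, data[pos + 8:pos + 8 + length]
        pos += 12 + length
        if kind == b"IEND":
            break
    if pos < len(data):
        yield b"TRAILER", data[pos:]


def contains_server_side_code(data: bytes) -> bool:
    """Scan the free-form parts of a PNG: uncompressed text chunks and the
    post-IEND trailer (zTXt/iTXt would need inflating first; not done here)."""
    for kind, payload in png_chunks(data):
        if kind in (b"tEXt", b"TRAILER") and SERVER_SIDE_CODE.search(payload):
            return True
    return False


def detect_type(data: bytes):
    for ext, magic in MAGIC.items():
        if data.startswith(magic):
            return ext
    return None


def safe_upload_name(original_name: str, data: bytes) -> str:
    """Return the name to store the upload under, or raise ValueError.
    The uploader's name is read only for its claimed extension: 'avatar.php.png'
    never reaches disk, and the random name leaks nothing about other uploads."""
    ext = original_name.rsplit(".", 1)[-1].lower() if "." in original_name else ""
    ext = {"jpeg": "jpg"}.get(ext, ext)
    if ext not in MAGIC:
        raise ValueError("extension not allowed: %r" % ext)
    if detect_type(data) != ext:
        raise ValueError("content does not match extension %r" % ext)
    if ext == "png" and contains_server_side_code(data):
        raise ValueError("image carries server-side code")
    return "%s.%s" % (secrets.token_hex(16), ext)


def rejects(original_name: str, data: bytes) -> bool:
    """True if safe_upload_name() refuses this upload."""
    try:
        safe_upload_name(original_name, data)
    except ValueError:
        return True
    return False
```

The content scan is defence in depth, not the fix: the slide's advice stands, because a PNG with nothing suspicious in it today can still be renamed or reinterpreted tomorrow. What actually closes the hole is that the stored name is one you chose, with an extension you verified, in a directory the web server will never hand to PHP.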
  30. Direct Object Access

  31. General TMI
      "Not Found" vs. "Forbidden" / "Access denied"
      (a "Forbidden" for an object the user does not own confirms that the object exists)

  32. Avoid getting burned
      • Return consistent results (preferably "Not Found")
      • Log security violations

  33. Doing stupid things
      Privileged operations with HTTP GET
      eg /object/delete/2
      (one <img src> or link prefetch on a page the victim visits is enough to fire it)

  34. Avoid getting burned
      • Don't do stupid things.
      • Consider Django-Piston for REST
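One handler that follows slides 31 to 34, as an added example that is not part of the talk: the same "Not Found" whether the object is missing or belongs to someone else, the forbidden case logged as a security violation, and no state change on GET. The `Request`/`Response` stand-ins, the `DOCUMENTS` table and the `violations` list are constructed for the example; none of it is Django's own code.

```python
"""Added example, not from the talk: a delete handler applying slides 31-34.
Missing and forbidden objects both answer 404 with an identical body, the
forbidden attempt is logged, and GET never deletes anything. Request/Response
and the DOCUMENTS table are framework-free stand-ins constructed here."""
from dataclasses import dataclass, field
import logging

log = logging.getLogger("security")


@dataclass
class Request:
    method: str
    user: str
    path: str


@dataclass
class Response:
    status: int
    body: str = ""
    headers: dict = field(default_factory=dict)


# constructed sample data: object id -> owner
DOCUMENTS = {1: "alice", 2: "bob"}

# slide 32, "Log security violations": kept in a list as well so it can be inspected
violations = []


def record_violation(request: Request, detail: str) -> None:
    msg = "user=%s method=%s path=%s %s" % (request.user, request.method,
                                             request.path, detail)
    violations.append(msg)
    log.warning(msg)


def lookup_owned(request: Request, object_id: int):
    """Existence and ownership collapse into one answer for the caller: None.
    Only the log distinguishes 'never existed' from 'exists, not yours'."""
    owner = DOCUMENTS.get(object_id)
    if owner is None:
        return None
    if owner != request.user:
        record_violation(request, "attempted access to object %d owned by %s"
                         % (object_id, owner))
        return None
    return object_id


def delete_document(request: Request, object_id: int) -> Response:
    if request.method != "POST":
        # slide 33: a GET that deletes fires from any <img src> or prefetch
        return Response(405, "Method Not Allowed", {"Allow": "POST"})
    if lookup_owned(request, object_id) is None:
        return Response(404, "Not Found")  # identical for missing and forbidden
    del DOCUMENTS[object_id]
    return Response(204)


if __name__ == "__main__":
    print(delete_document(Request("GET", "alice", "/object/delete/1"), 1).status)   # 405
    print(delete_document(Request("POST", "alice", "/object/delete/99"), 99).status)  # 404
    print(delete_document(Request("POST", "alice", "/object/delete/2"), 2).status)    # 404
    print(violations[-1])
    print(delete_document(Request("POST", "alice", "/object/delete/1"), 1).status)    # 204
```

In Django the same shape is a single `get_object_or_404(Document, pk=object_id, owner=request.user)`: filtering on the owner in the query means the view never holds an object it is not allowed to show, so it cannot accidentally answer 403 for it. Requiring POST is necessary but not sufficient; a POST form can be submitted cross-site too, so Django's CSRF middleware still has to be on for the view.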
  35. Click Jacking
      What the hell is it?

  36. Click jackets
      /admin/ is vulnerable.
      pre-filling the form (admin add forms accept initial values in the query string) removes most user interaction; one click on the framed page is all the victim contributes

  37. Avoid getting burned
      • Set X-FRAME-OPTIONS DENY header
      • Use django-xframeoptions middleware
      • Implement frame breakout code
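The first two bullets of slide 37 as one piece of code, added here and not taken from the talk or from the django-xframeoptions project: a WSGI middleware that stamps `X-Frame-Options` on every response that does not already carry one. It wraps any WSGI application, a Django one included; the `demo_admin_app` and the tiny `call()` client are constructed so the block runs offline.

```python
"""Added example, not from the talk: a WSGI middleware in the spirit of the
django-xframeoptions middleware slide 37 recommends, written from scratch here.
It adds X-Frame-Options to every response unless the application already set
one. demo_admin_app and call() are constructed stand-ins for the demo."""


class XFrameOptionsMiddleware:
    def __init__(self, app, policy: str = "DENY"):
        if policy not in ("DENY", "SAMEORIGIN"):
            raise ValueError("X-Frame-Options must be DENY or SAMEORIGIN")
        self.app, self.policy = app, policy

    def __call__(self, environ, start_response):
        def wrapped_start(status, headers, exc_info=None):
            # respect a value the view chose; add the default otherwise
            if not any(k.lower() == "x-frame-options" for k, _ in headers):
                headers = list(headers) + [("X-Frame-Options", self.policy)]
            return start_response(status, headers, exc_info)
        return self.app(environ, wrapped_start)


def demo_admin_app(environ, start_response):
    """Stand-in for a framed-able admin page: no frame policy of its own."""
    start_response("200 OK", [("Content-Type", "text/html")])
    return [b"<form method=post><input name=username value=attacker>"
            b"<input type=submit value=Save></form>"]


def app_with_own_header(environ, start_response):
    """Stand-in for a view that deliberately allows same-origin framing."""
    start_response("200 OK", [("Content-Type", "text/html"),
                              ("X-Frame-Options", "SAMEORIGIN")])
    return [b"<p>widget</p>"]


def call(app, path: str = "/admin/"):
    """Minimal WSGI client: returns (status, headers as dict, body)."""
    captured = {}

    def start_response(status, headers, exc_info=None):
        captured["status"], captured["headers"] = status, dict(headers)

    environ = {"REQUEST_METHOD": "GET", "PATH_INFO": path, "SERVER_NAME": "localhost"}
    body = b"".join(app(environ, start_response))
    return captured["status"], captured["headers"], body


if __name__ == "__main__":
    status, headers, _ = call(XFrameOptionsMiddleware(demo_admin_app))
    print(status, headers["X-Frame-Options"])                          # 200 OK DENY
    print(call(demo_admin_app)[1].get("X-Frame-Options"))              # None
    print(call(XFrameOptionsMiddleware(app_with_own_header))[1]["X-Frame-Options"])  # SAMEORIGIN
```

The header is the control that holds up: the browser refuses to render the page in a frame before any script runs. The third bullet, frame-breakout JavaScript, is worth keeping only as a fallback for browsers that ignore the header, since framing pages can suppress or sandbox the busting script. Put the middleware early enough in the stack that error pages and redirects get the header too; a login redirect from /admin/ is still a frameable response.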
  38. Abusing /admin/ :(

  39. Wuh-oh, kids.
      [ REDACTED ]

  40. Avoid getting burned
      • I HAVE NO IDEA.
      • security@djangoproject.com needs to check their email ;)

  41. (image only)

  42. I have a hard job

  43. Your job is harder.

  44. Questions?
      @adam_baldwin // ngenuity-is.com // evilpacket.net
