Download as PDF, PPTX
![Browser behavior
This works in IE8, without the “big five” and executes
without user interaction.
<style /><a href="[user provided data here]">click</a>
<style /><a href="}@import/**/data:text/css
%3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpf
Q%3D%3D;">click</a>
Wednesday, September 8, 2010](https://image.slidesharecdn.com/ngenuitydjangocon2010ponypwning-100908154406-phpapp01/75/Pony-Pwning-Djangocon-2010-23-2048.jpg)
![Wuh-oh, kids.
[ REDACTED ]
Wednesday, September 8, 2010](https://image.slidesharecdn.com/ngenuitydjangocon2010ponypwning-100908154406-phpapp01/75/Pony-Pwning-Djangocon-2010-39-2048.jpg)
Uploaded byAdam Baldwin
Pony Pwning Djangocon 2010
This document summarizes a presentation on Django web application security given by Adam Baldwin. The presentation covered common security failures in Django projects including cross-site scripting due to improper validation of user input in templates, file uploads that do not check extensions or store files in protected directories, direct access to objects without authorization checks, and other issues. Baldwin emphasized avoiding security problems by following best practices like input validation, using middleware to set security headers, and not allowing privileged operations with HTTP GET.
![[BDD 2025 - Full-Stack Development] PHP in AI Age: The Laravel Way. (Rizqy Hi...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-phpinaiagethelaravelway-251125012602-ef9d330e-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] Building AI Systems That Users (and Comp...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-buildingaisystemsthatusersandcompanieslove-251124030845-038f7732-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] The Modern Stack: Building Web & AI Appli...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-themodernstackbuildingwebaiapplicationswithserverless-251124030844-388cf04f-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] Digital Accessibility: Why Developers nee...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-digitalaccessibilitywhydevelopersneedtoknowandcarein2025-251127011019-0674441d-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Artificial Intelligence] AI for the Underdogs: Innovation for Sma...](https://cdn.slidesharecdn.com/ss_thumbnails/ai-aifortheunderdogsinnovationforsmallbusinesses-251124030839-72a599a4-thumbnail.jpg?width=640&height=640&fit=bounds)
![[BDD 2025 - Full-Stack Development] Agentic AI Architecture: Redefining Syste...](https://cdn.slidesharecdn.com/ss_thumbnails/fs-agenticaiarchitectureredefiningsystemcommunication-251124030838-e6c70cc2-thumbnail.jpg?width=640&height=640&fit=bounds)
Pony Pwning Djangocon 2010
- 1. Pony Pwning Djangocon 2010 // Adam Baldwin Wednesday, September 8, 2010
- 2. Hi, I’m notthat Adam Baldwin. I’m this one: @adam_baldwin ngenuity-is.com evilpacket.net Wednesday, September 8, 2010
- 3. I break stuff Wednesday,September 8, 2010
- 4. Django = pile of awesome Wednesday, September 8, 2010
- 5. Django isn’t perfect Wednesday, September 8, 2010
- 6. Developers aren’t perfect Wednesday, September 8, 2010
- 7. I WANT TO HELP YOU AVOID HUGE ASS MISTAKES Captain Howdy McAssumptions, the nGenuity Mascot Wednesday, September 8, 2010
- 8. INTRODUCING! Completely made up statistics Wednesday, September 8, 2010
- 9. 60% of security failures project constraints! Wednesday, September 8, 2010
- 10.
- 11. 30% of security failures incompetence or ignorance Wednesday, September 8, 2010
- 12.
- 13. 9% of security failures needle in the haystack Wednesday, September 8, 2010
- 14. See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/ and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/ Wednesday, September 8, 2010
- 15. 1% of security failures 0 days Wednesday, September 8, 2010
- 16. Let’s talk about the 90% Wednesday, September 8, 2010
- 17. Sad Pony Warning Wednesday, September 8, 2010
- 18.
- 19. { the “ double quote Big ‘ single quote & ampersand Five < less than > greater than Wednesday, September 8, 2010
- 20. {% autoescape off%} |safe filter mark_safe( ) Wednesday, September 8, 2010
- 21. Context matters. <a href=”{{object.absolute_url}}” alt=”{{object.name}}”> {{object.name}}</a> <a href={{object.absolute_url}} alt={{object.name}}> {{object.name}}</a> Missing quotes in the second URL make it possible to inject malicious code. Which is bad. Wednesday, September 8, 2010
- 22. swingset OWASP ESAPI Swingset by Craig Younkins http://www.owasp.org/index.php/ESAPI_Swingset Wednesday, September 8, 2010
- 23. Browser behavior This works in IE8, without the “big five” and executes without user interaction. <style /><a href="[user provided data here]">click</a> <style /><a href="}@import/**/data:text/css %3Bbase64,Knt4OmV4cHJlc3Npb24oYWxlcnQoMSkpf Q%3D%3D;">click</a> Wednesday, September 8, 2010
- 24. Avoid • Consider OWASP ESAPI • Audit templates getting • Audit reusables and snippets burned • Educate designers Wednesday, September 8, 2010
- 25. FILE UP LOADS Wednesday, September 8, 2010
- 26. Evil Avatars Images can contain PHP. ImageField does not care. ImageField does not check extensions. File uploads often are put in unprotected directories. Wednesday, September 8, 2010
- 27. Avoid • Check file extensions • Disable PHP getting burned Wednesday, September 8, 2010
- 28. File upload TMI secret_report.pdf secret_report_1.pdf Wednesday, September 8, 2010
- 29. Avoid • Put user content behind a file API • Obfuscate filenames of uploads getting burned Wednesday, September 8, 2010
- 30. Direct Object Access Wednesday, September 8, 2010
- 31. General TMI “Not Found” vs. “Forbidden” / “Access denied” Wednesday, September 8, 2010
- 32. Avoid • Return consistent results (preferably “Not Found”) getting • Log security violations burned Wednesday, September 8, 2010
- 33. Doing stupid things Privileged operations with HTTP GET eg /object/delete/2 Wednesday, September 8, 2010
- 34. Avoid • Don’t do stupid things. • Consider Django-Piston for REST getting burned Wednesday, September 8, 2010
- 35. Click Jacking What the hell is it? Wednesday, September 8, 2010
- 36. Click jackets /admin/ is vulnerable. pre-filling forms removes most user interaction Wednesday, September 8, 2010
- 37. Avoid • Set X-FRAME-OPTIONS DENY header getting • Use django-xframeoptions middleware burned • Implement frame breakout code Wednesday, September 8, 2010
- 38. Abusing :( /admin/ Wednesday, September 8, 2010
- 39. Wuh-oh, kids. [ REDACTED ] Wednesday, September 8, 2010
- 40. Avoid • I HAVE NO IDEA. • security@djangoproject.com getting needs to check their email ;) burned Wednesday, September 8, 2010
- 41.
- 42. I have a hard job Wednesday, September 8, 2010
- 43. Your job is harder. Wednesday, September 8, 2010
- 44. Questions? @adam_baldwin // ngenuity-is.com // evilpacket.net Wednesday, September 8, 2010