SlideShare a Scribd company logo

Testing python security PyCon IE

Jose Manuel Ortega Candel
Jose Manuel Ortega Candel

Python is a language that in a easy way allows to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase complexity in your applications, it can be easy to introduce potential problems and vulnerabilities. In this talk, I will highlight the biggest problems we can find in python functions, how to use then in a secure way and tools and services that help you identify vulnerabilities in the python source code. These could be the main talking points: -Introduction to secure programming in python. -Introduce dangerous functions for code inyection and how we can solve this issues from a security point of view. -Common attack vectors on Python applications like Remote Command Execution and SQL injection -Best practices for avoid execution of malicious commands -Tools that help us to protect and obfuscate our source code

Technology
1 of 54
Download to read offline
Testing python security PyconIE 2018 1 @jmortegac Testing Python Security José Manuel Ortega @jmortegac
Testing python security PyconIE 2018 2 @jmortegac ● Develop Python scripts for automating security and pentesting tasks ● Discover the Python standard library's main modules used for performing security-related tasks ● Automate analytical tasks and the extraction of information from servers ● Explore processes for detecting and exploiting vulnerabilities in servers ● Use network software for Python programming ● Perform server scripting and port scanning with Python ● Identify vulnerabilities in web applications with Python ● Use Python to extract metadata and forensics
Testing python security PyconIE 2018 3 @jmortegac jmortega.github.io
Testing python security PyconIE 2018 4 @jmortegac 1. Secure coding 2. Dangerous functions 3. Common attack vectors 4. Static analisys tools 5. Other security issues
Testing python security PyconIE 2018 5 @jmortegac Secure coding 1. Analysis of architectures involved 2. Review of implementation details 3. Verification of code logic and syntax 4. Operational testing (unit testing, white-box) 5. Functional testing (black-box)
Testing python security PyconIE 2018 6 @jmortegac Unsafe python components
Testing python security PyconIE 2018 7 @jmortegac Dangerous Python Functions
Testing python security PyconIE 2018 8 @jmortegac Security issues Here’s a list of handful of other potential issues to watch for: ● Dangerous python functions like eval() ● Serialization and deserialization objects with pickle ● SQL and JavaScript snippets ● API keys included in source code ● HTTP calls to internal or external web services
Testing python security PyconIE 2018 9 @jmortegac Improper input/output validation
Testing python security PyconIE 2018 10 @jmortegac eval() eval(expression[, globals[, locals]])
Testing python security PyconIE 2018 11 @jmortegac eval() No globals
Testing python security PyconIE 2018 12 @jmortegac eval() eval("__import__('os').system('clear') ", {}) eval("__import__('os').system('rm -rf')", {})
Testing python security PyconIE 2018 13 @jmortegac eval() Refuse access to the builtins
Testing python security PyconIE 2018 14 @jmortegac eval()
Testing python security PyconIE 2018 15 @jmortegac Serialization and Deserialization with Pickle WARNING: pickle or cPickle are NOT designed as safe/secure solution for serialization
Testing python security PyconIE 2018 16 @jmortegac Serialization and Deserialization with Pickle
Testing python security PyconIE 2018 17 @jmortegac Serialization and Deserialization with Pickle
Testing python security PyconIE 2018 18 @jmortegac Serialization and Deserialization with Pickle
Testing python security PyconIE 2018 19 @jmortegac Serialization and Deserialization with Pickle
Testing python security PyconIE 2018 20 @jmortegac Security issues Overflow errors ● The buffer overflow ● The integer or arithmetic overflow >> print xrange(2**63) Traceback (most recent call last): File "<stdin>", line 1, in <module> OverflowError: Python int too large to convert to C long >>> print range(2**63) Traceback (most recent call last): File "<stdin>", line 1, in <module> OverflowError: range() result has too many items
Testing python security PyconIE 2018 21 @jmortegac Input injection attacks
Testing python security PyconIE 2018 22 @jmortegac Command Injection @app.route('/menu',methods =['POST']) def menu(): param = request.form [ ' suggestion '] command = ' echo ' + param + ' >> ' + ' menu.txt ' subprocess.call(command,shell = True) with open('menu.txt','r') as f: menu = f.read() return render_template('command_injection.html', menu = menu)
Testing python security PyconIE 2018 23 @jmortegac Command Injection @app.route('/menu',methods =['POST']) def menu(): param = request.form [ ' suggestion '] command = ' echo ' + param + ' >> ' + ' menu.txt ' subprocess.call(command,shell = False) with open('menu.txt','r') as f: menu = f.read() return render_template('command_injection.html', menu = menu)
Testing python security PyconIE 2018 24 @jmortegac Command Injection
Testing python security PyconIE 2018 25 @jmortegac shlex module
Testing python security PyconIE 2018 26 @jmortegac PyExecCmd
Testing python security PyconIE 2018 27 @jmortegac Common attack vectors on web applications OWASP TOP 10: A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards
Testing python security PyconIE 2018 28 @jmortegac SQL Injection @app.route('/filtering') def filtering(): param = request.args.get('param', 'not set') Session = sessionmaker(bind = db.engine) session = Session() result = session.query(User).filter(" username ={} ".format(param)) for value in result: print(value.username , value.email) return ' Result is displayed in console.'
Testing python security PyconIE 2018 29 @jmortegac Prevent SQL injection attacks Prevent SQL injection attacks ● NEVER concatenate untrusted inputs in SQL code. ● Concatenate constant fragments of SQL (literals) with parameter placeholders. ● cur.execute("SELECT * FROM students WHERE name= '%s';" % name) ● c.execute("SELECT * from students WHERE name=(?)" , name)
Testing python security PyconIE 2018 30 @jmortegac Prevent SQL injection attacks
Testing python security PyconIE 2018 31 @jmortegac XSS from flask import Flask , request , make_response app = Flask(__name__) @app.route ('/XSS_param',methods =['GET ]) def XSS(): param = request.args.get('param','not set') html = open('templates/XSS_param.html ').read() resp = make_response(html.replace('{{ param}}',param)) return resp if __name__ == ' __main__ ': app.run(debug = True)
Testing python security PyconIE 2018 32 @jmortegac XSS Server Side Template Injection (SSTI)
Testing python security PyconIE 2018 33 @jmortegac XSS
Testing python security PyconIE 2018 34 @jmortegac XSS
Testing python security PyconIE 2018 35 @jmortegac Automated security testing Automatic Scanning tools: ● SQLMap: Sql injection ● XSScrapy: Sql injection and XSS Source Code Analysis tools: ● Bandit: Open Source and can be easily integrated with Jenkins CI/CD
Testing python security PyconIE 2018 36 @jmortegac XSScrapy https://github.com/DanMcInerney/xsscrapy
Testing python security PyconIE 2018 37 @jmortegac SQLMap
Testing python security PyconIE 2018 38 @jmortegac SQLMap
Testing python security PyconIE 2018 39 @jmortegac Bandit
Testing python security PyconIE 2018 40 @jmortegac Bandit
Testing python security PyconIE 2018 41 @jmortegac Bandit Test plugins
Testing python security PyconIE 2018 42 @jmortegac Bandit Test plugins
Testing python security PyconIE 2018 43 @jmortegac Bandit Test plugins
Testing python security PyconIE 2018 44 @jmortegac Bandit Test plugins
Testing python security PyconIE 2018 45 @jmortegac Bandit Test plugins
Testing python security PyconIE 2018 46 @jmortegac Bandit Test plugins
Testing python security PyconIE 2018 47 @jmortegac Bandit Test plugins SELECT %s FROM derp;” % var “SELECT thing FROM ” + tab “SELECT ” + val + ” FROM ” + tab + … “SELECT {} FROM derp;”.format(var)
Testing python security PyconIE 2018 48 @jmortegac Syntribos Buffer Overflow Command Injection CORS Wildcard Integer Overflow LDAP Injection SQL Injection String Validation XML External Entity Cross Site Scripting (XSS) Regex Denial of Service (ReDoS)
Testing python security PyconIE 2018 49 @jmortegac Other security issues CPython vulnerabilities
Testing python security PyconIE 2018 50 @jmortegac Other security issues Insecure packages – acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition) – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms) – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file) – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto) – django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api) – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash) – setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools) – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib) – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3) – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)
Testing python security PyconIE 2018 51 @jmortegac Other security issues
Testing python security PyconIE 2018 52 @jmortegac Interesting links https://github.com/jmortega/testing_python_security
Testing python security PyconIE 2018 53 @jmortegac Interesting links https://security.openstack.org/#bandit-static-analysis-for-python https://security.openstack.org/guidelines/dg_use-subprocess-securely.html https://security.openstack.org/guidelines/dg_avoid-shell-true.html https://security.openstack.org/guidelines/dg_parameterize-database-querie s.html https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin g-libraries.html
Testing python security PyconIE 2018 54 @jmortegac Q&A Q & A

Recommended

DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas
 
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Ashley Wolf
 
Testing python security pyconweb
Testing python security pyconwebTesting python security pyconweb
Testing python security pyconwebJose Manuel Ortega Candel
 
Quality of life through Unit Testing
Quality of life through Unit TestingQuality of life through Unit Testing
Quality of life through Unit TestingSian Lerk Lau
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Jorge Hidalgo
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE - ATT&CKcon
 

Recommended

DevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartDevSecOps for Developers: How To Start
DevSecOps for Developers: How To StartPatricia Aas
 
6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)6 DevSecOps Hacks (femtech 2019)
6 DevSecOps Hacks (femtech 2019)Patricia Aas
 
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.
Don’t Ignore GitHub Security Alerts, Automate Them Into Your Workflow.Ashley Wolf
 
Testing python security pyconweb
Testing python security pyconwebTesting python security pyconweb
Testing python security pyconwebJose Manuel Ortega Candel
 
Quality of life through Unit Testing
Quality of life through Unit TestingQuality of life through Unit Testing
Quality of life through Unit TestingSian Lerk Lau
 
PyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPyConPL 2017 - with python: security
PyConPL 2017 - with python: securityPiotr Dyba
 
Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Open Source Power Tools - Opensouthcode 2018-06-02
Open Source Power Tools - Opensouthcode 2018-06-02Jorge Hidalgo
 
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...
MITRE ATT&CKcon 2.0: Ready to ATT&CK? Bring Your Own Data (BYOD) and Validate...MITRE - ATT&CKcon
 
Intro to Web Development Using Python and Django
Intro to Web Development Using Python and DjangoIntro to Web Development Using Python and Django
Intro to Web Development Using Python and DjangoChariza Pladin
 
Production Time Profiling and Diagnostics on the JVM
Production Time Profiling and Diagnostics on the JVMProduction Time Profiling and Diagnostics on the JVM
Production Time Profiling and Diagnostics on the JVMMarcus Hirt
 
Secure your Web Application With The New Python Audit Hooks
Secure your Web Application With The New Python Audit HooksSecure your Web Application With The New Python Audit Hooks
Secure your Web Application With The New Python Audit HooksNicolas Vivet
 
Testing in FrontEnd World by Nikita Galkin
Testing in FrontEnd World by Nikita GalkinTesting in FrontEnd World by Nikita Galkin
Testing in FrontEnd World by Nikita GalkinSigma Software
 
Generic Test Automation Architecture
Generic Test Automation ArchitectureGeneric Test Automation Architecture
Generic Test Automation ArchitectureTestingCR
 
Managing Egress with Istio
Managing Egress with IstioManaging Egress with Istio
Managing Egress with IstioSolo.io
 
Tooling around in the jdk
Tooling around in the jdkTooling around in the jdk
Tooling around in the jdkBrant Boehmann
 
Automated Low Level Requirements Testing for DO-178C
Automated Low Level Requirements Testing for DO-178CAutomated Low Level Requirements Testing for DO-178C
Automated Low Level Requirements Testing for DO-178CQA Systems
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
Fut Lsi
Fut LsiFut Lsi
Fut Lsipralhad19
 
Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraStudy of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraLogilab
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Ukraine
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Amine Barrak
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersAll Things Open
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
Python Interview Questions And Answers 2019 | Edureka
Python Interview Questions And Answers 2019 | EdurekaPython Interview Questions And Answers 2019 | Edureka
Python Interview Questions And Answers 2019 | EdurekaEdureka!
 
Primers or Reminders? The Effects of Existing Review Comments on Code Review
Primers or Reminders? The Effects of Existing Review Comments on Code ReviewPrimers or Reminders? The Effects of Existing Review Comments on Code Review
Primers or Reminders? The Effects of Existing Review Comments on Code ReviewDelft University of Technology
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfAsegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfJose Manuel Ortega Candel
 
PyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfPyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfJose Manuel Ortega Candel
 

More Related Content

Similar to Testing python security PyCon IE

Intro to Web Development Using Python and Django
Intro to Web Development Using Python and DjangoIntro to Web Development Using Python and Django
Intro to Web Development Using Python and DjangoChariza Pladin
 
Production Time Profiling and Diagnostics on the JVM
Production Time Profiling and Diagnostics on the JVMProduction Time Profiling and Diagnostics on the JVM
Production Time Profiling and Diagnostics on the JVMMarcus Hirt
 
Secure your Web Application With The New Python Audit Hooks
Secure your Web Application With The New Python Audit HooksSecure your Web Application With The New Python Audit Hooks
Secure your Web Application With The New Python Audit HooksNicolas Vivet
 
Testing in FrontEnd World by Nikita Galkin
Testing in FrontEnd World by Nikita GalkinTesting in FrontEnd World by Nikita Galkin
Testing in FrontEnd World by Nikita GalkinSigma Software
 
Generic Test Automation Architecture
Generic Test Automation ArchitectureGeneric Test Automation Architecture
Generic Test Automation ArchitectureTestingCR
 
Managing Egress with Istio
Managing Egress with IstioManaging Egress with Istio
Managing Egress with IstioSolo.io
 
Tooling around in the jdk
Tooling around in the jdkTooling around in the jdk
Tooling around in the jdkBrant Boehmann
 
Automated Low Level Requirements Testing for DO-178C
Automated Low Level Requirements Testing for DO-178CAutomated Low Level Requirements Testing for DO-178C
Automated Low Level Requirements Testing for DO-178CQA Systems
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Amélie Gyrard
 
Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraStudy of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraLogilab
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsGraham Dumpleton
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Ukraine
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Amine Barrak
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersAll Things Open
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security LintersEricBrown328
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesDaniel Bohannon
 
Python Interview Questions And Answers 2019 | Edureka
Python Interview Questions And Answers 2019 | EdurekaPython Interview Questions And Answers 2019 | Edureka
Python Interview Questions And Answers 2019 | EdurekaEdureka!
 
Primers or Reminders? The Effects of Existing Review Comments on Code Review
Primers or Reminders? The Effects of Existing Review Comments on Code ReviewPrimers or Reminders? The Effects of Existing Review Comments on Code Review
Primers or Reminders? The Effects of Existing Review Comments on Code ReviewDelft University of Technology
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)Patricia Aas
 

Similar to Testing python security PyCon IE (20)

Intro to Web Development Using Python and Django
Intro to Web Development Using Python and DjangoIntro to Web Development Using Python and Django
Intro to Web Development Using Python and Django
 
Production Time Profiling and Diagnostics on the JVM
Production Time Profiling and Diagnostics on the JVMProduction Time Profiling and Diagnostics on the JVM
Production Time Profiling and Diagnostics on the JVM
 
Secure your Web Application With The New Python Audit Hooks
Secure your Web Application With The New Python Audit HooksSecure your Web Application With The New Python Audit Hooks
Secure your Web Application With The New Python Audit Hooks
 
Testing in FrontEnd World by Nikita Galkin
Testing in FrontEnd World by Nikita GalkinTesting in FrontEnd World by Nikita Galkin
Testing in FrontEnd World by Nikita Galkin
 
Generic Test Automation Architecture
Generic Test Automation ArchitectureGeneric Test Automation Architecture
Generic Test Automation Architecture
 
Managing Egress with Istio
Managing Egress with IstioManaging Egress with Istio
Managing Egress with Istio
 
Tooling around in the jdk
Tooling around in the jdkTooling around in the jdk
Tooling around in the jdk
 
Automated Low Level Requirements Testing for DO-178C
Automated Low Level Requirements Testing for DO-178CAutomated Low Level Requirements Testing for DO-178C
Automated Low Level Requirements Testing for DO-178C
 
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
Keynote WFIoT2019 - Data Graph, Knowledge Graphs Ontologies, Internet of Thin...
 
Fut Lsi
Fut LsiFut Lsi
Fut Lsi
 
Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on SimulagoraStudy of the dynamic behavior of a pump with Code_ASTER on Simulagora
Study of the dynamic behavior of a pump with Code_ASTER on Simulagora
 
PyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web ApplicationsPyCon AU 2012 - Debugging Live Python Web Applications
PyCon AU 2012 - Debugging Live Python Web Applications
 
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
GlobalLogic Test Automation Online TechTalk “Test Driven Development as a Per...
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
 
Bandit and Gosec - Security Linters
Bandit and Gosec - Security LintersBandit and Gosec - Security Linters
Bandit and Gosec - Security Linters
 
SignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT SignaturesSignaturesAreDead Long Live RESILIENT Signatures
SignaturesAreDead Long Live RESILIENT Signatures
 
Python Interview Questions And Answers 2019 | Edureka
Python Interview Questions And Answers 2019 | EdurekaPython Interview Questions And Answers 2019 | Edureka
Python Interview Questions And Answers 2019 | Edureka
 
Primers or Reminders? The Effects of Existing Review Comments on Code Review
Primers or Reminders? The Effects of Existing Review Comments on Code ReviewPrimers or Reminders? The Effects of Existing Review Comments on Code Review
Primers or Reminders? The Effects of Existing Review Comments on Code Review
 
DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)DevSecOps for Developers, How To Start (ETC 2020)
DevSecOps for Developers, How To Start (ETC 2020)
 

More from Jose Manuel Ortega Candel

Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfAsegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfJose Manuel Ortega Candel
 
PyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfPyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfJose Manuel Ortega Candel
 
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Jose Manuel Ortega Candel
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Jose Manuel Ortega Candel
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfJose Manuel Ortega Candel
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfJose Manuel Ortega Candel
 
Seguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloudSeguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloudJose Manuel Ortega Candel
 
Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud Jose Manuel Ortega Candel
 
Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python Jose Manuel Ortega Candel
 
Sharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sSharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sJose Manuel Ortega Candel
 
Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)Jose Manuel Ortega Candel
 
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodanShodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodanJose Manuel Ortega Candel
 
ELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue TeamELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue TeamJose Manuel Ortega Candel
 
Monitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source toolsMonitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source toolsJose Manuel Ortega Candel
 
Python memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collectorPython memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collectorJose Manuel Ortega Candel
 

More from Jose Manuel Ortega Candel (20)

Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdfAsegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
Asegurando tus APIs Explorando el OWASP Top 10 de Seguridad en APIs.pdf
 
PyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdfPyGoat Analizando la seguridad en aplicaciones Django.pdf
PyGoat Analizando la seguridad en aplicaciones Django.pdf
 
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
Ciberseguridad en Blockchain y Smart Contracts: Explorando los Desafíos y Sol...
 
Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops Evolution of security strategies in K8s environments- All day devops
Evolution of security strategies in K8s environments- All day devops
 
Evolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdfEvolution of security strategies in K8s environments.pdf
Evolution of security strategies in K8s environments.pdf
 
Implementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdfImplementing Observability for Kubernetes.pdf
Implementing Observability for Kubernetes.pdf
 
Computación distribuida usando Python
Computación distribuida usando PythonComputación distribuida usando Python
Computación distribuida usando Python
 
Seguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloudSeguridad en arquitecturas serverless y entornos cloud
Seguridad en arquitecturas serverless y entornos cloud
 
Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud Construyendo arquitecturas zero trust sobre entornos cloud
Construyendo arquitecturas zero trust sobre entornos cloud
 
Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python Tips and tricks for data science projects with Python
Tips and tricks for data science projects with Python
 
Sharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8sSharing secret keys in Docker containers and K8s
Sharing secret keys in Docker containers and K8s
 
Implementing cert-manager in K8s
Implementing cert-manager in K8sImplementing cert-manager in K8s
Implementing cert-manager in K8s
 
Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)Python para equipos de ciberseguridad(pycones)
Python para equipos de ciberseguridad(pycones)
 
Python para equipos de ciberseguridad
Python para equipos de ciberseguridad Python para equipos de ciberseguridad
Python para equipos de ciberseguridad
 
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodanShodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
Shodan Tips and tricks. Automatiza y maximiza las búsquedas shodan
 
ELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue TeamELK para analistas de seguridad y equipos Blue Team
ELK para analistas de seguridad y equipos Blue Team
 
Monitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source toolsMonitoring and managing Containers using Open Source tools
Monitoring and managing Containers using Open Source tools
 
Python Memory Management 101(Europython)
Python Memory Management 101(Europython)Python Memory Management 101(Europython)
Python Memory Management 101(Europython)
 
SecDevOps containers
SecDevOps containersSecDevOps containers
SecDevOps containers
 
Python memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collectorPython memory managment. Deeping in Garbage collector
Python memory managment. Deeping in Garbage collector
 

Recently uploaded

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking MenDelhi Call girls
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilV3cube
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 

Recently uploaded (20)

08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

Testing python security PyCon IE

  • 1. Testing python security PyconIE 2018 1 @jmortegac Testing Python Security José Manuel Ortega @jmortegac
  • 2. Testing python security PyconIE 2018 2 @jmortegac ● Develop Python scripts for automating security and pentesting tasks ● Discover the Python standard library's main modules used for performing security-related tasks ● Automate analytical tasks and the extraction of information from servers ● Explore processes for detecting and exploiting vulnerabilities in servers ● Use network software for Python programming ● Perform server scripting and port scanning with Python ● Identify vulnerabilities in web applications with Python ● Use Python to extract metadata and forensics
  • 3. Testing python security PyconIE 2018 3 @jmortegac jmortega.github.io
  • 4. Testing python security PyconIE 2018 4 @jmortegac 1. Secure coding 2. Dangerous functions 3. Common attack vectors 4. Static analisys tools 5. Other security issues
  • 5. Testing python security PyconIE 2018 5 @jmortegac Secure coding 1. Analysis of architectures involved 2. Review of implementation details 3. Verification of code logic and syntax 4. Operational testing (unit testing, white-box) 5. Functional testing (black-box)
  • 6. Testing python security PyconIE 2018 6 @jmortegac Unsafe python components
  • 7. Testing python security PyconIE 2018 7 @jmortegac Dangerous Python Functions
  • 8. Testing python security PyconIE 2018 8 @jmortegac Security issues Here’s a list of handful of other potential issues to watch for: ● Dangerous python functions like eval() ● Serialization and deserialization objects with pickle ● SQL and JavaScript snippets ● API keys included in source code ● HTTP calls to internal or external web services
  • 9. Testing python security PyconIE 2018 9 @jmortegac Improper input/output validation
  • 10. Testing python security PyconIE 2018 10 @jmortegac eval() eval(expression[, globals[, locals]])
  • 11. Testing python security PyconIE 2018 11 @jmortegac eval() No globals
  • 12. Testing python security PyconIE 2018 12 @jmortegac eval() eval("__import__('os').system('clear') ", {}) eval("__import__('os').system('rm -rf')", {})
  • 13. Testing python security PyconIE 2018 13 @jmortegac eval() Refuse access to the builtins
  • 14. Testing python security PyconIE 2018 14 @jmortegac eval()
  • 15. Testing python security PyconIE 2018 15 @jmortegac Serialization and Deserialization with Pickle WARNING: pickle or cPickle are NOT designed as safe/secure solution for serialization
  • 16. Testing python security PyconIE 2018 16 @jmortegac Serialization and Deserialization with Pickle
  • 17. Testing python security PyconIE 2018 17 @jmortegac Serialization and Deserialization with Pickle
  • 18. Testing python security PyconIE 2018 18 @jmortegac Serialization and Deserialization with Pickle
  • 19. Testing python security PyconIE 2018 19 @jmortegac Serialization and Deserialization with Pickle
  • 20. Testing python security PyconIE 2018 20 @jmortegac Security issues Overflow errors ● The buffer overflow ● The integer or arithmetic overflow >> print xrange(2**63) Traceback (most recent call last): File "<stdin>", line 1, in <module> OverflowError: Python int too large to convert to C long >>> print range(2**63) Traceback (most recent call last): File "<stdin>", line 1, in <module> OverflowError: range() result has too many items
  • 21. Testing python security PyconIE 2018 21 @jmortegac Input injection attacks
  • 22. Testing python security PyconIE 2018 22 @jmortegac Command Injection @app.route('/menu',methods =['POST']) def menu(): param = request.form [ ' suggestion '] command = ' echo ' + param + ' >> ' + ' menu.txt ' subprocess.call(command,shell = True) with open('menu.txt','r') as f: menu = f.read() return render_template('command_injection.html', menu = menu)
  • 23. Testing python security PyconIE 2018 23 @jmortegac Command Injection @app.route('/menu',methods =['POST']) def menu(): param = request.form [ ' suggestion '] command = ' echo ' + param + ' >> ' + ' menu.txt ' subprocess.call(command,shell = False) with open('menu.txt','r') as f: menu = f.read() return render_template('command_injection.html', menu = menu)
  • 24. Testing python security PyconIE 2018 24 @jmortegac Command Injection
  • 25. Testing python security PyconIE 2018 25 @jmortegac shlex module
  • 26. Testing python security PyconIE 2018 26 @jmortegac PyExecCmd
  • 27. Testing python security PyconIE 2018 27 @jmortegac Common attack vectors on web applications OWASP TOP 10: A1 Injection A2 Broken Authentication and Session Management A3 Cross-Site Scripting (XSS) A4 Insecure Direct Object References A5 Security Misconfiguration A6 Sensitive Data Exposure A7 Missing Function Level Access Control A8 Cross-Site Request Forgery (CSRF) A9 Using Components with Known Vulnerabilities A10 Unvalidated Redirects and Forwards
  • 28. Testing python security PyconIE 2018 28 @jmortegac SQL Injection @app.route('/filtering') def filtering(): param = request.args.get('param', 'not set') Session = sessionmaker(bind = db.engine) session = Session() result = session.query(User).filter(" username ={} ".format(param)) for value in result: print(value.username , value.email) return ' Result is displayed in console.'
  • 29. Testing python security PyconIE 2018 29 @jmortegac Prevent SQL injection attacks Prevent SQL injection attacks ● NEVER concatenate untrusted inputs in SQL code. ● Concatenate constant fragments of SQL (literals) with parameter placeholders. ● cur.execute("SELECT * FROM students WHERE name= '%s';" % name) ● c.execute("SELECT * from students WHERE name=(?)" , name)
  • 30. Testing python security PyconIE 2018 30 @jmortegac Prevent SQL injection attacks
  • 31. Testing python security PyconIE 2018 31 @jmortegac XSS from flask import Flask , request , make_response app = Flask(__name__) @app.route ('/XSS_param',methods =['GET ]) def XSS(): param = request.args.get('param','not set') html = open('templates/XSS_param.html ').read() resp = make_response(html.replace('{{ param}}',param)) return resp if __name__ == ' __main__ ': app.run(debug = True)
  • 32. Testing python security PyconIE 2018 32 @jmortegac XSS Server Side Template Injection (SSTI)
  • 33. Testing python security PyconIE 2018 33 @jmortegac XSS
  • 34. Testing python security PyconIE 2018 34 @jmortegac XSS
  • 35. Testing python security PyconIE 2018 35 @jmortegac Automated security testing Automatic Scanning tools: ● SQLMap: Sql injection ● XSScrapy: Sql injection and XSS Source Code Analysis tools: ● Bandit: Open Source and can be easily integrated with Jenkins CI/CD
  • 36. Testing python security PyconIE 2018 36 @jmortegac XSScrapy https://github.com/DanMcInerney/xsscrapy
  • 37. Testing python security PyconIE 2018 37 @jmortegac SQLMap
  • 38. Testing python security PyconIE 2018 38 @jmortegac SQLMap
  • 39. Testing python security PyconIE 2018 39 @jmortegac Bandit
  • 40. Testing python security PyconIE 2018 40 @jmortegac Bandit
  • 41. Testing python security PyconIE 2018 41 @jmortegac Bandit Test plugins
  • 42. Testing python security PyconIE 2018 42 @jmortegac Bandit Test plugins
  • 43. Testing python security PyconIE 2018 43 @jmortegac Bandit Test plugins
  • 44. Testing python security PyconIE 2018 44 @jmortegac Bandit Test plugins
  • 45. Testing python security PyconIE 2018 45 @jmortegac Bandit Test plugins
  • 46. Testing python security PyconIE 2018 46 @jmortegac Bandit Test plugins
  • 47. Testing python security PyconIE 2018 47 @jmortegac Bandit Test plugins SELECT %s FROM derp;” % var “SELECT thing FROM ” + tab “SELECT ” + val + ” FROM ” + tab + … “SELECT {} FROM derp;”.format(var)
  • 48. Testing python security PyconIE 2018 48 @jmortegac Syntribos Buffer Overflow Command Injection CORS Wildcard Integer Overflow LDAP Injection SQL Injection String Validation XML External Entity Cross Site Scripting (XSS) Regex Denial of Service (ReDoS)
  • 49. Testing python security PyconIE 2018 49 @jmortegac Other security issues CPython vulnerabilities
  • 50. Testing python security PyconIE 2018 50 @jmortegac Other security issues Insecure packages – acqusition (uploaded 2017-06-03 01:58:01, impersonates acquisition) – apidev-coop (uploaded 2017-06-03 05:16:08, impersonates apidev-coop_cms) – bzip (uploaded 2017-06-04 07:08:05, impersonates bz2file) – crypt (uploaded 2017-06-03 08:03:14, impersonates crypto) – django-server (uploaded 2017-06-02 08:22:23, impersonates django-server-guardian-api) – pwd (uploaded 2017-06-02 13:12:33, impersonates pwdhash) – setup-tools (uploaded 2017-06-02 08:54:44, impersonates setuptools) – telnet (uploaded 2017-06-02 15:35:05, impersonates telnetsrvlib) – urlib3 (uploaded 2017-06-02 07:09:29, impersonates urllib3) – urllib (uploaded 2017-06-02 07:03:37, impersonates urllib3)
  • 51. Testing python security PyconIE 2018 51 @jmortegac Other security issues
  • 52. Testing python security PyconIE 2018 52 @jmortegac Interesting links https://github.com/jmortega/testing_python_security
  • 53. Testing python security PyconIE 2018 53 @jmortegac Interesting links https://security.openstack.org/#bandit-static-analysis-for-python https://security.openstack.org/guidelines/dg_use-subprocess-securely.html https://security.openstack.org/guidelines/dg_avoid-shell-true.html https://security.openstack.org/guidelines/dg_parameterize-database-querie s.html https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin g-libraries.html
  • 54. Testing python security PyconIE 2018 54 @jmortegac Q&A Q & A