Python is a language that in a easy way allows to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase complexity in your applications, it can be easy to introduce potential problems and vulnerabilities. In this talk, I will highlight the biggest problems we can find in python functions, how to use then in a secure way and tools and services that help you identify vulnerabilities in the python source code. These could be the main talking points:
-Introduction to secure programming in python.
-Introduce dangerous functions for code inyection and how we can solve this issues from a security point of view.
-Common attack vectors on Python applications like Remote Command Execution and SQL injection
-Best practices for avoid execution of malicious commands
-Tools that help us to protect and obfuscate our source code
2. Testing python security
PyconIE 2018 2 @jmortegac
● Develop Python scripts for automating security and
pentesting tasks
● Discover the Python standard library's main modules
used for performing security-related tasks
● Automate analytical tasks and the extraction of
information from servers
● Explore processes for detecting and exploiting
vulnerabilities in servers
● Use network software for Python programming
● Perform server scripting and port scanning with Python
● Identify vulnerabilities in web applications with Python
● Use Python to extract metadata and forensics
8. Testing python security
PyconIE 2018 8 @jmortegac
Security issues
Here’s a list of handful of other potential issues to
watch for:
● Dangerous python functions like eval()
● Serialization and deserialization objects with
pickle
● SQL and JavaScript snippets
● API keys included in source code
● HTTP calls to internal or external web services
15. Testing python security
PyconIE 2018 15 @jmortegac
Serialization and Deserialization with Pickle
WARNING: pickle or cPickle are NOT designed as
safe/secure solution for serialization
20. Testing python security
PyconIE 2018 20 @jmortegac
Security issues
Overflow errors
● The buffer overflow
● The integer or arithmetic overflow
>> print xrange(2**63)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OverflowError: Python int too large to convert to C long
>>> print range(2**63)
Traceback (most recent call last):
File "<stdin>", line 1, in <module>
OverflowError: range() result has too many items
27. Testing python security
PyconIE 2018 27 @jmortegac
Common attack vectors on web applications
OWASP TOP 10:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards
28. Testing python security
PyconIE 2018 28 @jmortegac
SQL Injection
@app.route('/filtering')
def filtering():
param = request.args.get('param', 'not set')
Session = sessionmaker(bind = db.engine)
session = Session()
result = session.query(User).filter(" username ={}
".format(param))
for value in result:
print(value.username , value.email)
return ' Result is displayed in console.'
29. Testing python security
PyconIE 2018 29 @jmortegac
Prevent SQL injection attacks
Prevent SQL injection attacks
● NEVER concatenate untrusted inputs in SQL
code.
● Concatenate constant fragments of SQL
(literals) with parameter placeholders.
● cur.execute("SELECT * FROM students
WHERE name= '%s';" % name)
● c.execute("SELECT * from students WHERE
name=(?)" , name)