Python is a language that in a easy way allows to scale up from starter projects to complex applications for data processing and serving dynamic web pages. But as you increase complexity in your applications, it can be easy to introduce potential problems and vulnerabilities. In this talk José Manuel Ortega will talk about the common security problems in Python code, like remote command execution and SQL injections. Of course he'll show to to prevent against these and other types of vulnerabilities. https://pyconweb.com/talks/26-05-2019/testing-python-security

1. Testing python security
PyconWeb 2019 1 @jmortegac
Testing Python
Security
José Manuel Ortega
@jmortegac

2. Testing python security
PyconWeb 2019 2 @jmortegac
jmortega.github.io

3. Testing python security
PyconWeb 2019 3 @jmortegac
● Develop Python scripts for automating security and
pentesting tasks
● Discover the Python standard library's main modules
used for performing security-related tasks
● Automate analytical tasks and the extraction of
information from servers
● Explore processes for detecting and exploiting
vulnerabilities in servers
● Use network software for Python programming
● Perform server scripting and port scanning with Python
● Identify vulnerabilities in web applications with Python
● Use Python to extract metadata and forensics

4. Testing python security
PyconWeb 2019 4 @jmortegac

5. Testing python security
PyconWeb 2019 5 @jmortegac
1. Python dangerous functions
2. Common attack vectors
3. Static analisys tools
4. Other security issues

6. Testing python security
PyconWeb 2019 6 @jmortegac
Unsafe python components

7. Testing python security
PyconWeb 2019 7 @jmortegac
Dangerous Python Functions

8. Testing python security
PyconWeb 2019 8 @jmortegac
Security issues
Here’s a list of handful of other potential issues to
watch for:
● Dangerous python functions like eval()
● Serialization and deserialization objects with
pickle
● SQL and JavaScript snippets

9. Testing python security
PyconWeb 2019 9 @jmortegac
Improper input/output validation

10. Testing python security
PyconWeb 2019 10 @jmortegac
eval()
eval(expression[, globals[, locals]])

11. Testing python security
PyconWeb 2019 11 @jmortegac
eval()
No globals

12. Testing python security
PyconWeb 2019 12 @jmortegac
eval()
eval("__import__('os').system('clear')
", {})
eval("__import__('os').system('rm -rf')", {})

13. Testing python security
PyconWeb 2019 13 @jmortegac
eval()
Refuse access to the builtins

14. Testing python security
PyconWeb 2019 14 @jmortegac
eval()
https://docs.python.org/3/library/ast.html#ast.liter
al_eval

15. Testing python security
PyconWeb 2019 15 @jmortegac
Serialization and Deserialization with Pickle
WARNING: pickle or cPickle are NOT designed as
safe/secure solution for serialization

16. Testing python security
PyconWeb 2019 16 @jmortegac
Serialization and Deserialization with Pickle

17. Testing python security
PyconWeb 2019 17 @jmortegac
Serialization and Deserialization with Pickle

18. Testing python security
PyconWeb 2019 18 @jmortegac
Serialization and Deserialization with Pickle

19. Testing python security
PyconWeb 2019 19 @jmortegac
Serialization and Deserialization with Pickle

20. Testing python security
PyconWeb 2019 20 @jmortegac
Input injection attacks

21. Testing python security
PyconWeb 2019 21 @jmortegac
Command Injection
@app.route('/menu',methods =['POST'])
def menu():
param = request.form [ ' suggestion ']
command = ' echo ' + param + ' >> ' + ' menu.txt '
subprocess.call(command,shell = True)
with open('menu.txt','r') as f:
menu = f.read()
return render_template('command_injection.html',
menu = menu)

22. Testing python security
PyconWeb 2019 22 @jmortegac
Command Injection
@app.route('/menu',methods =['POST'])
def menu():
param = request.form [ ' suggestion ']
command = ' echo ' + param + ' >> ' + ' menu.txt '
subprocess.call(command,shell = False)
with open('menu.txt','r') as f:
menu = f.read()
return render_template('command_injection.html',
menu = menu)

23. Testing python security
PyconWeb 2019 23 @jmortegac
Command Injection

24. Testing python security
PyconWeb 2019 24 @jmortegac
Command Injection
>>> ping('8.8.8.8; rm -rf /')
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=6.32 ms
rm: cannot remove `/bin/dbus-daemon': Permission denied
rm: cannot remove `/bin/dbus-uuidgen': Permission denied
rm: cannot remove `/bin/dbus-cleanup-sockets': Permission denied
rm: cannot remove `/bin/cgroups-mount': Permission denied
rm: cannot remove `/bin/cgroups-umount': Permission denied
>>> ping('8.8.8.8; rm -rf /')
ping: unknown host 8.8.8.8; rm -rf /

25. Testing python security
PyconWeb 2019 25 @jmortegac
shlex module

26. Testing python security
PyconWeb 2019 26 @jmortegac
Common attack vectors
OWASP TOP 10:
A1 Injection
A2 Broken Authentication and Session Management
A3 Cross-Site Scripting (XSS)
A4 Insecure Direct Object References
A5 Security Misconfiguration
A6 Sensitive Data Exposure
A7 Missing Function Level Access Control
A8 Cross-Site Request Forgery (CSRF)
A9 Using Components with Known Vulnerabilities
A10 Unvalidated Redirects and Forwards

27. Testing python security
PyconWeb 2019 27 @jmortegac
SQL Injection
@app.route('/filtering')
def filtering():
param = request.args.get('param', 'not set')
Session = sessionmaker(bind = db.engine)
session = Session()
result = session.query(User).filter(" username ={}
".format(param))
for value in result:
print(value.username , value.email)
return ' Result is displayed in console.'

28. Testing python security
PyconWeb 2019 28 @jmortegac
Prevent SQL injection attacks
Prevent SQL injection attacks
● NEVER concatenate untrusted inputs in SQL
code.
● Concatenate constant fragments of SQL
(literals) with parameter placeholders.
● cur.execute("SELECT * FROM students
WHERE name= '%s';" % name)
● c.execute("SELECT * from students WHERE
name=(?)" , name)

29. Testing python security
PyconWeb 2019 29 @jmortegac
XSS
from flask import Flask , request , make_response
app = Flask(__name__)
@app.route ('/XSS_param',methods =['GET ])
def XSS():
param = request.args.get('param','not set')
html = open('templates/XSS_param.html ').read()
resp = make_response(html.replace('{{ param}}',param))
return resp
if __name__ == ' __main__ ':
app.run(debug = True)

30. Testing python security
PyconWeb 2019 30 @jmortegac
XSS
Server Side Template Injection (SSTI)

31. Testing python security
PyconWeb 2019 31 @jmortegac
XSS

32. Testing python security
PyconWeb 2019 32 @jmortegac
XSS

33. Testing python security
PyconWeb 2019 33 @jmortegac
Automated security testing
Automatic Scanning tools:
● SQLMap: Sql injection
● XSScrapy: Sql injection and XSS
Source Code Analysis tools:
● Bandit: Open Source and can be
easily integrated with Jenkins CI/CD

34. Testing python security
PyconWeb 2019 34 @jmortegac
SQLMap

35. Testing python security
PyconWeb 2019 35 @jmortegac
SQLMap

36. Testing python security
PyconWeb 2019 36 @jmortegac
Bandit

37. Testing python security
PyconWeb 2019 37 @jmortegac
Bandit

38. Testing python security
PyconWeb 2019 38 @jmortegac
Bandit Test plugins

39. Testing python security
PyconWeb 2019 39 @jmortegac
Bandit Test plugins

40. Testing python security
PyconWeb 2019 40 @jmortegac
Bandit Test plugins

41. Testing python security
PyconWeb 2019 41 @jmortegac
Bandit Test plugins

42. Testing python security
PyconWeb 2019 42 @jmortegac
Bandit Test plugins

43. Testing python security
PyconWeb 2019 43 @jmortegac
Bandit Test plugins
SELECT %s FROM derp;” % var
“SELECT thing FROM ” + tab
“SELECT ” + val + ” FROM ” + tab + …
“SELECT {} FROM derp;”.format(var)

44. Testing python security
PyconWeb 2019 44 @jmortegac
Tools

45. Testing python security
PyconWeb 2019 45 @jmortegac
Tools

46. Testing python security
PyconWeb 2019 46 @jmortegac
Other security issues
Insecure packages

47. Testing python security
PyconWeb 2019 47 @jmortegac
Interesting links
https://github.com/jmortega/testing_python_security

48. Testing python security
PyconWeb 2019 48 @jmortegac
Interesting links
https://security.openstack.org/#bandit-static-analysis-for-python
https://security.openstack.org/guidelines/dg_use-subprocess-securely.html
https://security.openstack.org/guidelines/dg_avoid-shell-true.html
https://security.openstack.org/guidelines/dg_parameterize-database-querie
s.html
https://security.openstack.org/guidelines/dg_cross-site-scripting-xss.html
https://security.openstack.org/guidelines/dg_avoid-dangerous-input-parsin
g-libraries.html

49. Testing python security
PyconWeb 2019 49 @jmortegac