Is your Python application secure?
Frédéric Harper
@fharper
http://immun.io
Sr. Technical Evangelist @ IMMUNIO
Pycon Canada – 2015-11-07
Creative Commons: https://flic.kr/p/34T4Z
is security important?
Creative Commons: https://flic.kr/p/s8hvJo
do you have time?
Creative Commons: https://flic.kr/p/b7wRTX
do you have the expertise?
Creative Commons: https://flic.kr/p/n7qDvJ
do you have the money?
Creative Commons: https://flic.kr/p/rAG5dm
is your app that secure?
Creative Commons: https://flic.kr/p/bY6uU7
what about legacy apps?
Creative Commons: https://flic.kr/p/7fFQug
it’s probably happening, now
Creative Commons: https://flic.kr/p/acnkbU
...
warning
Creative Commons: https://flic.kr/p/oosB
I succeed if…
Creative Commons: https://flic.kr/p/ehZRGj
mess
with the best
die like the rest
SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
MIT: http://j.mp/1kKuced
no password required
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary script in
your pages, inside your customers' browsers, which enables:
• Hijack of legitimate user sessions
• Disclosure of sensitive information
• Access to privileged services and functionality
• Delivery of malware and browser exploits from your trusted domain
Cross-Site Scripting
MIT: http://j.mp/1kKuced
Search
or not
Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution: user input reaches a shell (os.system, subprocess with shell=True)
2. Eval Execution: user input reaches the Python interpreter (eval, exec)
Remote Command Execution
• Brute force
• Common username
• Cookie tampering
• CSRF tampering
• Excessive 4XX & 5XX
• HTTP method tampering
• HTTP response splitting
• Redirect
• Session farming
• Session hijack
• Stolen account
• Shellshock
• Suspicious Exception
• Suspicious HTTP header
• Unauthorized file access
• Username hijack
…
follow
the
white rabbit
anything from users is unsafe
Creative Commons: https://flic.kr/p/m2BKPn
import subprocess
from shlex import quote  # Python 3.3+; on Python 2 the same function is pipes.quote

# shell=True hands the string to /bin/sh, so any user-controlled text in it is
# parsed by the shell (pipes, ';', globbing, variable expansion...)
cp = subprocess.Popen('ls -l', shell=True)
# the default (shell=False) executes the program directly with an argument list:
# shell features are disabled (no pipe, no ';'), nothing gets reinterpreted
cp = subprocess.Popen(['ls', '-l'])

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(filename)
print(command) # noooooooooo
# prints: ls -l somefile; rm -rf ~

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(quote(filename))
print(command) # better luck next time
# prints: ls -l 'somefile; rm -rf ~'
shell & quote
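The three forms from the slide side by side, as an added example that is not code from the talk: the interpolated command line, the shlex.quote'd one, and the argument-list call that involves no shell at all. The payload is the slide's own 'somefile; rm -rf ~'. Two assumptions are mine: shlex.split stands in for the shell's word splitting (it shows word boundaries but does not interpret ';' or '~'), and the child process is a Python one-liner that echoes its argv back, so the block runs without ls being installed.

```python
import json
import shlex
import subprocess
import sys

# Constructed sample input: a "filename" carrying the payload from the slide.
MALICIOUS_NAME = "somefile; rm -rf ~"


def unsafe_command(filename):
    """String interpolation: the payload becomes part of the shell command line."""
    return "ls -l {}".format(filename)


def quoted_command(filename):
    """shlex.quote wraps the value so /bin/sh treats it as exactly one word."""
    return "ls -l {}".format(shlex.quote(filename))


def shell_words(command):
    """Split a command line into words roughly the way a POSIX shell would.
    shlex does not interpret ';' or '~', so this only shows the word boundaries:
    the unsafe form yields six words, the quoted form three."""
    return shlex.split(command)


def argv_seen_by_child(filename):
    """No shell at all: the argument list goes straight to exec(), so the whole
    filename arrives in the child as a single argv entry regardless of the
    characters it contains. A Python child echoes its argv (assumption: stands
    in for ls so the example does not depend on it being installed)."""
    echo = "import json, sys; print(json.dumps(sys.argv[1:]))"
    proc = subprocess.run(
        [sys.executable, "-c", echo, "-l", filename],
        capture_output=True, text=True, check=True,
    )
    return json.loads(proc.stdout)


if __name__ == "__main__":
    for build in (unsafe_command, quoted_command):
        cmd = build(MALICIOUS_NAME)
        print(cmd, "->", shell_words(cmd))
    print(argv_seen_by_child(MALICIOUS_NAME))
```

Prefer the argument-list form whenever the program is fixed and only its arguments vary; reach for shlex.quote only when a shell string is unavoidable (a pipeline you cannot express otherwise), and then quote every user-controlled piece of it.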
# unsafe flask example: user input is concatenated straight into the HTML response
from flask import Flask, request
app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name', '')
    return "Hello %s" % name

# using escape function (alternative to the handler above): < > & " ' become
# HTML entities before they reach the browser. The talk used
# "from flask import escape"; flask.escape was removed in Flask 2.3, and it
# was always markupsafe.escape, so import it from there
from markupsafe import escape

@app.route("/")
def hello():
    name = request.args.get('name', '')
    return "Hello %s" % escape(name)
escape
use a framework
Creative Commons: https://flic.kr/p/cHto9S
# unsafe flask example
@app.route("/")
def hello():
    name = request.args.get('name', '')
    return "Hello %s" % name

# using a template (alternative to the handler above): Flask turns on Jinja2
# autoescaping for .html templates, so {{ name }} is escaped without the view
# having to remember to call escape()
from flask import render_template

@app.route("/")
def hello():
    name = request.args.get('name', '')
    return render_template('hello.html', name=name)
# where templates/hello.html is:
# <html>Hello {{ name }}</html>
templates
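An added example, not code from the talk or from Flask, serving both the escape slide and the templates slide above. It uses the standard library's html.escape (the same entity substitution markupsafe.escape performs) and a toy {{ name }} renderer, my stand-in for a Jinja2 template with autoescaping on that assumes only simple placeholders, so nothing beyond the standard library is needed. The payload is the one from the talk's XSS demo. The last function shows the caveat a practitioner needs: escaping is context-dependent, and an escaped javascript: URL inside href is still executed by the browser, so URLs need a scheme allow-list on top of escaping.

```python
import html
import re
from urllib.parse import urlsplit

# Constructed sample input: the payload from the talk's XSS demo.
XSS_PAYLOAD = "<script>alert('Hi!')</script>"


def hello_unsafe(name):
    """The slide's unsafe handler: user input is concatenated into HTML as-is."""
    return "Hello %s" % name


def hello_escaped(name):
    """html.escape(quote=True) turns & < > " ' into entities, the same
    transformation markupsafe.escape (the function behind flask.escape) applies."""
    return "Hello %s" % html.escape(name, quote=True)


_PLACEHOLDER = re.compile(r"\{\{\s*(\w+)\s*\}\}")


def render_autoescaped(template, **context):
    """Toy stand-in for a Jinja2 template with autoescaping on (assumption: only
    simple {{ name }} placeholders, no filters or blocks). Every substituted
    value is escaped, so the template author cannot forget to do it."""
    def substitute(match):
        return html.escape(str(context[match.group(1)]), quote=True)
    return _PLACEHOLDER.sub(substitute, template)


def is_safe_href(url):
    """Escaping is context-specific: inside href="..." the string
    javascript:alert(1) contains nothing to escape, yet the browser runs it.
    Only absolute http(s) URLs pass this allow-list (relative URLs would need
    their own rule, left out here)."""
    return urlsplit(url).scheme.lower() in ("http", "https")


if __name__ == "__main__":
    print(hello_unsafe(XSS_PAYLOAD))
    print(hello_escaped(XSS_PAYLOAD))
    print(render_autoescaped("<html>Hello {{ name }}</html>", name=XSS_PAYLOAD))
    print(render_autoescaped('<a href="{{ url }}">x</a>', url="javascript:alert(1)"))
    print(is_safe_href("javascript:alert(1)"), is_safe_href("https://example.com/"))
```

The same reasoning applies to values placed inside inline <script> blocks or event-handler attributes: HTML entity escaping is only correct for text nodes and quoted attribute values, which is why frameworks expose separate filters for other contexts.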
# Unsafe example using the Python DB API: the values are pasted into the SQL
# text, so a quote inside name or id rewrites the query
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)

# Parameterize the query instead (strictly this is not sanitizing: the SQL text
# stays fixed and the driver sends the values separately, so they can never
# change the query's structure; note there are no quotes around the placeholders)
cmd = "update people set name=%s where id=%s"
curs.execute(cmd, (name, id))
# Placeholder syntax depends on the driver's paramstyle: %s for psycopg2 and
# MySQLdb, ? for sqlite3
sanitize
# Unsafe example using the Python DB API
cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode)
curs.execute(cmd)

# Using the Django ORM: filter() builds a parameterized query underneath, so
# zipcode is sent as a value, never spliced into the SQL (the protection is
# lost again if you format strings into .raw() or .extra())
users = Users.objects.filter(zip_code=zipcode)
object-relational mapper
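Added example, not code from the talk, showing the zip code lookup from the two slides above against a real database: the formatted query leaks every user when the value contains a quote, the parameterized one returns nothing because the payload is compared as a literal string. It uses an in-memory sqlite3 database with three constructed users (my assumption, so it runs offline); sqlite3's paramstyle is '?', where the slide's psycopg2/MySQLdb-style code uses %s. An ORM such as Django's does the parameterized version for you.

```python
import sqlite3

# Constructed sample input: what a user could type into the zip code field.
PAYLOAD = "' OR '1'='1"


def make_db():
    """In-memory SQLite with three constructed users (two share a zip code)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, zip_code TEXT)")
    conn.executemany(
        "INSERT INTO users (name, zip_code) VALUES (?, ?)",
        [("alice", "H2X 1Y4"), ("bob", "M5V 2T6"), ("carol", "H2X 1Y4")],
    )
    conn.commit()
    return conn


def users_by_zip_unsafe(conn, zipcode):
    """The slide's pattern: the value is pasted into the SQL text, so a quote in
    it closes the literal and the rest becomes part of the WHERE clause."""
    cmd = "SELECT name FROM users WHERE zip_code='%s' ORDER BY id" % zipcode
    return [row[0] for row in conn.execute(cmd)]


def users_by_zip_safe(conn, zipcode):
    """Parameterized: the SQL text is fixed and the value travels separately, so
    the driver never lets it change the query's structure. sqlite3's paramstyle
    is 'qmark' (?); psycopg2 and MySQLdb use %s."""
    cmd = "SELECT name FROM users WHERE zip_code=? ORDER BY id"
    return [row[0] for row in conn.execute(cmd, (zipcode,))]


def demo():
    """Runs both lookups with a legitimate value and with the payload."""
    conn = make_db()
    return {
        "legit": users_by_zip_safe(conn, "H2X 1Y4"),
        "unsafe_with_payload": users_by_zip_unsafe(conn, PAYLOAD),
        "safe_with_payload": users_by_zip_safe(conn, PAYLOAD),
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The unsafe query the database actually sees for the payload is SELECT name FROM users WHERE zip_code='' OR '1'='1' ORDER BY id, which is why every row comes back; the parameterized query compares zip_code against the literal eleven-character string and matches nothing.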
# My awesome Python skills: the code to run is a string, and anything that can
# influence that string can run arbitrary Python
s = 'print("Hello, World!")'
exec(s)

# Refactor using a function: same behaviour, nothing to inject into
def print_hello_world():
    print("Hello, World!")

print_hello_world()
avoid exec (if possible)
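Two replacements for the usual reasons people reach for eval/exec, as an added example that is not from the talk: ast.literal_eval when the input is supposed to be data (a list, a dict, a number), and a dispatch table when the input is supposed to pick an action. The sample inputs are constructed; the length cap is my assumption, there because literal_eval still has to parse the text and deeply nested input can exhaust the parser even though it never executes anything.

```python
import ast

# Constructed sample inputs: what a user might submit where an application is
# tempted to reach for eval()/exec().
USER_LITERAL = "[1, 2, {'zip': 'H2X 1Y4'}]"
USER_ATTACK = "__import__('os').system('id')"


def parse_literal(text, max_len=1000):
    """ast.literal_eval accepts only Python literals (numbers, strings, tuples,
    lists, dicts, sets, booleans, None). Calls, attribute access and names are
    rejected with ValueError instead of being executed. The length cap
    (assumption) keeps hostile nesting from exhausting the parser."""
    if len(text) > max_len:
        raise ValueError("input too long")
    return ast.literal_eval(text)


def is_literal(text):
    try:
        parse_literal(text)
        return True
    except (ValueError, SyntaxError):
        return False


def print_hello_world():
    print("Hello, World!")


def print_goodbye():
    print("Goodbye.")


# Dispatch table: the user picks an action by name, never by code.
ACTIONS = {"hello": print_hello_world, "bye": print_goodbye}


def run_action(name):
    """Runs the named action and returns the function name, or None when the
    name is not in the table. Compare with exec('%s()' % name), which would
    happily run whatever callable expression the user supplied."""
    func = ACTIONS.get(name)
    if func is None:
        return None
    func()
    return func.__name__


if __name__ == "__main__":
    print(parse_literal(USER_LITERAL))
    print(is_literal(USER_ATTACK))
    print(run_action("hello"), run_action(USER_ATTACK))
```

If the input really has to be an expression (a user-defined formula, say), the answer is still not eval: parse it with a small grammar or walk the ast.parse tree and allow only the node types you expect.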
ORM libraries
Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
OWASP XSS Cheat Sheet
Strengths
• Scales Well
• Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (for example because the libraries it depends on are not available to the analyzer).
static code analysis
MIT: http://j.mp/1kKuced
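What a static analyzer actually does on the patterns from this talk, as an added example (my code, not the talk's and not any real tool's): a walk over Python's own ast that flags subprocess calls with shell=True, eval/exec, and cursor.execute() calls whose SQL was built by string formatting, the kind of check tools such as Bandit perform. The sample source is constructed from the slides. The finder follows one assignment within a module (cmd = "..." % x; curs.execute(cmd)) but nothing across function boundaries, which illustrates both the strength (high-confidence hits on simple flows) and the weakness (it cannot see configuration or flows it does not model) listed above.

```python
import ast

# Constructed sample: a module mixing the unsafe and safe patterns from the slides.
SAMPLE_SOURCE = '''\
import subprocess
cp = subprocess.Popen("ls -l " + filename, shell=True)
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)
curs.execute("update people set name=%s where id=%s", (name, id))
exec(s)
'''


def _callee_name(node):
    """'Popen' for subprocess.Popen(...), 'execute' for curs.execute(...), 'exec' for exec(...)."""
    if isinstance(node.func, ast.Attribute):
        return node.func.attr
    if isinstance(node.func, ast.Name):
        return node.func.id
    return ""


def _is_formatted(node):
    """True for f-strings, 'str' % ..., 'str' + name and 'str'.format(...);
    'a' + 'b' (all constants) is deliberately not flagged."""
    if isinstance(node, ast.JoinedStr):
        return True
    if isinstance(node, ast.BinOp) and isinstance(node.op, (ast.Mod, ast.Add)):
        sides = (node.left, node.right)
        has_str = any(isinstance(s, ast.Constant) and isinstance(s.value, str) for s in sides)
        all_const = all(isinstance(s, ast.Constant) for s in sides)
        return has_str and not all_const
    if isinstance(node, ast.Call) and isinstance(node.func, ast.Attribute) and node.func.attr == "format":
        target = node.func.value
        return isinstance(target, ast.Constant) and isinstance(target.value, str)
    return False


class InsecureCallFinder(ast.NodeVisitor):
    def __init__(self):
        self.findings = []
        self.tainted = set()  # names assigned a formatted string in this module

    def visit_Assign(self, node):
        if len(node.targets) == 1 and isinstance(node.targets[0], ast.Name) and _is_formatted(node.value):
            self.tainted.add(node.targets[0].id)
        self.generic_visit(node)

    def visit_Call(self, node):
        name = _callee_name(node)
        for kw in node.keywords:
            if kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True:
                self.findings.append((node.lineno, "shell=True"))
        if name in ("eval", "exec"):
            self.findings.append((node.lineno, name))
        if name == "execute" and node.args:
            first = node.args[0]
            if _is_formatted(first) or (isinstance(first, ast.Name) and first.id in self.tainted):
                self.findings.append((node.lineno, "formatted SQL"))
        self.generic_visit(node)


def find_insecure_calls(source):
    """Returns (line number, finding) pairs in source order."""
    finder = InsecureCallFinder()
    finder.visit(ast.parse(source))
    return finder.findings


if __name__ == "__main__":
    for lineno, finding in find_insecure_calls(SAMPLE_SOURCE):
        print("line {}: {}".format(lineno, finding))
```

The blind spots are the ones the slide lists: move the cmd assignment into a helper function and pass the result in, and this finder reports nothing; a shell=True value that comes from a settings file is invisible to it; and "ls -l " + filename is flagged as dangerous even when filename is a hard-coded constant elsewhere, which is where the false positives come from.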
XSScrapy
Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
IMMUNIO
Developers
• Use a deliberately slow, salted password hashing function (bcrypt, PBKDF2 or similar) to store passwords, never a plain MD5 or SHA hash
• Stored procedures if possible (called with parameters; a procedure that concatenates its arguments into SQL is just as injectable)
• Up-to-date frameworks & libraries
Devops
• HTTPS
• Web Application Firewall (WAF)
• Intrusion prevention systems (IPS)
• Up-to-date platform & infrastructure
trust… or not
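The first developer recommendation in code, as an added example that is not from the talk: PBKDF2-HMAC-SHA256 from the standard library with a random per-password salt, the iteration count stored alongside the hash so it can be raised later, and a constant-time comparison on verification. The storage format and helper names are my own; the default of 600,000 iterations is the OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256. bcrypt, the other option named on the slide, needs a third-party package and is not shown.

```python
import hashlib
import hmac
import os

# OWASP Password Storage Cheat Sheet figure for PBKDF2-HMAC-SHA256.
DEFAULT_ITERATIONS = 600_000


def hash_password(password, iterations=DEFAULT_ITERATIONS):
    """Returns 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>' (format is an
    assumption of this example). A fresh 16-byte random salt per password
    defeats precomputed tables; storing the iteration count lets the policy be
    raised later without invalidating old hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recomputes with the stored salt and iteration count and compares in
    constant time, so response timing does not leak how many bytes matched."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(stored, iterations=DEFAULT_ITERATIONS):
    """True when a stored hash uses fewer iterations than the current policy;
    the application rehashes on the next successful login."""
    return int(stored.split("$")[1]) < iterations


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))
    print(verify_password("wrong", stored))
```

The slow part is intentional: at 600,000 iterations a single verification costs a fraction of a second on the server but turns an offline brute-force of a leaked table from millions of guesses per second into a few per second per core.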
to infinity... and beyond!
Creative Commons: https://flic.kr/p/8Z1Cxm
thanks
but
no thanks
stop
Creative Commons: https://flic.kr/p/gpVdD
I’m serious!
Creative Commons: https://flic.kr/p/9CG51N
plan for it
Creative Commons: https://flic.kr/p/5bn2nD
now.
Creative Commons: https://flic.kr/p/fA6vnM
nothing is 100% bulletproof
Creative Commons: https://flic.kr/p/hpE97
IMMUNIO – Real-time web application security - https://www.immun.io/
OWASP (Open Web Application Security Project) - https://www.owasp.org/
Security in Django - http://j.mp/1Q8VMBP
Security system in Pyramid - http://j.mp/1Q8VHxT
Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
XSScrapy - https://github.com/DanMcInerney/xsscrapy
www
Frédéric Harper
fharper@immun.io
@fharper
http://outofcomfortzone.net
http://immun.io

Editor's Notes

  1. SQLi demo: http://www.codebashing.com/log_in trader@bank.com trader ‘ ‘’ ' or 1=1)#
  2. XSS demo: http://www.insecurelabs.org/Talk <script>alert('Hi!')</script> http://www.insecurelabs.org/Search.aspx?Query=%3Cscript%3Ealert%28%27Hi%21%27%29%3C%2Fscript%3E
  3. Is unsafe
  4. XSScrapy demo: cd Immunio/xsscrapy/ ./xsscrapy.py -u http://www.insecurelabs.org/