SlideShare a Scribd company logo

Django book20 security

Shih-yi Wei
Shih-yi Wei

A brief introduction of Django Book ch 20. With basic network security knowledge.

Related slideshows

Oracle Security 101
Oracle Security 101Oracle Security 101
Oracle Security 101
 
Introduction of Reverse Engineering
Introduction of Reverse EngineeringIntroduction of Reverse Engineering
Introduction of Reverse Engineering
 
Python速成指南
Python速成指南Python速成指南
Python速成指南
 
1 of 23
Download to read offline
Django book Chapter 20 - Security Alfred 113年10月1⽇日星期⼆二
Never - under any circumstances - trust data from browser! 213年10月1⽇日星期⼆二
A simple theory of security (based on 質餘) ‣ choose 2 prime p, q ‣ n = p, q ‣ based on Euler Function, phi(n) = (p-1)(q-1) ‣ 1 < e, public key <= phi(n) ‣ let d 是 e 的modulo reverse, d。e 同餘 1 mod phi(n) 313年10月1⽇日星期⼆二
A simple theory of security (based on 質餘) cont. 413年10月1⽇日星期⼆二
Number example (from wiki) 1. Choose two distinct prime numbers, such as and . 2. Compute n = p。q giving 3. Compute the totient of the product as φ(n) = (p − 1)(q − 1) giving. 4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120.Let 5. Compute d, the modular multiplicative inverse of e (mod φ(n)) yielding The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is c2753(mod 3233). 513年10月1⽇日星期⼆二
IdentifyYour Identity 613年10月1⽇日星期⼆二
Cross-Site Request Forgery , CSRF Attack • Malicious Client request a fake link. • Solution is mentioned by CSRF token, chapter 16. 713年10月1⽇日星期⼆二
Session Forging/Hijacking • man-in-the-middle (男⼈人 在中間) • session forging • cookie forging • session fixation • session poisoning wiki:session fixation 813年10月1⽇日星期⼆二
Solutions • Never allow session information to be contained in the URL. Django bless you. • Don’t store data in cookies directly. request.session bless you. • Prevent attackers from spoofing session IDs whenever possible. Django use hash function to protect you session ID. (As I know, some hash function is not safe, ex. SHA-1) • Sensitive Data? use Https:// SESSION_COOKIE_SECURE  =  TRUE 913年10月1⽇日星期⼆二
Break.... 1013年10月1⽇日星期⼆二
Code Injection Code Injection is a type of system bugs that is caused by processing invalid data. 既然稱為Bug, 那當然就是你的問題阿 1113年10月1⽇日星期⼆二
SQL Injection How a username could become invalid data? • Escape char ‘’ • SQL reserved word • SQL logic 1213年10月1⽇日星期⼆二
SQL Injection (Cont.) Tears In Heaven... 1313年10月1⽇日星期⼆二
SQL Injection Solution 1. Use Django API, please. 2. Exception Person.objects.raw('SELECT * FROM foo') django.db.connection.ops.quote_name(user) 1413年10月1⽇日星期⼆二
Cross Site Script, XSS XSS enables attackers to inject client-side script into Web pages viewed by other users. xss, xsstc(css javascript) 1513年10月1⽇日星期⼆二
Cross Site Script, XSS Q. How it works? A. 攻擊者利⽤用Client Browser可以動態執⾏行語法的特性,或可從 其他Server讀取程式碼的⽅方式,設計⼀一組簡易的link提供victims。 1. Find a Web Page who contains leak of any kind of XSS. 2. Design the XSS script, stolen cookies, do sth., etc 3. Send a link toVictims. (By mail or anything.) 再好的網站設計也不能阻擋清純的使⽤用者 1613年10月1⽇日星期⼆二
Example of XSS http://example.com/hello/?name=Jacob http://example.com/hello/?name=<i>Jacob</i> http://redirect.example.com/hello/?name=jacob Malicious Link 1713年10月1⽇日星期⼆二
Solution of XSS 1813年10月1⽇日星期⼆二
Email Header Injection • A field of E-Mail form would provide another Injection method. "helloncc:spamvictim@example.com" (where "n” is a newline character) solution:  django.core.mail.send_mail 1913年10月1⽇日星期⼆二
Filename Injection • A field to let user fill the file name... • how about ../../../../../etc/passwd. • Needless to say, you should never write code that can read from any area of the disk! 2013年10月1⽇日星期⼆二
Filename Injection (cont.) 2113年10月1⽇日星期⼆二
• 破解密碼 (暴⼒力法、字典、Birthday Attack) • 偽裝( 男⼈人在中間, xx forging... ) • Code Injection (SQL, XSS, email header,...) • 破壞 (DDOS, explode request) • Zero-Day Attack + Service Scan • Social-Engineering (information gathering) 2213年10月1⽇日星期⼆二
Thanks Alfred 2313年10月1⽇日星期⼆二

More Related Content

Django book20 security

  • 1. Django book Chapter 20 - Security Alfred 113年10月1⽇日星期⼆二
  • 2. Never - under any circumstances - trust data from browser! 213年10月1⽇日星期⼆二
  • 3. A simple theory of security (based on 質餘) ‣ choose 2 prime p, q ‣ n = p, q ‣ based on Euler Function, phi(n) = (p-1)(q-1) ‣ 1 < e, public key <= phi(n) ‣ let d 是 e 的modulo reverse, d。e 同餘 1 mod phi(n) 313年10月1⽇日星期⼆二
  • 4. A simple theory of security (based on 質餘) cont. 413年10月1⽇日星期⼆二
  • 5. Number example (from wiki) 1. Choose two distinct prime numbers, such as and . 2. Compute n = p。q giving 3. Compute the totient of the product as φ(n) = (p − 1)(q − 1) giving. 4. Choose any number 1 < e < 3120 that is coprime to 3120. Choosing a prime number for e leaves us only to check that e is not a divisor of 3120.Let 5. Compute d, the modular multiplicative inverse of e (mod φ(n)) yielding The public key is (n = 3233, e = 17). For a padded plaintext message m, the encryption function is The private key is (n = 3233, d = 2753). For an encrypted ciphertext c, the decryption function is c2753(mod 3233). 513年10月1⽇日星期⼆二
  • 7. Cross-Site Request Forgery , CSRF Attack • Malicious Client request a fake link. • Solution is mentioned by CSRF token, chapter 16. 713年10月1⽇日星期⼆二
  • 8. Session Forging/Hijacking • man-in-the-middle (男⼈人 在中間) • session forging • cookie forging • session fixation • session poisoning wiki:session fixation 813年10月1⽇日星期⼆二
  • 9. Solutions • Never allow session information to be contained in the URL. Django bless you. • Don’t store data in cookies directly. request.session bless you. • Prevent attackers from spoofing session IDs whenever possible. Django use hash function to protect you session ID. (As I know, some hash function is not safe, ex. SHA-1) • Sensitive Data? use Https:// SESSION_COOKIE_SECURE  =  TRUE 913年10月1⽇日星期⼆二
  • 11. Code Injection Code Injection is a type of system bugs that is caused by processing invalid data. 既然稱為Bug, 那當然就是你的問題阿 1113年10月1⽇日星期⼆二
  • 12. SQL Injection How a username could become invalid data? • Escape char ‘’ • SQL reserved word • SQL logic 1213年10月1⽇日星期⼆二
  • 13. SQL Injection (Cont.) Tears In Heaven... 1313年10月1⽇日星期⼆二
  • 14. SQL Injection Solution 1. Use Django API, please. 2. Exception Person.objects.raw('SELECT * FROM foo') django.db.connection.ops.quote_name(user) 1413年10月1⽇日星期⼆二
  • 15. Cross Site Script, XSS XSS enables attackers to inject client-side script into Web pages viewed by other users. xss, xsstc(css javascript) 1513年10月1⽇日星期⼆二
  • 16. Cross Site Script, XSS Q. How it works? A. 攻擊者利⽤用Client Browser可以動態執⾏行語法的特性,或可從 其他Server讀取程式碼的⽅方式,設計⼀一組簡易的link提供victims。 1. Find a Web Page who contains leak of any kind of XSS. 2. Design the XSS script, stolen cookies, do sth., etc 3. Send a link toVictims. (By mail or anything.) 再好的網站設計也不能阻擋清純的使⽤用者 1613年10月1⽇日星期⼆二
  • 19. Email Header Injection • A field of E-Mail form would provide another Injection method. "helloncc:spamvictim@example.com" (where "n” is a newline character) solution:  django.core.mail.send_mail 1913年10月1⽇日星期⼆二
  • 20. Filename Injection • A field to let user fill the file name... • how about ../../../../../etc/passwd. • Needless to say, you should never write code that can read from any area of the disk! 2013年10月1⽇日星期⼆二
  • 22. • 破解密碼 (暴⼒力法、字典、Birthday Attack) • 偽裝( 男⼈人在中間, xx forging... ) • Code Injection (SQL, XSS, email header,...) • 破壞 (DDOS, explode request) • Zero-Day Attack + Service Scan • Social-Engineering (information gathering) 2213年10月1⽇日星期⼆二