Live-Fire Exercises: Security in Django

John Hess

Notes

Objective

At the end of this talk, you should be able to:

  • Perpetrate two common types of attacks
  • Use Django's built-in protections
  • Identify when those protections aren't good enough
  • Do something better when they aren't good enough

Attacks

  • XSS (Cross Site Scripting)
    • Simpler to understand/perpetrate
    • Giant catastrophe if it happens
  • CSRF (Cross Site Request Forgery)
    • A bit more subtle
    • Slightly less giant catastrophe if it happens
  • Both exploit the trust you place in your users and the trust your users place in you
    • Don't trust people.

What aren't we talking about today?

  • Nation states & zero days
  • Countless other footguns that surround you
    • package management
    • JS libraries you're loading from a CDN
    • ...
  • Why CSRF and XSS start with the same word, but are abbreviated differently

Get out a laptop

We're not just talking either. Get a laptop out (phones will work, too).

[a moment of prayer]

XSS

XSS: Cross-Site Scripting

a.k.a. Someone else is running JavaScript on your pages.

XSS: Cross-Site Scripting

Pop Quiz:

What kind of havoc could a baddie wreak if they got to insert any JS they wanted into pages visited by your users?

XSS: Cross-Site Scripting

Pop Quiz:

What kind of havoc could a baddie wreak if they got to insert any JS they wanted into pages visited by your users?

Visited by your admins?

...nobody ever makes a quick and dirty admin page that goes largely unscrutinized...

XSS: Cross-Site Scripting

...but this is a Django meetup. I don't wanna hear about front-end nonsense!

Too danged bad. Turns out this is your problem. Not because you can't trust your front-end engineers, but because you might perpetrate this yourself -- even if your site has no JS at all!

Live Fire: Reflected XSS

from django.http import HttpResponse

def greeter(request):
    # Untrusted query parameter is dropped straight into the HTML body, unescaped.
    who = request.GET.get('name', 'friend')
    return HttpResponse("Hello, {}".format(who))

http://vcwa.veryveryvulnerable.com

[disclaimer: VCWA is a Flask app running similar code.]

No TLS! The horror! Turns out the game is already over :-P

Live Fire: Reflected XSS

from django.http import HttpResponse

def greeter(request):
    # Untrusted query parameter is dropped straight into the HTML body, unescaped.
    who = request.GET.get('name', 'friend')
    return HttpResponse("Hello, {}".format(who))

http://vcwa.veryveryvulnerable.com

  • "John Baldwin" (our gracious organizer)

Live Fire: Reflected XSS

from django.http import HttpResponse

def greeter(request):
    # Untrusted query parameter is dropped straight into the HTML body, unescaped.
    who = request.GET.get('name', 'friend')
    return HttpResponse("Hello, {}".format(who))

http://vcwa.veryveryvulnerable.com

  • "John Baldwin" (our gracious organizer)
  • <script>alert('im in ur pages, runnin my own js')</script>
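The same reflection, worked through stand-alone (an added example, not code from the talk or from VCWA): the slide's `greeter` is modelled without Django, next to a hardened version. `html.escape` from the standard library stands in for `django.utils.html.escape`, which performs the same entity conversion that Django templates apply automatically when autoescaping is on (the default); the sample URLs are constructed.

```python
import html
from urllib.parse import parse_qs, urlsplit


def name_from_url(url: str) -> str:
    """Mimic request.GET.get('name', 'friend') on a plain URL string."""
    params = parse_qs(urlsplit(url).query)
    return params.get("name", ["friend"])[0]


def greet_unsafe(url: str) -> str:
    """The slide's vulnerable view: the query parameter is reflected verbatim."""
    return "Hello, {}".format(name_from_url(url))


def greet_escaped(url: str) -> str:
    """Hardened view: escape the untrusted value before it becomes HTML.

    html.escape() converts < > & " ' to entities, the same conversion
    django.utils.html.escape() and autoescaped Django templates perform.
    """
    return "Hello, {}".format(html.escape(name_from_url(url)))


def reflects_markup(body: str, url: str) -> bool:
    """Test-harness check: did a supplied '<' come back as raw markup in the body?"""
    supplied = name_from_url(url)
    return "<" in supplied and supplied in body


# Constructed sample requests, modelled on the two inputs on the slide.
BENIGN = "http://vcwa.veryveryvulnerable.com/?name=John+Baldwin"
HOSTILE = "http://vcwa.veryveryvulnerable.com/?name=%3Cscript%3Ealert(1)%3C/script%3E"

if __name__ == "__main__":
    for url in (BENIGN, HOSTILE):
        print("unsafe :", greet_unsafe(url))   # hostile input comes back as a live <script> tag
        print("escaped:", greet_escaped(url))  # hostile input comes back as inert text
```

Escaping covers the HTML body context shown on the slide; a value placed inside an attribute, a URL or an inline script needs handling specific to that context.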
