ngenuity djangocon2010 pony pwning
TRANSCRIPT
-
8/8/2019 nGenuity Djangocon2010 Pony Pwning
1/44
Pony Pwning / Djangocon 2010 // Adam Baldwin
Wednesday, September 8, 2010
-
Hi, I'm not that Adam Baldwin.
I'm this one:
@adam_baldwin
ngenuity-is.com
evilpacket.net
-
I break stuff
-
Django = pile of awesome
-
Django isn't perfect
-
Developers aren't perfect
-
I WANT TO HELP YOU AVOID HUGE ASS MISTAKES
Captain Howdy McAssumptions, the nGenuity Mascot
-
INTRODUCING!
Completely made up statistics
-
60% of security failures: project constraints!
-
-
30% of security failures: incompetence or ignorance
-
See http://evilpacket.net/2010/jan/14/mifi-geopwn/
9% of security failures: needle in the haystack
-
See http://evilpacket.net/2009/jul/9/rackspace-cloud-xss-root/
and http://evilpacket.net/2009/jul/9/theft-rackspace-cloud-api-key/
1% of security failures: 0 days
-
Let's talk about the 90%
-
Sad Pony Warning
-
cross-site scripting
-
the Big Five
double quote
single quote
ampersand
less than
greater than
&{
-
{% autoescape off %}
|safe filter
mark_safe( )
-
Context matters.
{{object.name}}
{{object.name}}
Missing quotes in the second URL make it possible to inject malicious code.
Which is bad.
-
OWASP ESAPI Swingset by Craig Younkins
http://www.owasp.org/index.php/ESAPI_Swingset
-
Browser behavior
click
This works in IE8, without the big five, and executes without user interaction.
click
-
Avoid getting burned
Consider OWASP ESAPI
Audit templates
Audit reusables and snippets
Educate designers
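"Audit templates" is easier with a script than with eyeballs. The following is an added example, not code from the talk: a small regex auditor that flags the three autoescape escape-hatches named on slide 20 ({% autoescape off %}, |safe, mark_safe()) and the unquoted-attribute case from slide 21, where escaping the big five does not help because whitespace already ends the attribute value. The sample template is constructed for the demo.

```python
import re

# The three escape-hatches from slide 20, plus the unquoted-attribute case from slide 21.
AUTOESCAPE_OFF = re.compile(r"\{%\s*autoescape\s+off\s*%\}")
SAFE_FILTER = re.compile(r"\{\{[^}]*\|\s*safe\b[^}]*\}\}")
MARK_SAFE = re.compile(r"\bmark_safe\s*\(")
# An attribute whose value is a bare {{ ... }} with no surrounding quote, e.g. href={{ obj.url }}.
# Escaping < > & " ' does not help here: a space ends the attribute value.
UNQUOTED_ATTR = re.compile(r"\s[\w:-]+\s*=\s*\{\{")


def _scan(source, patterns):
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for kind, pattern in patterns:
            for match in pattern.finditer(line):
                findings.append((line_no, kind, match.group(0).strip()))
    return findings


def audit_template(source):
    """Findings for one Django template as (line_no, kind, snippet) tuples."""
    return _scan(source, [
        ("autoescape-off", AUTOESCAPE_OFF),
        ("safe-filter", SAFE_FILTER),
        ("unquoted-attribute", UNQUOTED_ATTR),
    ])


def audit_python_source(source):
    """Findings for Python code that builds markup with mark_safe()."""
    return _scan(source, [("mark_safe", MARK_SAFE)])


# Constructed sample template: line 1 is fine, lines 2-4 each trip one check.
SAMPLE_TEMPLATE = """\
<a href="{{ object.url }}">{{ object.name }}</a>
<a href={{ object.url }}>{{ object.name }}</a>
{% autoescape off %}{{ object.description }}{% endautoescape %}
<p>{{ object.bio|safe }}</p>
"""

if __name__ == "__main__":
    for finding in audit_template(SAMPLE_TEMPLATE):
        print("%d: %s  %s" % finding)
```

Each hit is a place to either confirm the value is trusted or put the quotes (and the escaping) back.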
-
FILE UPLOADS
-
Avoid getting burned
Check file extensions
Disable PHP
-
File upload TMI
secret_report.pdf
secret_report_1.pdf
-
Avoid getting burned
Put user content behind a file API
Obfuscate filenames of uploads
-
Direct Object Access
-
General TMI
Not Found
vs.
Forbidden / Access denied
-
Avoid getting burned
Return consistent results (preferably Not Found)
Log security violations
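The upload advice (slide 29: file API in front of user content, obfuscated filenames) and the direct-object-access advice (slide 32: consistent Not Found, log the violation) fit in one small piece of code. This is an added example written for this transcript, not code from the talk; the allowlist, the in-memory store and the "alice"/"bob" users are constructed, and a real app would put the same logic in a Django view in front of real storage.

```python
import logging
import os
import secrets

logger = logging.getLogger("uploads")

# Constructed allowlist; only the final extension is checked, lower-cased.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".jpg", ".txt"}
NOT_FOUND = (404, b"Not Found")


class UploadStore:
    """In-memory stand-in for upload storage plus the file API in front of it."""

    def __init__(self):
        self._files = {}       # opaque id -> record
        self.violations = []   # security-violation log entries (also sent to logging)

    def save(self, owner, original_name, data):
        """Check the extension, then store the file under a random name.

        Returns the opaque id used to fetch the file. The original filename
        (secret_report.pdf) is kept as metadata only and never becomes a URL."""
        ext = os.path.splitext(original_name)[1].lower()
        if ext not in ALLOWED_EXTENSIONS:
            raise ValueError("extension not allowed: %r" % ext)
        file_id = secrets.token_urlsafe(16)   # unguessable, not sequential
        self._files[file_id] = {
            "owner": owner,
            "original_name": os.path.basename(original_name),
            "stored_name": file_id + ext,
            "data": data,
        }
        return file_id

    def fetch(self, requester, file_id):
        """File API view: same 404 whether the id is unknown or someone else's."""
        record = self._files.get(file_id)
        if record is None:
            return NOT_FOUND
        if record["owner"] != requester:
            msg = "user %s requested file %s owned by %s" % (
                requester, file_id, record["owner"])
            self.violations.append(msg)
            logger.warning(msg)
            return NOT_FOUND   # not 403: a Forbidden would confirm the object exists
        return (200, record["data"])
```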
-
Doing stupid things
Privileged operations with HTTP GET
e.g. /object/delete/2
-
Avoid getting burned
Don't do stupid things.
Consider Django-Piston for REST
-
ClickJacking
What the hell is it?
-
Click jackets
/admin/ is vulnerable.
pre-filling forms removes most user interaction
-
Avoid getting burned
Set X-FRAME-OPTIONS: DENY header
Use django-xframeoptions middleware
Implement frame breakout code
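Two of the fixes above are a few lines each: the X-Frame-Options: DENY middleware from slide 37, and refusing GET on a privileged URL such as /object/delete/2 from slides 33/34. The block below is an added example, not the talk's code or django-xframeoptions itself; the Request/Response classes are constructed stand-ins so it runs without Django installed, the require_post decorator re-implements what Django's own require_POST does, and the middleware follows Django's get_response factory style.

```python
from functools import wraps


class Request:
    """Constructed stand-in for an HTTP request (not Django's HttpRequest)."""
    def __init__(self, method, path):
        self.method = method
        self.path = path


class Response:
    """Constructed stand-in for an HTTP response with a headers dict."""
    def __init__(self, status=200, body=""):
        self.status = status
        self.body = body
        self.headers = {}


def require_post(view):
    """Run a state-changing view only for POST; anything else gets 405."""
    @wraps(view)
    def wrapper(request, *args, **kwargs):
        if request.method != "POST":
            response = Response(405, "Method Not Allowed")
            response.headers["Allow"] = "POST"
            return response
        return view(request, *args, **kwargs)
    return wrapper


DELETED = set()   # stands in for the database


@require_post
def delete_object(request, object_id):
    DELETED.add(object_id)
    return Response(200, "deleted " + object_id)


def xframe_deny_middleware(get_response):
    """Django-style middleware factory: every response leaves with X-Frame-Options: DENY."""
    def middleware(request):
        response = get_response(request)
        response.headers.setdefault("X-Frame-Options", "DENY")
        return response
    return middleware


def route(request):
    # /object/delete/<id> from slide 33, now only reachable by POST.
    if request.path.startswith("/object/delete/"):
        return delete_object(request, request.path.rsplit("/", 1)[1])
    return Response(404, "Not Found")


app = xframe_deny_middleware(route)
```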
-
Abusing /admin/
:(
-
Wuh-oh, kids.
[ REDACTED ]
-
Avoid getting burned
I HAVE NO IDEA.
[email protected] to check their email ;)
-
I have a hard job
-
Your job is harder.
-
Questions?
@adam_baldwin // ngenuity-is.com // evilpacket.net