Sichere Web-Applikationen am Beispiel von Django
Markus Zapke-Gründemann LinuxTag 2014
Markus Zapke-Gründemann
Softwareentwickler seit 2001
Python, Django und Mercurial
Inhaber von transcode
Vorstand des Deutschen Django-Vereins
keimlink.de // @keimlink
Einführung
DjangoPython Web-Application Framework
Open Source (BSD-Lizenz)
Rapid Development
Model Template View (MTV)
Object Relational Mapper (ORM)
www.djangoproject.com
OWASP
Open Web Application Security Project
Non-Profit-Organisation
Alle Materialien unter freier Lizenz
www.owasp.org
OWASP Top 10
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
OWASP Top 10
OWASP Top 101. Injection
OWASP Top 101. Injection
2. Broken Authentication and Session Management
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
OWASP Top 101. Injection
2. Broken Authentication and Session Management
3. Cross-Site Scripting (XSS)
4. Insecure Direct Object References
5. Security Misconfiguration
6. Sensitive Data Exposure
7. Missing Function Level Access Control
8. Cross-Site Request Forgery (CSRF)
9. Using Components with Known Vulnerabilities
10.Unvalidated Redirects and Forwards
SQL Injection
>>> cmd = "UPDATE animals SET name='%s' WHERE id='%s'" % (name, id)
>>> cursor.execute(cmd)
SQL Injection
Exploits of a Mom by Randall Munroe (cc-by-nc)
SQL Injection
Exploits of a Mom by Randall Munroe (cc-by-nc)
Datenbank-Eingaben bereinigen!
SQL Injection
>>> from animals.models import Animal
>>> Animal.objects.filter(id=id).update(name=name)
Broken Authentication and Session Management
http://example.com/sale/saleitems;sessionid= 2P0OC2JSNDLPSKHCJUN2JV?dest=Hawaii
Cross-Site Scripting (XSS)
<h3>Preparation</h3>
{{ recipe.preparation }}
!
<script>alert('The best recipe in the world!')</script>
Heat the water in the pot to 100 °C.
!
<p><script>alert('The best recipe in the <world!')</script></p>
<p>Heat the water in the pot to 100 °C.</p>
Cross-Site Scripting (XSS)
<h3>Preparation</h3>
{{ recipe.preparation|safe }}
!
<script>alert('The best recipe in the world!')</script>
Heat the water in the pot to 100 °C.
!
<p><script>alert('The best recipe in the world!')</script></p>
<p>Heat the water in the pot to 100 °C.</p>
Security Misconfiguration
DEBUG = True
Sensitive Data Exposure
>>> from django.contrib.auth.models import User
>>> User.objects.get(pk=1).password
u'pbkdf2_sha256$10000$sDN75YuuoUWi$Ua/H364jPAPTPBiAyJ1fc0uB4ClzQD5yGFisYrxCo40='
Cross-Site Request Forgery (CSRF)
http://example.com/app/transferFunds?amount=1500 &destinationAccount=4673243243
Cross-Site Request Forgery (CSRF)
<form method="post" accept-charset="utf-8">
{{ form.as_p }}
{% csrf_token %}
<input type="submit" value="Submit"/>
</form>
Cross-Site Request Forgery (CSRF)
<form method="post" accept-charset="utf-8">
...
<input type='hidden' name='csrfmiddlewaretoken' value='gB3bL3MU2fr8BCQXXrNV6pfS7GJYBdU0' />
<p><input type="submit" value="Submit" /></p>
</form>
Clickjacking
X-Frame-Options Header aktivieren: MIDDLEWARE_CLASSES = (
...
'django.middleware.clickjacking.XFrameOptionsMiddleware',
...
)
Information Leakage
WerkzeugeOWASP Cheat Sheet Series
HackBar
Tamper Data
sqlmap
Scapy
dsniff
Django Apps
django-secure
django-configurations
Code sicher(er) machen
Code Review
Security Scanner
Security Audit
Recommended
