-
-
Save maretekent/be7fe1b99fe024ebf74e47d24b1baa75 to your computer and use it in GitHub Desktop.
| XXE injection: | |
| To use these parsers safely, you have to explicitly disable referencing of external entities in the | |
| SAX parser implementation you use. | |
| problem: | |
| from django.http import HttpResponse | |
| from lxml import etree | |
| parser = etree.XMLParser(resolve_entities=True) | |
| try: | |
| document = etree.fromstring(content, parser) | |
| except etree.XMLSyntaxError: | |
| return None | |
| solution: | |
| set parser = etree.XMLParser(resolve_entities=False) -- set it to False | |
| disallowing inline DTD is a good defense against this type of attack, | |
| but implementing this is specific to the XML parsing engine being used. | |
| Command Injection: | |
| Should any non alphanumeric characters be encountered, the re.match() method will automatically escape the input, | |
| preventing malicious control shell characters from being passed to the statlab program. | |
| Although the proposed fix is sufficient to remediate our vulnerable example, | |
| the overall logic and security design for os.popen() method can be significantly | |
| improved by not accepting user supplied myUid value through the request.GET['username'] parameter. | |
| import os | |
| from django.http import HttpResponse | |
| import re | |
| def executeCommand(request): | |
| myUid = request.GET['username'] | |
| matchResult = re.match(r"[0-9A-Za-z]+$", myUid) | |
| if not matchResult: | |
| return HttpResponse("Inva | |
| out = os.popen("/usr/bin/statlab " + "-" + myUid).read() | |
| return HttpResponse(out)Copy-paste code here to remove the line numbers. | |
| Session Fixation: | |
| 1. Ensure that only server generated session values are accepted by the application. | |
| 2. Upon a successful login, invalidate the original session value, and re-issue a new session value. | |
| 3. Prevent the application from accepting session values via GET or POST requests and | |
| instead store session values within HTTP Cookies only. | |
| def authenticate(request, username, password): | |
| user = verify_uname_password(username, password) | |
| if user and user.is_active: | |
| request.session.flush() | |
| request.session.cycle_key() |
maretekent
commented
Mar 31, 2018
The json.loads() method then saves the extracted JSON to the exceptionRecordJson variable. And after that its value is passed to the ExceptionRecord constructor class that records the parced error message to the server log.
When the parsed error message is processed, the self.wfile.write() method sends the response in the form of JSON back to the client .
content_length = self.headers.getheaders('content-length')
length = int(content_length[0]) if content_length else 0
pickledError = self.rfile.read(length)
exceptionRecord = cPickle.loads(base64.b64decode(pickledError))
self._set_headers()
jsonRecordError = self.rfile.read(length)
exceptionRecordJson = json.loads(jsonRecordError)
try:
exceptionRecord = ExceptionRecord(exceptionRecordJson["version"], exceptionRecordJson["log"], exceptionRecordJson["userID"])
saveError(exceptionRecord)
self._set_headers()
self.wfile.write(createJSONSuccess(exceptionRecord));
except (ValueError, TypeError, NameError) as e:
log_error(e, exceptionRecord)
self._set_error_headers()
self.wfile.write(createJSONError(e,exceptionRecord));