Created March 28, 2018 18:38
basic django security key elements worthy noting
XXE injection:
An XML parser that resolves external entities will read whatever local file or URL a DOCTYPE
names and splice the contents into the document, so any endpoint that parses client-supplied
XML is a file-read (and often SSRF) primitive. To use these parsers safely, you have to
explicitly disable resolution of external entities in whichever parser implementation you use
(lxml, or the SAX/DOM/ElementTree parsers in the standard library); set the option yourself
rather than trusting the library default, which has differed between versions.
problem:
from django.http import HttpResponse
from lxml import etree

def parse_document(content):
    # resolve_entities=True expands entity references, including SYSTEM entities
    # such as file:///etc/passwd declared in an attacker-supplied DOCTYPE
    parser = etree.XMLParser(resolve_entities=True)
    try:
        document = etree.fromstring(content, parser)
    except etree.XMLSyntaxError:
        return None
    return document
solution:
set parser = etree.XMLParser(resolve_entities=False), so that entity references are left
unexpanded instead of being resolved. Disallowing an inline DTD altogether (no DOCTYPE, so no
entity declarations at all) is a good defense against this type of attack, but how you
implement that is specific to the XML parsing engine being used; for the standard-library
parsers the defusedxml package wraps them with safe settings.
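The note above speaks of the SAX parser, so here is the same switch in the standard library's xml.sax, as an added example that is not part of the gist: the same document is parsed once with external general entities enabled and once with them disabled, and the "secret" file it references is a constructed temporary file standing in for /etc/passwd. The equivalent switch in lxml is resolve_entities=False on the XMLParser.

```python
import io
import os
import tempfile
import xml.sax
from xml.sax.handler import ContentHandler, feature_external_ges


class TextCollector(ContentHandler):
    """Collects character data so we can see exactly what the parser expanded."""

    def __init__(self):
        super().__init__()
        self.parts = []

    def characters(self, content):
        self.parts.append(content)

    def text(self):
        return "".join(self.parts)


def parse_text(xml_bytes, allow_external_entities):
    """Parse xml_bytes with xml.sax and return the concatenated text content.

    allow_external_entities maps to the SAX feature external-general-entities:
    True is the XXE-prone setting, False is the hardened one."""
    parser = xml.sax.make_parser()
    parser.setFeature(feature_external_ges, allow_external_entities)
    handler = TextCollector()
    parser.setContentHandler(handler)
    parser.parse(io.BytesIO(xml_bytes))
    return handler.text()


def xxe_demo():
    """Run a classic XXE payload against both parser settings.

    Returns (text with entities enabled, text with entities disabled)."""
    # Constructed secret file; in a real attack this would be /etc/passwd or a
    # cloud metadata URL.
    with tempfile.NamedTemporaryFile("w", suffix=".txt", delete=False) as fh:
        fh.write("SECRET-TOKEN-42\n")
        secret_path = fh.name
    try:
        # Attacker-controlled document: the DOCTYPE declares an external entity
        # pointing at the file, and the body references it.
        payload = (
            '<?xml version="1.0"?>\n'
            f'<!DOCTYPE data [<!ENTITY xxe SYSTEM "{secret_path}">]>\n'
            "<data><name>&xxe;</name></data>"
        ).encode()
        leaked = parse_text(payload, allow_external_entities=True)
        blocked = parse_text(payload, allow_external_entities=False)
        return leaked, blocked
    finally:
        os.unlink(secret_path)


if __name__ == "__main__":
    leaked, blocked = xxe_demo()
    print("entities enabled :", repr(leaked))
    print("entities disabled:", repr(blocked))
```

With the feature enabled the file contents come back as the element's text; with it disabled the reference is simply dropped and the document still parses, which is why turning the option off does not break well-formed input.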
Command Injection:
The vulnerable version of the view below concatenated request.GET['username'] straight into
the os.popen() command line, so a value such as "alice; id" runs a second command as the web
server user. The fix is an allow-list check before the shell is ever invoked: should any
non-alphanumeric character be encountered, re.match() returns None and the request is
rejected. re.match() does not escape anything; it simply refuses input that could carry shell
metacharacters to the statlab program.
import os
import re
from django.http import HttpResponse

def executeCommand(request):
    myUid = request.GET['username']
    # allow-list: only letters and digits may reach the command line
    matchResult = re.match(r"[0-9A-Za-z]+$", myUid)
    if not matchResult:
        return HttpResponse("Invalid username", status=400)
    out = os.popen("/usr/bin/statlab " + "-" + myUid).read()
    return HttpResponse(out)
Although this fix is sufficient to remediate the vulnerable example, the overall logic and
security design around os.popen() can be significantly improved by not accepting the user
supplied myUid value through the request.GET['username'] parameter at all (take the identity
of the logged-in user from the session instead), and by replacing os.popen() with
subprocess.run() given an argument list, which never starts a shell. Note also that "$"
matches before a trailing newline, so "alice\n" passes the pattern above; anchor with \Z or
use re.fullmatch() instead.
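The hardened shape of that view, as an added example rather than code from the gist: the allow-list is anchored with \Z, the argument vector is built and validated before anything runs, and subprocess.run() is used with a list so no shell is involved. statlab is not available here, so ECHO_ARGV is a constructed stand-in program that prints its first argument back, which lets you see exactly what the child process received; the Django request plumbing is left out so the functions run stand-alone.

```python
import re
import subprocess
import sys

# \Z anchors at the true end of the string; "$" also matches just before a
# trailing newline, so "alice\n" would slip through the gist's original pattern.
USERNAME_RE = re.compile(r"[0-9A-Za-z]+\Z")


def is_valid_username(value):
    """Allow-list check: True only for a non-empty, purely alphanumeric string."""
    return USERNAME_RE.match(value) is not None


def statlab_argv(username, program):
    """Build the argument vector the gist builds as a string: program, then -<username>.

    Validation happens here, before anything is executed."""
    if not is_valid_username(username):
        raise ValueError("username must be alphanumeric")
    return list(program) + ["-" + username]


def run_statlab(username, program=("/usr/bin/statlab",)):
    """Hardened counterpart of executeCommand(): subprocess.run() with a list never
    starts a shell, so even if validation were bypassed the username would reach the
    program as one literal argument rather than as shell syntax."""
    argv = statlab_argv(username, program)
    completed = subprocess.run(argv, capture_output=True, text=True, timeout=10)
    return completed.stdout


def rejected(username):
    """True when the allow-list refuses the username."""
    try:
        statlab_argv(username, ("/usr/bin/statlab",))
    except ValueError:
        return True
    return False


def dollar_vs_Z(value):
    """(matches the gist's "$"-anchored pattern, matches the \\Z-anchored pattern)."""
    return (re.match(r"[0-9A-Za-z]+$", value) is not None, is_valid_username(value))


# Constructed stand-in for /usr/bin/statlab: echoes its first argument.
ECHO_ARGV = (sys.executable, "-c", "import sys; print(sys.argv[1])")

if __name__ == "__main__":
    print(run_statlab("alice", program=ECHO_ARGV).strip())   # -alice
    print(rejected("alice; id"))                               # True
    print(dollar_vs_Z("alice\n"))                              # (True, False)
```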
Session Fixation:
1. Ensure that only server generated session values are accepted by the application.
2. Upon a successful login, invalidate the original session value, and re-issue a new session value.
3. Prevent the application from accepting session values via GET or POST requests and
instead store session values within HTTP Cookies only.
def authenticate(request, username, password):
    user = verify_uname_password(username, password)  # the application's own credential check
    if user and user.is_active:
        # flush() discards every value tied to the pre-login session id; cycle_key()
        # then issues a brand-new id, so an id an attacker planted before login is dead
        request.session.flush()
        request.session.cycle_key()
    return user
In Django, flush() alone already drops the data and leaves the request without a key so a
fresh one is created, while cycle_key() alone keeps the data and only changes the key: use
cycle_key() when pre-login state such as a shopping cart must survive, flush() when that state
could be attacker-controlled. django.contrib.auth.login() performs this rotation itself, so
rule 2 matters mainly for custom login code, and the default session middleware reads the
session id from its cookie only, which covers rule 3.
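To make rule 2 concrete, here is a constructed in-memory session store (not Django's, and not part of the gist) that plays out a fixation attack twice: once when login keeps the pre-login session id and once when it invalidates that id and issues a fresh one, which is what flush()/cycle_key() do in Django. Attacker, victim and the planted id are all constructed sample data.

```python
import secrets


class SessionStore:
    """Minimal server-side session store for the demonstration."""

    def __init__(self):
        self._sessions = {}

    def new_session(self):
        """Rule 1: ids are generated here, never taken from the client."""
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {}
        return sid

    def get(self, sid):
        return self._sessions.get(sid)

    def login(self, sid, user, rotate_key):
        """Authenticate the session presented as sid and return the id the
        client should use from now on.

        rotate_key=False keeps the pre-login id (fixation-prone);
        rotate_key=True deletes it and issues a fresh id (rule 2)."""
        if sid not in self._sessions:
            # An id the server never issued is ignored and replaced.
            sid = self.new_session()
        if rotate_key:
            self._sessions.pop(sid)
            sid = self.new_session()
        self._sessions[sid]["user"] = user
        return sid


def fixation_attack(rotate_key):
    """Simulate the attack; returns (attacker now holds an authenticated
    session, victim's post-login id differs from the planted one)."""
    store = SessionStore()
    # 1. attacker obtains a perfectly valid, server-issued id...
    planted_sid = store.new_session()
    # 2. ...and plants it in the victim's browser (cookie injection, a crafted
    #    link, etc.); the victim then logs in with that id.
    victim_sid = store.login(planted_sid, "victim", rotate_key)
    # 3. attacker presents the id they already know
    attacker_view = store.get(planted_sid)
    hijacked = attacker_view is not None and attacker_view.get("user") == "victim"
    return hijacked, victim_sid != planted_sid


if __name__ == "__main__":
    print("no rotation :", fixation_attack(rotate_key=False))  # (True, False)
    print("rotation    :", fixation_attack(rotate_key=True))   # (False, True)
```

Note that rule 1 alone does not stop the attack: the planted id was server-generated, so only the re-issue at login (rule 2) cuts the attacker off.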
Insecure deserialization:
problem:
import base64
import pickle

def do_POST(self):  # inside a BaseHTTPRequestHandler subclass
    content_length = self.headers.get('content-length')
    length = int(content_length) if content_length else 0
    pickledError = self.rfile.read(length)
    # pickle.loads() on client-supplied bytes calls whatever functions the pickle
    # names: the client gets code execution on the server, not just a parsed record
    exceptionRecord = pickle.loads(base64.b64decode(pickledError))
    self._set_headers()
solution: accept a data-only format such as JSON and build the record field by field
(ExceptionRecord, saveError, createJSONSuccess, createJSONError, log_error and the
_set_*headers methods are the application's own helpers).
import json

def do_POST(self):  # inside a BaseHTTPRequestHandler subclass
    content_length = self.headers.get('content-length')
    length = int(content_length) if content_length else 0
    jsonRecordError = self.rfile.read(length)
    exceptionRecord = None
    try:
        # json.loads() is inside the try so malformed bodies get the error response too
        exceptionRecordJson = json.loads(jsonRecordError)
        exceptionRecord = ExceptionRecord(exceptionRecordJson["version"],
                                          exceptionRecordJson["log"],
                                          exceptionRecordJson["userID"])
        saveError(exceptionRecord)
        self._set_headers()
        self.wfile.write(createJSONSuccess(exceptionRecord))
    except (KeyError, ValueError, TypeError, NameError) as e:
        log_error(e, exceptionRecord)
        self._set_error_headers()
        self.wfile.write(createJSONError(e, exceptionRecord))
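Why the pickle path is code execution and what the JSON path should check, as an added example that is not the gist's code: a constructed malicious pickle that makes unpickling run a subprocess (here a harmless python -c print, standing in for anything an attacker wants), and a JSON loader that validates the three fields the gist's ExceptionRecord uses. ExceptionRecord below is a stand-in dataclass, not the gist's class.

```python
import base64
import json
import pickle
import subprocess
import sys
from dataclasses import dataclass


class MaliciousRecord:
    """What an attacker POSTs instead of a real record. __reduce__ tells pickle
    to "reconstruct" the object by calling subprocess.check_output(...)."""

    def __reduce__(self):
        return (subprocess.check_output,
                ([sys.executable, "-c", "print('code ran during unpickle')"],))


def build_malicious_payload():
    """The base64-wrapped body a client would send to the gist's handler."""
    return base64.b64encode(pickle.dumps(MaliciousRecord()))


def unsafe_load(body):
    """The gist's problem path: deserialise whatever the client sent.

    With the payload above this spawns a process before returning."""
    return pickle.loads(base64.b64decode(body))


@dataclass
class ExceptionRecord:
    version: str
    log: str
    userID: int


def safe_load(body):
    """The gist's solution path with explicit shape checks: a document that is
    not an object, or whose fields are missing or mistyped, is rejected."""
    doc = json.loads(body)          # raises ValueError on non-JSON input
    if not isinstance(doc, dict):
        raise ValueError("record must be a JSON object")
    version, log, user_id = doc.get("version"), doc.get("log"), doc.get("userID")
    if not isinstance(version, str) or not isinstance(log, str):
        raise ValueError("version and log must be strings")
    if not isinstance(user_id, int) or isinstance(user_id, bool):
        raise ValueError("userID must be an integer")
    return ExceptionRecord(version, log, user_id)


def is_rejected(body):
    """True when safe_load() refuses the body."""
    try:
        safe_load(body)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(unsafe_load(build_malicious_payload()))        # output of the spawned process
    print(safe_load(b'{"version": "1.2", "log": "KeyError: x", "userID": 42}'))
    print(is_rejected(build_malicious_payload()))         # True
```

The same malicious body fed to safe_load() is simply not JSON and is rejected; nothing in the JSON path can name a callable, which is the whole point of choosing a data-only format.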