Is your Python application
secure?
Frédéric Harper
@fharper
http://immun.io
Sr. Technical Evangelist @ IMMUNIO
Pycon Canada – 2015-11-07
Creative Commons: https://flic.kr/p/34T4Z
is security important?
Creative Commons: https://flic.kr/p/s8hvJo
do you have time?
Creative Commons: https://flic.kr/p/b7wRTX
do you have the expertise?
Creative Commons: https://flic.kr/p/n7qDvJ
do you have the money?
Creative Commons: https://flic.kr/p/rAG5dm
is your app that secure?
Creative Commons: https://flic.kr/p/bY6uU7
what about legacy apps?
Creative Commons: https://flic.kr/p/7fFQug
it’s probably happening, now
Creative Commons: https://flic.kr/p/acnkbU
...
warning
Creative Commons: https://flic.kr/p/oosB
I succeed if…
Creative Commons: https://flic.kr/p/ehZRGj
mess
with the best
die like the rest
SQL injection vulnerabilities allow attackers to modify the structure of SQL
queries in ways that allow for data exfiltration or manipulation of existing data.
SQL Injection (SQLi)
MIT: http://j.mp/1kKuced
no
password
require
Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on
your pages in your customers' browsers.
• Hijack of legitimate user sessions
• Disclosure of sensitive information
• Access to privileged services and functionality
• Delivery of malware and browser exploits from our trusted domain
Cross-Site Scripting
MIT: http://j.mp/1kKuced
Search
or not
Remote Command Execution vulnerabilities allow attackers to run arbitrary code
on your servers.
There are two classes of Remote Command Execution:
1. Shell Command Execution
2. Eval Execution.
Remote Command Execution
• Brute force
• Common username
• Cookie tampering
• CSRF tampering
• Excessive 4XX & 5XX
• HTTP method tampering
• HTTP response splitting
• Redirect
• Session farming
• Session hijack
• Stolen account
• Shellshock
• Suspicious Exception
• Suspicious HTTP header
• Unauthorized file access
• Username hijack
…
follow
the
white rabbit
anything from users is unsafe
Creative Commons: https://flic.kr/p/m2BKPn
import subprocess
from shlex import quote

# shell=True hands the command string to /bin/sh, so any shell syntax
# that ends up in it is interpreted
cp = subprocess.Popen('ls -l', shell=True)
# without shell=True the list goes straight to execve, which disables
# shell based features (like pipes) and the injection that comes with them
cp = subprocess.Popen(['ls', '-l'])

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(filename)
print(command)  # noooooooooo
# prints: ls -l somefile; rm -rf ~

filename = 'somefile; rm -rf ~'
command = 'ls -l {}'.format(quote(filename))
print(command)  # better luck next time
# prints: ls -l 'somefile; rm -rf ~'
shell & quote
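Added example, not from the slides: the three forms above (interpolated string, shlex.quote, argv list) tokenized the way a POSIX shell would read them, using shlex's punctuation_chars mode as a stand-in for the shell parser. The payloads are constructed, and the second one carries an embedded single quote, the case that naive "wrap it in quotes" handling gets wrong.

```python
import shlex
import subprocess


def shell_tokens(command):
    """Tokenize a command string roughly the way a POSIX shell does.

    shlex in punctuation_chars mode returns ';', '|', '&', '<', '>' and
    parentheses as their own tokens, so an injected ';' shows up as a
    command separator instead of as part of the filename.
    """
    return list(shlex.shlex(command, posix=True, punctuation_chars=True))


def unsafe_command(filename):
    # The slide's first form: the value is spliced into shell syntax.
    return "ls -l {}".format(filename)


def quoted_command(filename):
    # shlex.quote wraps the value in single quotes and escapes any single
    # quote inside it, so the shell sees exactly one word.
    return "ls -l {}".format(shlex.quote(filename))


def argv_command(filename):
    # Preferred form: no shell at all. Each list element is one argv entry,
    # so there is no syntax the input could break out of.
    return ["ls", "-l", filename]


def list_file(filename):
    """Run ls without a shell; returns (exit status, stdout)."""
    proc = subprocess.run(argv_command(filename), capture_output=True, text=True)
    return proc.returncode, proc.stdout


if __name__ == "__main__":
    payload = "somefile; rm -rf ~"  # constructed, same shape as the slide
    print("unsafe :", shell_tokens(unsafe_command(payload)))
    print("quoted :", shell_tokens(quoted_command(payload)))
    print("argv   :", argv_command(payload))
    # Embedded single quote: shlex.quote still yields a single word.
    print("quoted :", shell_tokens(quoted_command("it's; rm -rf ~")))
```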
# unsafe flask example
from flask import Flask, request

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name  # reflected into the page unescaped

# using escape function
# (flask.escape was removed in Flask 2.3; `from markupsafe import escape`
# is the same function)
from flask import escape

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % escape(name)
escape
use a framework
Creative Commons: https://flic.kr/p/cHto9S
# unsafe flask example
from flask import Flask, request, render_template

app = Flask(__name__)

@app.route("/")
def hello():
    name = request.args.get('name')
    return "Hello %s" % name

# using a template: Jinja2 autoescapes variables in .html templates
@app.route("/")
def hello():
    name = request.args.get('name')
    return render_template('hello.html', name=name)
# where templates/hello.html is:
# <html>Hello {{ name }}</html>
templates
# Unsafe example using the Python DB API
cmd = "update people set name='%s' where id='%s'" % (name, id)
curs.execute(cmd)

# Sanitize your parameters: pass them separately and let the driver
# bind them (note: no quotes around the placeholders)
cmd = "update people set name=%s where id=%s"
curs.execute(cmd, (name, id))
# Placeholder syntax depends on the database driver (its paramstyle):
# %s for psycopg2 and MySQLdb, ? for sqlite3
sanitize
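Added example, not from the slides: the slide's query patterns run against an in-memory sqlite3 database with constructed rows, so the difference between string interpolation and parameter binding shows up in the result sets. sqlite3 uses ? placeholders, which is the slide's point that the syntax depends on the database.

```python
import sqlite3


def make_db():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, zip_code TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, zip_code) VALUES (?, ?)",
        [("alice", "H2X 1Y4"), ("bob", "M5V 2T6"), ("carol", "H2X 1Y4")],
    )
    conn.commit()
    return conn


def users_by_zip_unsafe(conn, zipcode):
    # The slide's unsafe pattern: the value is formatted into the SQL text,
    # so a quote character in the input changes the query's structure.
    cmd = "SELECT name FROM users WHERE zip_code='%s' ORDER BY id" % (zipcode,)
    return [row[0] for row in conn.execute(cmd)]


def users_by_zip(conn, zipcode):
    # Parameterized: the driver sends the value out of band; it is compared
    # as data and can never become SQL syntax. No quotes around the '?'.
    cmd = "SELECT name FROM users WHERE zip_code=? ORDER BY id"
    return [row[0] for row in conn.execute(cmd, (zipcode,))]


def rename_user(conn, user_id, name):
    """The slide's UPDATE, parameterized for sqlite3; returns rows changed."""
    cur = conn.execute("UPDATE users SET name=? WHERE id=?", (name, user_id))
    conn.commit()
    return cur.rowcount


if __name__ == "__main__":
    conn = make_db()
    # A constructed input that only changes query structure when interpolated.
    probe = "' OR '1'='1"
    print("unsafe:", users_by_zip_unsafe(conn, probe))  # every row
    print("bound :", users_by_zip(conn, probe))         # nothing matches
    print("renamed rows:", rename_user(conn, 2, "robert"))
```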
# Unsafe example using the Python DB API
cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode,)
curs.execute(cmd)

# Using the Django ORM, we assign the data to the users variable;
# the ORM builds a parameterized query for us
users = Users.objects.filter(zip_code=zipcode)
object-relational mapper
# My awesome Python skills
s = 'print("Hello, World!")'
exec(s)

# Refactor using a function
def print_hello_world():
    print("Hello, World!")

print_hello_world()
avoid exec (if possible)
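Added example, not from the slides, of the two usual replacements for exec/eval on text that comes from a request: a dispatch table when the input names an operation, and ast.literal_eval when the input is really data. The action names and the second action are made up.

```python
import ast


def print_hello_world():
    # The slide's refactored function, returning instead of printing so
    # the result can be checked by a caller.
    return "Hello, World!"


def goodbye():
    return "Goodbye, World!"


# Allow-list of operations a request may name. The name is only ever used
# as a dictionary key; it is never turned into source code.
ACTIONS = {
    "hello": print_hello_world,
    "goodbye": goodbye,
}


def run_action(name):
    """Dispatch by name; anything not in ACTIONS is rejected, not executed."""
    try:
        action = ACTIONS[name]
    except KeyError:
        raise ValueError("unknown action: %r" % (name,))
    return action()


def parse_literal(text):
    """Parse the data people are tempted to eval(): numbers, strings,
    lists, dicts. literal_eval accepts literal syntax only and raises
    ValueError on names, calls and imports."""
    return ast.literal_eval(text)


if __name__ == "__main__":
    print(run_action("hello"))
    print(parse_literal("[1, 2, {'a': 3}]"))
    for bad in ("__import__('os')", "print_hello_world()"):
        try:
            parse_literal(bad)
        except ValueError as exc:
            print("rejected:", bad, "->", exc)
```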
ORM libraries
Source: http://www.fullstackpython.com/object-relational-mappers-orms.html
OWASP XSS Cheat Sheet
Strengths
• Scales Well
• Find issues like buffer overflows, SQL Injection Flaws with high confidence
Weaknesses
• Many types of security vulnerabilities are very difficult to find automatically, such as
authentication problems, access control issues, insecure use of cryptography, etc.
• High numbers of false positives.
• Frequently can't find configuration issues, since they are not represented in the code.
• Difficulty analyzing code that can't be compiled (code that depends on libraries, for example).
static code analysis
MIT: http://j.mp/1kKuced
XSScrapy
Runtime application self-protection (RASP) is a security technology that is built or
linked into an application or application runtime environment, and is capable of
controlling application execution and detecting and preventing real-time attacks.
RASP
IMMUNIO
Developers
• Use a cryptographically slow hash function (bcrypt & PBKDF2) to store passwords
• Stored procedures if possible
• Up-to-date frameworks & libraries
Devops
• HTTPS
• Web Application Firewall (WAF)
• Intrusion prevention systems (IPS)
• Up-to-date platform & infrastructure
trust… or not
to infinity... and beyond!
Creative Commons: https://flic.kr/p/8Z1Cxm
thanks
but
no thanks
stop
Creative Commons: https://flic.kr/p/gpVdD
I’m serious!
Creative Commons: https://flic.kr/p/9CG51N
plan for it
Creative Commons: https://flic.kr/p/5bn2nD
now.
Creative Commons: https://flic.kr/p/fA6vnM
nothing is 100% bulletproof
Creative Commons: https://flic.kr/p/hpE97
IMMUNIO – Real-time web application security - https://www.immun.io/
OWASP (Open Web Application Security Project) - https://www.owasp.org/
Security in Django - http://j.mp/1Q8VMBP
Security system in Pyramid - http://j.mp/1Q8VHxT
Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
XSScrapy - https://github.com/DanMcInerney/xsscrapy
www
Frédéric Harper
fharper@immun.io
@fharper
http://outofcomfortzone.net
http://immun.io

Contenu connexe

Tendances

TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawEC-Council
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 Sasaya Hu
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Imperva
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacksRoberto Suggi Liverani
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7  - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7  - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensicssecurityxploded
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Roberto Suggi Liverani
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksImperva
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automationsecurityxploded
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2   introduction to windows internalsReversing & malware analysis training part 2   introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internalssecurityxploded
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]securityxploded
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeMohammed A. Imran
 
Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resourcesAdam Baldwin
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationRoberto Suggi Liverani
 

Tendances (20)

TakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian CrenshawTakeDownCon Rocket City: WebShells by Adrian Crenshaw
TakeDownCon Rocket City: WebShells by Adrian Crenshaw
 
徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人 徒手打造自己的粉專客服機器人
徒手打造自己的粉專客服機器人
 
Anatomy of PHP Shells
Anatomy of PHP ShellsAnatomy of PHP Shells
Anatomy of PHP Shells
 
Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101Remote File Inclusion (RFI) Vulnerabilities 101
Remote File Inclusion (RFI) Vulnerabilities 101
 
Java Cloud and Container Ready
Java Cloud and Container ReadyJava Cloud and Container Ready
Java Cloud and Container Ready
 
Defending Against Application DoS attacks
Defending Against Application DoS attacksDefending Against Application DoS attacks
Defending Against Application DoS attacks
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
Advanced Malware Analysis Training Session 7  - Malware Memory ForensicsAdvanced Malware Analysis Training Session 7  - Malware Memory Forensics
Advanced Malware Analysis Training Session 7 - Malware Memory Forensics
 
Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012Window Shopping Browser - Bug Hunting in 2012
Window Shopping Browser - Bug Hunting in 2012
 
How to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI AttacksHow to Prevent RFI and LFI Attacks
How to Prevent RFI and LFI Attacks
 
Advanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing AutomationAdvanced Malware Analysis Training Session 5 - Reversing Automation
Advanced Malware Analysis Training Session 5 - Reversing Automation
 
JavaCro'15 - Beyond the basics of SonarQube improve your Java(Script) code ev...
JavaCro'15 - Beyond the basics of SonarQube improve your Java(Script) code ev...JavaCro'15 - Beyond the basics of SonarQube improve your Java(Script) code ev...
JavaCro'15 - Beyond the basics of SonarQube improve your Java(Script) code ev...
 
Reversing & malware analysis training part 2 introduction to windows internals
Reversing & malware analysis training part 2   introduction to windows internalsReversing & malware analysis training part 2   introduction to windows internals
Reversing & malware analysis training part 2 introduction to windows internals
 
File inclusion
File inclusionFile inclusion
File inclusion
 
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
Reversing & Malware Analysis Training Part 11 - Exploit Development [Advanced]
 
Software Requirements V1
Software Requirements V1Software Requirements V1
Software Requirements V1
 
Web-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting EnginesWeb-App Remote Code Execution Via Scripting Engines
Web-App Remote Code Execution Via Scripting Engines
 
Exploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null SingaporeExploit development 101 - Part 1 - Null Singapore
Exploit development 101 - Part 1 - Null Singapore
 
Attacking open source using abandoned resources
Attacking open source using abandoned resourcesAttacking open source using abandoned resources
Attacking open source using abandoned resources
 
Cross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitationCross Context Scripting attacks & exploitation
Cross Context Scripting attacks & exploitation
 

En vedette

Glen allen it business makes inc. 500 list | richmond biz sense
Glen allen it business makes inc. 500 list | richmond biz senseGlen allen it business makes inc. 500 list | richmond biz sense
Glen allen it business makes inc. 500 list | richmond biz senseKevin Gerber
 
Richard saavedra administracion-a
Richard saavedra administracion-aRichard saavedra administracion-a
Richard saavedra administracion-arichard_saavedra
 
Providing A Network Encryption Approach to reduce end-to-end Delay in MANET
Providing A Network Encryption Approach to reduce end-to-end Delay in MANETProviding A Network Encryption Approach to reduce end-to-end Delay in MANET
Providing A Network Encryption Approach to reduce end-to-end Delay in MANETEditor IJCATR
 
Certificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSER
Certificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSERCertificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSER
Certificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSERDavid Pires
 
Stacey Acuna Resume 2015
Stacey Acuna Resume 2015Stacey Acuna Resume 2015
Stacey Acuna Resume 2015Stacey Acuna
 
Top 8 bilingual teacher resume samples
Top 8 bilingual teacher resume samplesTop 8 bilingual teacher resume samples
Top 8 bilingual teacher resume sampleskingsmonkey15
 
Paragrafações de literatura
Paragrafações de literaturaParagrafações de literatura
Paragrafações de literaturama.no.el.ne.ves
 
Atividades de português ortografia, paragrafação
Atividades de português   ortografia, paragrafaçãoAtividades de português   ortografia, paragrafação
Atividades de português ortografia, paragrafaçãoPriscila Castro de Cara
 

En vedette (11)

Glen allen it business makes inc. 500 list | richmond biz sense
Glen allen it business makes inc. 500 list | richmond biz senseGlen allen it business makes inc. 500 list | richmond biz sense
Glen allen it business makes inc. 500 list | richmond biz sense
 
Richard saavedra administracion-a
Richard saavedra administracion-aRichard saavedra administracion-a
Richard saavedra administracion-a
 
Providing A Network Encryption Approach to reduce end-to-end Delay in MANET
Providing A Network Encryption Approach to reduce end-to-end Delay in MANETProviding A Network Encryption Approach to reduce end-to-end Delay in MANET
Providing A Network Encryption Approach to reduce end-to-end Delay in MANET
 
Certificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSER
Certificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSERCertificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSER
Certificado de Seminário sobre "lndustria Quimica e Petroquimica" ENDRESS+HAUSER
 
Stacey Acuna Resume 2015
Stacey Acuna Resume 2015Stacey Acuna Resume 2015
Stacey Acuna Resume 2015
 
can cant
can cantcan cant
can cant
 
PUB 2
PUB 2PUB 2
PUB 2
 
O buliiyng
O buliiyngO buliiyng
O buliiyng
 
Top 8 bilingual teacher resume samples
Top 8 bilingual teacher resume samplesTop 8 bilingual teacher resume samples
Top 8 bilingual teacher resume samples
 
Paragrafações de literatura
Paragrafações de literaturaParagrafações de literatura
Paragrafações de literatura
 
Atividades de português ortografia, paragrafação
Atividades de português   ortografia, paragrafaçãoAtividades de português   ortografia, paragrafação
Atividades de português ortografia, paragrafação
 

Similaire à PyCon Canada 2015 - Is your python application secure

Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxC4Media
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainInfosecTrain
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) securityNahidul Kibria
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015CODE BLUE
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxFernandoVizer
 
Web application security
Web application securityWeb application security
Web application securityRavi Raj
 
Slides
SlidesSlides
Slidesvti
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Aaron Hnatiw
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with PythonAndrii Soldatenko
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprintGo Chiba
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...Fedir RYKHTIK
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon praguehernanibf
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...Magno Logan
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9sumsid1234
 
Rapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesRapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesciklum_ods
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingVlatko Kosturjak
 

Similaire à PyCon Canada 2015 - Is your python application secure (20)

Modern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a FoxModern Web Security, Lazy but Mindful Like a Fox
Modern Web Security, Lazy but Mindful Like a Fox
 
OSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ InfosectrainOSCP Preparation Guide @ Infosectrain
OSCP Preparation Guide @ Infosectrain
 
Penetration testing web application web application (in) security
Penetration testing web application web application (in) securityPenetration testing web application web application (in) security
Penetration testing web application web application (in) security
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
 
OWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptxOWASP_Top_Ten_Proactive_Controls_v2.pptx
OWASP_Top_Ten_Proactive_Controls_v2.pptx
 
HARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVERHARDENING IN APACHE WEB SERVER
HARDENING IN APACHE WEB SERVER
 
PHP Security
PHP SecurityPHP Security
PHP Security
 
Origins of Serverless
Origins of ServerlessOrigins of Serverless
Origins of Serverless
 
Web application security
Web application securityWeb application security
Web application security
 
Slides
SlidesSlides
Slides
 
Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017Beyond OWASP Top 10 - TASK October 2017
Beyond OWASP Top 10 - TASK October 2017
 
Building Serverless applications with Python
Building Serverless applications with PythonBuilding Serverless applications with Python
Building Serverless applications with Python
 
Presentation on Japanese doc sprint
Presentation on Japanese doc sprintPresentation on Japanese doc sprint
Presentation on Japanese doc sprint
 
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 DDD17 - Web Applications Automated Security Testing in a Continuous Delivery... DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
DDD17 - Web Applications Automated Security Testing in a Continuous Delivery...
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
 
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and  Stefano di P...
AppSec EU 2009 - HTTP Parameter Pollution by Luca Carettoni and Stefano di P...
 
Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9Hacking Oracle From Web Apps 1 9
Hacking Oracle From Web Apps 1 9
 
Rapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devicesRapid java backend and api development for mobile devices
Rapid java backend and api development for mobile devices
 
Perl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testingPerl Usage In Security and Penetration testing
Perl Usage In Security and Penetration testing
 
Secure PHP Coding
Secure PHP CodingSecure PHP Coding
Secure PHP Coding
 

Dernier

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...apidays
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Jeffrey Haguewood
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusZilliz
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Angeliki Cooney
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodJuan lago vázquez
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024The Digital Insurer
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...apidays
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
Ransomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfRansomware_Q4_2023. The report. [EN].pdf
Ransomware_Q4_2023. The report. [EN].pdfOverkill Security
 

Dernier (20)

Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 

PyCon Canada 2015 - Is your python application secure

  • 1. Is your Python application secure? Frédéric Harper @fharper http://immun.io Sr. Technical Evangelist @ IMMUNIO Pycon Canada – 2015-11-07 CreativeCommons:https://flic.kr/p/34T4Z
  • 2. is security important? Creative Commons: https://flic.kr/p/s8hvJo
  • 3. do you have time? CreativeCommons:https://flic.kr/p/b7wRTX
  • 4. do you have the expertise? Creative Commons: https://flic.kr/p/n7qDvJ
  • 5. do you have the money? Creative Commons: https://flic.kr/p/rAG5dm
  • 6. is your app that secure? CreativeCommons:https://flic.kr/p/bY6uU7
  • 7. what about legacy apps? Creative Commons: https://flic.kr/p/7fFQug
  • 8. it’s probably happening, now Creative Commons: https://flic.kr/p/acnkbU
  • 9. ...
  • 11. I succeed if… Creative Commons: https://flic.kr/p/ehZRGj
  • 12. mess with the best die like the rest
  • 13. SQL Injection (SQLi): SQL injection vulnerabilities allow attackers to modify the structure of SQL queries in ways that allow for data exfiltration or manipulation of existing data.
  • 15. Cross-Site Scripting: Cross-Site Scripting (XSS) vulnerabilities allow attackers to run arbitrary code on your pages in your customers' browsers.
        - Hijack of legitimate user sessions
        - Disclosure of sensitive information
        - Access to privileged services and functionality
        - Delivery of malware and browser exploits from our trusted domain
  • 17. Remote Command Execution: Remote Command Execution vulnerabilities allow attackers to run arbitrary code on your servers. There are two classes of Remote Command Execution:
        1. Shell Command Execution
        2. Eval Execution
  • 18. Other attacks to watch for:
        - Brute force
        - Common username
        - Cookie tampering
        - CSRF tampering
        - Excessive 4XX & 5XX
        - HTTP method tampering
        - HTTP response splitting
        - Redirect
        - Session farming
        - Session hijack
        - Stolen account
        - Shellshock
        - Suspicious Exception
        - Suspicious HTTP header
        - Unauthorized file access
        - Username hijack
        - …
  • 20. anything from users is unsafe Creative Commons: https://flic.kr/p/m2BKPn
  • 21. shell & quote
        import subprocess
        from shlex import quote

        # shell=True hands the command to /bin/sh; with a list, only 'ls' is the
        # command string and '-l' becomes the shell's $0, not an argument to ls
        cp = subprocess.Popen(['ls', '-l'], shell=True)
        # no shell: disables shell based features (like no pipe), arguments stay separate
        cp = subprocess.Popen(['ls', '-l'])

        filename = 'somefile; rm -rf ~'
        command = 'ls -l {}'.format(filename)
        print(command)  # noooooooooo
        # >>> ls -l somefile; rm -rf ~

        filename = 'somefile; rm -rf ~'
        command = 'ls -l {}'.format(quote(filename))
        print(command)  # better luck next time
        # >>> ls -l 'somefile; rm -rf ~'
  • 22. escape
        from flask import Flask, request
        # flask.escape was removed in Flask 2.3; on older Flask: from flask import escape
        from markupsafe import escape

        app = Flask(__name__)

        # unsafe flask example: the query string is reflected into the page unescaped
        @app.route("/")
        def hello():
            name = request.args.get('name')
            return "Hello %s" % name

        # using escape function (separate endpoint so both routes fit in one app)
        @app.route("/safe")
        def hello_safe():
            name = request.args.get('name')
            return "Hello %s" % escape(name)
  • 23. use a framework Creative Commons: https://flic.kr/p/cHto9S
  • 24. templates
        from flask import Flask, request, render_template

        app = Flask(__name__)

        # unsafe flask example
        @app.route("/")
        def hello():
            name = request.args.get('name')
            return "Hello %s" % name

        # using a template: Jinja2 autoescapes {{ name }} in .html templates
        @app.route("/template")
        def hello_template():
            name = request.args.get('name')
            return render_template('hello.html', name=name)
        # where templates/hello.html is:
        # <html>Hello {{ name }}</html>
  • 25. sanitize
        # Unsafe example using the Python DB API
        cmd = "update people set name='%s' where id='%s'" % (name, id)
        curs.execute(cmd)

        # Sanitize your parameters: pass them separately so the driver binds them
        cmd = "update people set name=%s where id=%s"
        curs.execute(cmd, (name, id))
        # Placeholder syntax depends on the database driver (its DBAPI paramstyle):
        # %s for psycopg2 / MySQLdb, ? for sqlite3
  • 26. object-relational mapper
        # Unsafe example using the Python DB API
        cmd = "SELECT * FROM USERS WHERE zip_code='%s'" % (zipcode,)
        curs.execute(cmd)

        # Using Django ORM, we assign the data to users variable;
        # the ORM parameterises the query for us
        users = Users.objects.filter(zip_code=zipcode)
  • 27. avoid exec (if possible)
        # My awesome Python skills
        s = 'print("Hello, World!")'
        exec(s)

        # Refactor using a function
        def print_hello_world():
            print("Hello, World!")

        print_hello_world()
  • 30. static code analysis
        Strengths
        - Scales well
        - Finds issues like buffer overflows and SQL injection flaws with high confidence
        Weaknesses
        - Many types of security vulnerabilities are very difficult to find automatically, such as authentication problems, access control issues, insecure use of cryptography, etc.
        - High numbers of false positives.
        - Frequently can't find configuration issues, since they are not represented in the code.
        - Difficulty analyzing code that can't be compiled (code using libraries, for example).
  • 32. RASP: Runtime application self-protection (RASP) is a security technology that is built or linked into an application or application runtime environment, and is capable of controlling application execution and detecting and preventing real-time attacks.
  • 34. trust… or not
        Developers
        - Use a cryptographically slow hash function (bcrypt & PBKDF2) to store passwords
        - Stored procedures if possible
        - Up-to-date frameworks & libraries
        Devops
        - HTTPS
        - Web Application Firewall (WAF)
        - Intrusion prevention systems (IPS)
        - Up-to-date platform & infrastructure
  • 35. to infinity... and beyond! Creative Commons: https://flic.kr/p/8Z1Cxm
  • 39. plan for it Creative Commons: https://flic.kr/p/5bn2nD
  • 41. nothing is 100% bulletproof Creative Commons: https://flic.kr/p/hpE97
  • 42. www
        IMMUNIO – Real-time web application security - https://www.immun.io/
        OWASP (Open Web Application Security Project) - https://www.owasp.org/
        Security in Django - http://j.mp/1Q8VMBP
        Security system in Pyramid - http://j.mp/1Q8VHxT
        Bobby Tables: A guide to preventing SQL injection - http://bobby-tables.com/
        XSS Filter Evasion Cheat Sheet - http://j.mp/1Q97hsW
        XSScrapy - https://github.com/DanMcInerney/xsscrapy
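Slide 21's shell point, worked through as an added example that is not from the talk: the filename travels either as its own argv element (no shell) or wrapped with shlex.quote, and a Python child is spawned via sys.executable to confirm the hostile-looking name arrives as one intact argument. The function names and the sample filename are my own.

```python
import shlex
import subprocess
import sys


def argv_for_ls(filename):
    """Safest form: an argument list and no shell, so the filename is one argv element."""
    return ["ls", "-l", filename]


def shell_line_for_ls(filename):
    """If a shell string is unavoidable, shlex.quote turns the filename into one token."""
    return "ls -l {}".format(shlex.quote(filename))


def shell_tokens(command_line):
    """Tokenise with POSIX shell quoting rules, without running anything.
    (shlex.split keeps ';' inside a word; a real shell would start a second command there.)"""
    return shlex.split(command_line)


def argument_received(filename):
    """Spawn a Python child without a shell and return the single argv[1] it received."""
    child = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1], end='')", filename],
        capture_output=True,
        text=True,
        check=True,
    )
    return child.stdout


if __name__ == "__main__":
    hostile = "somefile; rm -rf ~"  # constructed sample, the slide's payload
    print(argv_for_ls(hostile))
    print(shell_line_for_ls(hostile))                 # ls -l 'somefile; rm -rf ~'
    print(shell_tokens("ls -l {}".format(hostile)))   # six tokens: the name split apart
    print(shell_tokens(shell_line_for_ls(hostile)))   # three tokens: the name kept whole
    print(argument_received(hostile))                 # somefile; rm -rf ~
```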
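Slides 25 and 26's parameterisation point, as an added example that is not from the talk, using the stdlib sqlite3 driver (so the placeholder is ? rather than the %s shown for other drivers). The table, its rows and the sample inputs are constructed; the unsafe function reproduces the slide's string-formatting pattern beside the bound-parameter form.

```python
import sqlite3


def make_db():
    """In-memory sample database (constructed data, not from the slides)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, zip_code TEXT)")
    conn.executemany(
        "INSERT INTO users (name, zip_code) VALUES (?, ?)",
        [("alice", "H2X 1Y4"), ("bob", "M5V 2T6"), ("carol", "H2X 1Y4")],
    )
    return conn


def users_by_zip_unsafe(conn, zipcode):
    """The slide's unsafe pattern: the value is pasted into the SQL text itself."""
    cmd = "SELECT name FROM users WHERE zip_code='%s' ORDER BY name" % (zipcode,)
    return [row[0] for row in conn.execute(cmd)]


def users_by_zip_safe(conn, zipcode):
    """Parameterised: sqlite3 uses '?' (paramstyle 'qmark'); psycopg2 and MySQLdb
    use '%s' (paramstyle 'format'). Check the driver's DBAPI paramstyle attribute."""
    cmd = "SELECT name FROM users WHERE zip_code=? ORDER BY name"
    return [row[0] for row in conn.execute(cmd, (zipcode,))]


if __name__ == "__main__":
    db = make_db()
    hostile = "' OR '1'='1"  # constructed input: closes the quote, adds an always-true clause
    print(users_by_zip_safe(db, "H2X 1Y4"))  # ['alice', 'carol']
    print(users_by_zip_unsafe(db, hostile))  # every row: the WHERE clause became always-true
    print(users_by_zip_safe(db, hostile))    # []: the input is bound as a literal zip code
```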

Editor's notes

  1. START CAMSTUDIO ZOOM – CMD + ALT + 8
  2. http://www.codebashing.com/log_in trader@bank.com trader ‘ ‘’ ' or 1=1)#
  3. http://www.insecurelabs.org/Talk <script>alert('Hi!')</script> http://www.insecurelabs.org/Search.aspx?Query=%3Cscript%3Ealert%28%27Hi%21%27%29%3C%2Fscript%3E
  4. Is unsafe
  5. cd Immunio/xsscrapy/ ./xsscrapy.py -u http://www.insecurelabs.org/