Practical Django Security

Andy Dai

Software Security is HARD!

Quick Investigation

OWASP TOP 10 2013

10. Unvalidated Redirects and Forwards

http://www.example.com/redirect.jsp?url=evil.com

SOLUTION: Be careful!

9. Using Components with Known Vulnerabilities

SOLUTION: Check often and Upgrade often

8. Cross Site Request Forgery

SOLUTION: CSRF token & CAPTCHA

7. Missing Function Level Access Control

SOLUTION: Control your access

Django Provides

• @login_required

• Access Mixins in django-braces

6. Sensitive Data Exposure

Forget your password

NO SSL

SOLUTION: SSL & Encrypt all sensitive data

django-encrypted-fields

5. Security Misconfiguration

• Use default username/password

• Directory listing

• Debug Mode

4. Insecure Direct Object References

http://example.com/app/accountInfo?acct=notmyacct

SOLUTION: Access Control

3. Cross-Site Scripting(XSS)

SOLUTION: Check user input. Escape!

Django Template will do this for you

2. Broken Authentication and Session Management

h\p://example.com/sale/saleitems;jsessionid=

2P0OC2JDPXM0OQSNDLPSKHCJUN2JV?dest=Hawaii

1. Injection

SOLUTION

• Don’t Use SQL directly

• Check user input

• Turn off debug mode

Software Security is HARD!

Other Rules

Don’t mixing up data and code

What is code? What is data?

Explicit is better than implicit

class ArticleForm(ModelForm): class Meta: model = Article fields = ['pub_date', 'headline', 'content', ]

class ArticleForm(ModelForm): class Meta: model = Article exclude = ['id', ]

v.s

Don’t reinvent the wheel

Look to assert what is supposed to happen in

your application

Software Security is IMPORTANT!!

Q&A