The Python language is used in many different settings – from command-line tools to complex Web applications. Many of these Python programs are exposed to attack, either by being directly accessible through the Internet or by directly processing user-provided data in a server environment. Developers must therefore be extremely cautious in how to use different technologies securely, and should also have a deep understanding in secure coding techniques and potential pitfalls.
Interested in attending? Have a suggestion about running this event near you?
Register your interest now
Description
Client-side security
JavaScript security
Same Origin Policy
Simple requests
Preflight requests
Exercise – Same-Origin Policy
JavaScript usage
JavaScript Global Object
Dangers of JavaScript
Exercise – Client-side authentication
Client-side authentication and password management
Protecting JavaScript code
Clickjacking
Clickjacking
Exercise – IFrame, Where is My Car?
Protection against Clickjacking
Anti frame-busting – dismissing protection scripts
Protection against busting frame busting
AJAX security
XSS in AJAX
Script injection attack in AJAX
Exercise – XSS in AJAX
XSS protection in AJAX
Exercise CSRF in AJAX – JavaScript hijacking
CSRF protection in AJAX
HTML5 security
New XSS possibilities in HTML5
HTML5 clickjacking attack – text field injection
HTML5 clickjacking – content extraction
Form tampering
Exercise – Form tampering
Cross-origin requests
HTML proxy with cross-origin request
Exercise – Client side include
XML security
Introduction
XML parsing
XML parsing in Python
XML bomb
Exercise – XML bomb
JSON security
Introduction
Embedding JSON server-side
JSON injection
JSON hijacking
Case study – XSS via spoofed JSON element
Python security architecture
Python architecture
Python applications and their attack surfaces
Authentication and authorization
Authentication in Python
Authorization in Python
Authentication and authorization in Django
Authentication and authorization in Flask
Code protection in Python
Python bytecode
Obfuscation
Modifying the Python runtime
Weaknesses in the techniques
Other protection methods
Related security issues
Sandboxing
Practical cryptography
Rule #1 of implementing cryptography
Cryptosystems
Elements of a cryptosystem
Cryptographic libraries in Python – overview
Symmetric-key cryptography
Providing confidentiality with symmetric cryptography
Symmetric encryption algorithms
Modes of operation
Symmetric encryption
Other cryptographic algorithms
Hash or message digest
Hash algorithms
SHAttered
Hashing
Message Authentication Code (MAC)
Providing integrity and authenticity with a symmetric key
Random number generation
Random numbers and cryptography
Cryptographically-strong PRNGs
Weak PRNGs in Python
Random numbers
Hardware-based TRNGs
Asymmetric (public-key) cryptography
Providing confidentiality with public-key encryption
Rule of thumb – possession of private key
The RSA algorithm
Introduction to RSA algorithm
Encrypting with RSA
Combining symmetric and asymmetric algorithms
Digital signing with RSA
Asymmetric encryption
Public Key Infrastructure (PKI)
Man-in-the-Middle (MitM) attack
Digital certificates against MitM attack
Certificate Authorities in Public Key Infrastructure
X.509 digital certificate
Common coding errors and vulnerabilities
Input validation
Input validation concepts
Integer problems
Representation of negative integers
Integer overflow
Integers in Python
Integer problems in Python
Exercise IntOverflow
Path traversal vulnerability
Path traversal vulnerability
Path traversal – weak protections
Path traversal – best practices
Path traversal mitigation
Unvalidated redirects and forwards
Redirects in Django
Log forging
Some other typical problems with log files
Executing user-controlled code in Python
Dangerous code execution – eval() and exec()
Dangerous code execution – input()
String formatting issues in Python
Format string problems in Python
Information leakage – can you guess the output?
Improper use of security features
Typical problems related to the use of security features
Password management
Exercise – Weakness of hashed passwords
Password management and storage
Special purpose hash algorithms for password storage
PBKDF2 and scrypt implementations in Python
Argon2 and bcrypt implementations in Python
Case study – the Ashley Madison data breach
Typical mistakes in password management
Dangers of reflection in Python
Python introspection and reflection – features and risks
Dynamic loading
Module injection
Monkey patching
Monkey patching example
Function hijacking
Exercise – Module injection in Python
Improper error and exception handling
Typical problems with error and exception handling
Exception handling in Python
Empty except block
Overly broad except
Using multi-except
Returning from finally block – spot the bug!
Exercise ErrorHandling – spot the bug!
Exercise – Error handling
Relying on assertions for error checking – spot the bug!
Time and state problems
Concurrency and threading
Concurrency issues in Python
Concurrency modules in Python
The threading module
Synchronization options
The Global Interpreter Lock
Performance and the GIL
GIL management
Bypassing the GIL
A quote from Guido van Rossum
Pools
Exercise – GIL performance
Exercise – Concurrency issues
Time-of-check-to-time-of-use (TOCTTOU)
Serialization errors
Preventing file I/O TOCTTOU in Python
Exercise - TOCTTOU
Code quality problems
Dangers arising from poor code quality
Immutability
Immutability
Immutability – guess the output!
Context managers
Resource management in Python
Releasing resources – spot the bug!
An even better solution
Behind the with statement
@contextmanager decorator – spot the bug!
@contextmanager decorator – handling error
Denial of service
DoS introduction
Asymmetric DoS
Regular expression DoS (ReDoS)
Exercise ReDoS
ReDoS mitigation
Case study – ReDos in Stack Exchange
Hashtable collision attack
Using hashtables to store data
Hashtable collision
Hash tables in Python
Principles of security and secure coding
Matt Bishop’s principles of robust programming
The security principles of Saltzer and Schroeder
Knowledge sources
Secure coding sources – a starter kit
Vulnerability databases
Python secure coding resources
Recommended books – Python security
Learning Outcomes
- Understand basic concepts of security, IT security and secure coding
- Learn Web vulnerabilities beyond OWASP Top Ten and know how to avoid them
- Learn about XML security
- Learn client-side vulnerabilities and secure coding practices
- Understand security concepts of Web services
- Learn about JSON security
- Learn about Python security architecture
- Have a practical understanding of cryptography
- Learn about typical coding mistakes and how to avoid them
- Learn about denial of service attacks and protections
- Get sources and further readings on secure coding practices