CS1520 Recitation: Security in Flask
Jeongmin Lee
Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/
Plan for Today
  XSS (Cross Site Scripting)
  CSRF (Cross-Site Request Forgery)
  SQL Injection
  Authentication and Authorization
XSS
Cross Site Scripting (XSS) is an attack that tries to make your website or application load a malicious script in the user's browser.
  The script may try to access the user's credentials, read cookies, modify settings, download files, etc.
  It can be avoided by escaping output text and validating user input.
XSS
In Flask, Jinja2 is configured by default to auto-escape all values rendered into the page (http://jinja.pocoo.org/docs/dev/extensions/#autoescape-extension).
XSS
More considerations for securing your application against XSS:
  avoid generating HTML without Jinja2
  avoid sending out data from uploaded files
  avoid using the Markup class on unverified data sent by a user
  always quote the attribute values in your templates.
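The last two points above are easiest to see with actual markup. The following is an added example (it is not code from the slides or from the linked blog post): it uses the standard library's html.escape, which applies the same escaping of <, >, & and quotes that Jinja2's autoescape does, and the standard HTMLParser to show what a browser would see. The user values, the "render_*" helper names and the Markup-like raw renderer are all constructed for the illustration.

```python
"""Added example: escaped vs. unescaped output, and quoted vs. unquoted
attribute values. Stand-in for Jinja2 autoescape using only the stdlib."""
import html
from html.parser import HTMLParser

# Constructed user-supplied values (not from the slides).
USER_NAME = 'Mallory <script>alert("x")</script>'
USER_ATTR = "alice class=admin"   # contains no <, >, & or quotes at all


def render_escaped(name):
    """Equivalent of {{ name }} in a text node with autoescape on."""
    return f"<p>Hello {html.escape(name, quote=True)}</p>"


def render_as_markup(name):
    """Equivalent of {{ Markup(name) }} or {{ name|safe }}: the value is
    marked as trusted HTML and inserted verbatim, so a <script> survives.
    This is what 'avoid Markup on unverified user data' warns about."""
    return f"<p>Hello {name}</p>"


def render_unquoted_attr(value):
    """Template wrote <input value={{ value }}> without quotes. Escaping
    only touches <, >, & and quotes; a plain space and '=' pass through,
    so the value can spill into a second attribute."""
    return f"<input value={html.escape(value, quote=True)}>"


def render_quoted_attr(value):
    """Template wrote <input value="{{ value }}">. Any quote inside the
    value becomes &quot;, so the value cannot close the attribute."""
    return f'<input value="{html.escape(value, quote=True)}">'


class _InputAttrs(HTMLParser):
    """Collect the attributes a browser would assign to the <input>."""

    def __init__(self):
        super().__init__()
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            self.attrs = dict(attrs)


def parse_input_attrs(fragment):
    parser = _InputAttrs()
    parser.feed(fragment)
    return parser.attrs


if __name__ == "__main__":
    print(render_escaped(USER_NAME))
    print(render_as_markup(USER_NAME))
    print(parse_input_attrs(render_unquoted_attr(USER_ATTR)))
    print(parse_input_attrs(render_quoted_attr(USER_ATTR)))
```

With the unquoted template the browser sees two attributes, value="alice" and class="admin", even though every character was "escaped"; with the quoted template it sees the single attribute the developer intended. Autoescaping protects text nodes and quoted attributes; it does not rescue an unquoted attribute, which is why the slide says to always quote them.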
CSRF
Cross-Site Request Forgery (CSRF) is an attack that uses the user's authentication credentials (for example, the session cookie the browser sends automatically) to execute unwanted actions. To defend against CSRF, generate a random string and verify it against a hidden field in each POST request.
CSRF
(token generation and verification; source: http://flask.pocoo.org/snippets/3/)
CSRF
Put this in your template: (hidden token field; source: http://flask.pocoo.org/snippets/3/)
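The code from the linked snippet is not reproduced on the slides, so here is an added example of the same synchronizer-token pattern (it is not the snippet itself and not code from the slides). It stands in a plain dict for Flask's session and request.form so it runs without Flask; the field name "_csrf_token" and the helper names are assumptions. In a real Flask app the check would live in a before_request hook and the generator would be exposed to templates as a Jinja2 global.

```python
"""Added example: per-session random CSRF token, stored server-side in the
session and echoed back through a hidden form field on every POST."""
import hmac
import secrets

TOKEN_FIELD = "_csrf_token"   # assumed field name, used in session and form


def generate_csrf_token(session):
    """Create the random string once per session and reuse it. The
    template renders it as:
    <input type="hidden" name="_csrf_token" value="...">"""
    if TOKEN_FIELD not in session:
        session[TOKEN_FIELD] = secrets.token_urlsafe(32)
    return session[TOKEN_FIELD]


def verify_csrf_token(session, form):
    """Run before handling any POST. A cross-site page can make the
    browser send the victim's cookie, but it cannot read the token that
    lives in the victim's session, so it cannot fill in the field."""
    expected = session.get(TOKEN_FIELD)
    submitted = form.get(TOKEN_FIELD)
    if not expected or not submitted:
        return False
    # constant-time comparison so the check leaks nothing about the token
    return hmac.compare_digest(expected, submitted)


def handle_post(session, form):
    """Mimics a protected view: returns an HTTP status and a message."""
    if not verify_csrf_token(session, form):
        return 403, "CSRF token missing or invalid"
    return 200, "ok"


def demo():
    """Three POSTs against one session: legitimate, forged, wrong token."""
    session = {}
    token = generate_csrf_token(session)          # rendered into our page
    legit = handle_post(session, {TOKEN_FIELD: token, "email": "a@b"})
    forged = handle_post(session, {"email": "attacker@b"})   # no field
    other = generate_csrf_token({})               # token of some other session
    mismatch = handle_post(session, {TOKEN_FIELD: other})
    return legit[0], forged[0], mismatch[0]


if __name__ == "__main__":
    print(demo())
```

The token must be unpredictable (secrets, not random) and must be tied to the session, not to the page; comparing with hmac.compare_digest keeps the check constant-time.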
SQL Injection
SQL Injection is an attack where users inject SQL commands through an input form and have them executed on the server.
  The injected SQL can be anything and can be very harmful.
  Your application is exposed to this attack when you dynamically create SQL statements, e.g. by concatenating user input into the query text.
SQL Injection
By default SQLAlchemy quotes special characters such as semicolons or apostrophes in the values you pass to a query.
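To make the difference between "concatenating user input" and "letting the driver quote the value" concrete, here is an added example (not from the slides, and not using SQLAlchemy) that runs the same lookup both ways against an in-memory SQLite database with two constructed rows. The parameterized form is what SQLAlchemy does for you when you pass values instead of building the statement text.

```python
"""Added example: dynamically built SQL vs. a bound parameter, on sqlite3."""
import sqlite3

# Constructed rows; the apostrophe in the second name is deliberate.
ROWS = [("alice", "alice@example.org"), ("o'brien", "ob@example.org")]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", ROWS)
    return conn


def find_email_unsafe(conn, name):
    """The input becomes part of the SQL text, so anything the user types
    is parsed as SQL. This is the pattern the slide warns against."""
    sql = "SELECT email FROM users WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]


def find_email_safe(conn, name):
    """Bound parameter: the driver quotes/escapes the value itself, so it
    can only ever be compared with the column, never executed."""
    sql = "SELECT email FROM users WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]


def compare(name):
    """Run both versions on the same input; report an error name if the
    concatenated statement no longer parses."""
    conn = make_db()
    try:
        unsafe = find_email_unsafe(conn, name)
    except sqlite3.Error as exc:
        unsafe = "error: " + type(exc).__name__
    safe = find_email_safe(conn, name)
    conn.close()
    return unsafe, safe


if __name__ == "__main__":
    for value in ("alice", "o'brien", "x' OR '1'='1"):
        print(repr(value), "->", compare(value))
```

A legitimate name containing an apostrophe already breaks the concatenated statement (a syntax error) while the parameterized one returns the right row; the textbook tautology input shows why that matters, since the concatenated query returns every row and the parameterized query correctly returns none. Use parameters (or SQLAlchemy's query API) for every value that comes from a user.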
Authentication and Authorization
  Authentication verifies the user's identity by validating his/her credentials (username / email, password).
  Authorization verifies whether the authenticated user has access to a given resource.
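The two steps are easy to conflate, so here is an added example (not from the slides, and not Flask-Security code) that separates them using only the standard library: a salted PBKDF2 hash check answers "who is this?", and a role lookup answers "may they do this?". The in-memory user records, role names and helper names are constructed; in a Flask-Security app the User/Role models and its roles_required decorator play these parts.

```python
"""Added example: authentication (credential check against a salted hash)
kept separate from authorization (role check against a resource)."""
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000   # assumed work factor for the demo


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per user means equal
    passwords do not produce equal digests."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def register(datastore, email, password, roles, active=True):
    """Store only salt + digest, never the password itself."""
    salt, digest = hash_password(password)
    datastore[email] = {"salt": salt, "digest": digest,
                        "roles": set(roles), "active": active}


def authenticate(datastore, email, password):
    """Authentication: does the presented credential match the stored hash?
    Returns the verified identity (email) or None."""
    rec = datastore.get(email)
    if rec is None or not rec["active"]:
        return None
    _, digest = hash_password(password, rec["salt"])
    return email if hmac.compare_digest(digest, rec["digest"]) else None


def authorize(datastore, email, required_role):
    """Authorization: does this already-verified user hold the role the
    resource requires?"""
    rec = datastore.get(email)
    return rec is not None and required_role in rec["roles"]


def access(datastore, email, password, required_role):
    """A resource handler: 401 when identity cannot be verified, 403 when
    the identity is verified but lacks the role, 200 otherwise."""
    user = authenticate(datastore, email, password)
    if user is None:
        return 401
    if not authorize(datastore, user, required_role):
        return 403
    return 200


def seed_users():
    """Constructed sample datastore: one admin, one regular user,
    one deactivated user."""
    ds = {}
    register(ds, "root@example.org", "correct horse", ["admin", "user"])
    register(ds, "bob@example.org", "battery staple", ["user"])
    register(ds, "old@example.org", "retired", ["user"], active=False)
    return ds


if __name__ == "__main__":
    ds = seed_users()
    print(access(ds, "root@example.org", "correct horse", "admin"))  # 200
    print(access(ds, "bob@example.org", "battery staple", "admin"))  # 403
    print(access(ds, "bob@example.org", "wrong", "user"))            # 401
```

Note that a wrong password and an unknown or inactive account both yield the same 401, so the response does not reveal which accounts exist, and that the role check only ever runs on an identity that authentication has already confirmed.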
Flask-Security
Flask-Security internally uses a User and a Role data model, which can be defined via the SQLAlchemy API. You can inherit from Flask-Security's UserMixin and RoleMixin classes to build your own.
from flask_sqlalchemy import SQLAlchemy
from flask_security import RoleMixin, UserMixin

db = SQLAlchemy()   # the app's SQLAlchemy instance (assumed; created with the app elsewhere)

# association table for the many-to-many relationship between users and roles
roles_users = db.Table('roles_users',
    db.Column('user_id', db.Integer(), db.ForeignKey('user.id')),
    db.Column('role_id', db.Integer(), db.ForeignKey('role.id')))


class Role(db.Model, RoleMixin):
    id = db.Column(db.Integer(), primary_key=True)
    name = db.Column(db.String(80), unique=True)
    description = db.Column(db.String(255))

    def __init__(self, name):
        self.name = name


class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True)
    password = db.Column(db.String(255))
    active = db.Column(db.Boolean())
    # roles is a list of Role objects; Role.users is the reverse side
    roles = db.relationship('Role', secondary=roles_users,
                            backref=db.backref('users', lazy='dynamic'))

    def __init__(self, email, password, active, roles):
        self.email = email
        self.password = password
        self.active = active
        self.roles = roles

source: https://damyanon.net/post/flask-series-security/
Flask-Security
The User class derives from UserMixin, the default user implementation from Flask-Login; likewise the Role class derives from RoleMixin. SQLAlchemy is used for both User and Role objects. The following configuration is added to use Flask-Security (which builds on Flask-Login) with SQLAlchemy:
from flask_security import Security, SQLAlchemyUserDatastore

def configure_app(app):
    ...
    # Configure Security: the datastore tells Flask-Security how to load
    # User and Role rows through SQLAlchemy
    user_datastore = SQLAlchemyUserDatastore(db, User, Role)
    app.security = Security(app, user_datastore)
    ...

A complete explanation of the Flask-Security configuration is here: https://pythonhosted.org/flask-security/configuration.html
source: https://damyanon.net/post/flask-series-security/
Questions?