Web Application Security in Python

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software

The OWASP Top Ten

• OWASP Top 10 – 2017
• A1 – Injection
  • Injection principles
  • Injection attacks
  • SQL injection
    • SQL injection basics
    • Lab – SQL injection
    • Attack techniques
    • Content-based blind SQL injection
    • Time-based blind SQL injection
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Additional considerations
    • Lab – SQL injection best practices
    • Case study – Hacking Fortnite accounts
  • Code injection
    • Code injection via input()
    • OS command injection
      • Lab – Command injection
      • OS command injection best practices
      • Avoiding command injection with the right APIs
      • Lab – Command injection best practices
      • Case study – Shellshock
      • Lab – Shellshock
      • Case study – Command injection via ping
    • Script injection
      • Server-side template injection (SSTI)
      • Lab – Template injection
  • General protection best practices
• A2 – Broken Authentication
  • Authentication basics
  • Multi-factor authentication
  • Authentication weaknesses – spoofing
  • Spoofing on the Web
  • Case study – PayPal 2FA bypass
  • Password management
    • Inbound password management
    • Storing account passwords
    • Password in transit
    • Lab – Is just hashing passwords enough?
    • Dictionary attacks and brute forcing
    • Salting
    • Adaptive hash functions for password storage
    • Password policy
      • NIST authenticator requirements for memorized secrets
    • Case study – The Ashley Madison data breach
      • The dictionary attack
      • The ultimate crack
      • Exploitation and the lessons learned
    • Password database migration
      • (Mis)handling None passwords

DAY 2

The OWASP Top Ten

• A2 – Broken Authentication
  • Password management
    • Outbound password management
      • Hard coded passwords
      • Best practices
      • Lab – Hardcoded password
      • Protecting sensitive information in memory
        • Challenges in protecting memory
  • Session management
    • Session management essentials
    • Session ID best practices
    • Why do we protect session IDs – Session hijacking
    • Session fixation
    • Session handling in Flask
• A3 – Sensitive Data Exposure
  • Information exposure
  • Exposure through extracted data and aggregation
  • Case study – Strava data exposure
  • Error and exception handling principles
• A4 – XML External Entities (XXE)
  • DTD and the entities
  • Entity expansion
  • Lab – Billion laughs attack
  • External Entity Attack (XXE)
    • File inclusion with external entities
    • Server-Side Request Forgery with external entities
    • Lab – External entity attack
    • Case study – XXE vulnerability in SAP Store
    • Preventing XXE
    • Lab – Using non-vulnerable parsers
• A5 – Broken Access Control
  • Access control basics
  • Failure to restrict URL access
  • Confused deputy
    • Insecure direct object reference (IDOR)
    • Lab – Insecure Direct Object Reference
    • Authorization bypass through user-controlled keys
    • Case study – Authorization bypass on Facebook
    • Lab – Horizontal authorization
  • File upload
    • Unrestricted file upload
    • Good practices
    • Lab – Unrestricted file upload
• A6 – Security Misconfiguration
  • Configuration principles
  • Python configuration best practices
    • Configuring Flask
• A7 – Cross-site Scripting (XSS)
  • Cross-site scripting basics
  • Cross-site scripting types
    • Persistent cross-site scripting
    • Reflected cross-site scripting
    • Client-side (DOM-based) cross-site scripting
    • Lab – Stored XSS
    • Lab – Reflected XSS
    • Case study – XSS in Fortnite accounts
  • XSS protection best practices
    • Protection principles – escaping
    • XSS protection APIs in Python
    • XSS protection in Jinja2
    • Lab – XSS fix / stored
    • Lab – XSS fix / reflected
    • Additional protection layers
    • Client-side protection principles
• A8 – Insecure Deserialization
  • Serialization and deserialization challenges
  • Deserializing untrusted streams
  • Deserialization with pickle
  • Lab – Deserializing with Pickle
  • PyYAML deserialization challenges
  • Deserialization best practices

DAY 3

The OWASP Top Ten

• A9 – Using Components with Known Vulnerabilities
  • Using vulnerable components
  • Assessing the environment
  • Hardening
  • Untrusted functionality import
  • Malicious packages in Python
  • Importing JavaScript
  • Lab – Importing JavaScript
  • Case study – The British Airways data breach
  • Vulnerability management
    • Patch management
    • Vulnerability databases
• A10 – Insufficient Logging & Monitoring
  • Logging and monitoring principles
  • Insufficient logging
  • Plaintext passwords at Facebook
  • Logging best practices
  • Monitoring best practices
• Web application security beyond the Top Ten
  • Client-side security
  • Same Origin Policy
    • Lab – Same-origin policy demo
    • Tabnabbing
    • Lab – Reverse tabnabbing
  • Frame sandboxing
    • Cross-Frame Scripting (XFS) attack
    • Lab – Clickjacking
    • Clickjacking beyond hijacking a click
    • Clickjacking protection best practices
    • Lab – Using CSP to prevent clickjacking

Common software security weaknesses

• Input validation
  • Input validation principles
    • Blacklists and whitelists
    • Data validation techniques
    • Lab – Input validation
    • What to validate – the attack surface
    • Where to validate – defense in depth
    • How to validate – validation vs transformations
    • Output sanitization
    • Encoding challenges
    • Lab – Encoding challenges
    • Validation with regex
    • Regular expression denial of service (ReDoS)
    • Lab – Regular expression denial of service (ReDoS)
    • Dealing with ReDoS
  • Files and streams
    • Path traversal
    • Path traversal-related examples
    • Lab – Path traversal
    • Additional challenges in Windows
    • Virtual resources
    • Path traversal best practices
    • Format string issues
  • Unsafe native code
    • Native code dependence
    • Lab – Unsafe native code
    • Best practices for dealing with native code

JSON security

• JSON injection
• Dangers of JSONP
• JSON/JavaScript hijacking
• Best practices
• Case study – ReactJS vulnerability in HackerOne

Wrap up

• Secure coding principles
  • Principles of robust programming by Matt Bishop
  • Secure design principles of Saltzer and Schröder
• And now what?
  • Software security sources and further reading
  • Python resources