A Beginner's Guide to Security Exploits in Action
by Ashley Mathew & Mario de la Ossa
pretalx.com/dj...
It’s one thing to read the Django security page and follow the recommendations. It’s something completely different to actually understand why those recommendations exist.
The talk will cover 5 different security vulnerabilities (spending ~5 mins on each) that are baked into a fake MySpace clone:
HTML serialization: Why supporting custom HTML is cool, but also dangerous
The penalties of using a guessable SECRET_KEY: How one might use it to abuse sessions
The downfalls of stepping outside the ORM: How to write a more complex query and accidentally make it vulnerable to SQL injection
Consider setting ALLOWED_HOSTS: Injecting custom hosts in password reset emails
No really, consider setting ALLOWED_HOSTS: Unsafe open redirects and the importance of url_has_allowed_host_and_scheme
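As an added illustration of the third item above (a raw query that steps outside the ORM), the following Python example is not from the talk or its demo app. It uses the standard-library sqlite3 module with a constructed in-memory "profiles" table so it runs offline; Django's own raw cursors take the same shape (cursor.execute(sql, params)) but use %s placeholders instead of sqlite3's ?. The vulnerable search builds SQL by string concatenation; the fixed version passes the search term as a bound parameter.

```python
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample data: three profiles, two of them private."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profiles (id INTEGER PRIMARY KEY, username TEXT, is_private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO profiles (username, is_private) VALUES (?, ?)",
        [("tom", 0), ("ashley", 1), ("mario", 1)],
    )
    return conn


def search_profiles_unsafe(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the user-supplied term is spliced into the SQL text.

    A term containing a quote can close the LIKE literal and append its own
    condition, so the is_private = 0 filter is no longer enforced.
    """
    sql = (
        "SELECT username FROM profiles WHERE is_private = 0 "
        "AND username LIKE '%" + term + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_profiles_safe(conn: sqlite3.Connection, term: str) -> list:
    """Fixed: the term travels as a bound parameter, never as SQL text.

    The driver sends the statement and the value separately, so quotes in the
    term are just characters to match against, not syntax.
    """
    sql = (
        "SELECT username FROM profiles WHERE is_private = 0 "
        "AND username LIKE ? ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    db = build_db()
    # Constructed input: closes the quoted LIKE pattern and appends OR 1=1,
    # with "--" commenting out the rest of the original statement.
    hostile = "' OR 1=1 --"
    print("unsafe, normal term:", search_profiles_unsafe(db, "tom"))
    print("unsafe, hostile term:", search_profiles_unsafe(db, hostile))  # leaks private rows
    print("safe, hostile term:  ", search_profiles_safe(db, hostile))    # matches nothing
```

Parameter binding stops the injection but does not neutralise LIKE wildcards: a term containing % or _ still widens the match, so a search feature that cares about that needs an ESCAPE clause as well.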
Each step will introduce in detail how to exploit the vulnerability, followed by patching and validation.
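As an added example for the fifth item in the list (unsafe open redirects), the check below is a simplified stand-in written for this page, not Django's own code: it mirrors the decisions django.utils.http.url_has_allowed_host_and_scheme makes (relative paths allowed, absolute URLs only for hosts in the allow list, only http/https schemes, backslash and control-character tricks rejected) using only urllib.parse, so it runs without Django. The host names and redirect inputs are constructed for the demo; the ALLOWED_HOSTS name is borrowed from the Django setting the talk refers to.

```python
import unicodedata
from typing import Collection
from urllib.parse import urlsplit

# Constructed allow list standing in for the Django ALLOWED_HOSTS setting.
ALLOWED_HOSTS = {"myspace-clone.example", "www.myspace-clone.example"}


def is_safe_redirect(url: str, allowed_hosts: Collection[str],
                     require_https: bool = False) -> bool:
    """Return True only if `url` is a relative path or points at an allowed host.

    Simplified re-implementation of the checks in Django's
    url_has_allowed_host_and_scheme (assumption: not the library's code).
    """
    if url is None:
        return False
    url = url.strip()
    if not url:
        return False
    # Browsers treat backslashes as slashes, so "\\evil" would become "//evil";
    # control characters can likewise change how the URL is parsed.
    if "\\" in url or any(unicodedata.category(c)[0] == "C" for c in url):
        return False
    # "///host" is parsed as a path by urlsplit but as a host by browsers.
    if url.startswith("///"):
        return False
    parts = urlsplit(url)
    # A scheme with no host ("http:///evil") is another browser/parser mismatch.
    if parts.scheme and not parts.netloc:
        return False
    valid_schemes = ("https",) if require_https else ("http", "https")
    if parts.scheme and parts.scheme not in valid_schemes:
        return False
    # Relative path such as "/dashboard": no scheme, no host, so it stays on-site.
    if not parts.netloc:
        return True
    # Compare the whole netloc (userinfo and port included), as Django does,
    # so "allowed.example@evil.example" is not mistaken for the allowed host.
    return parts.netloc in allowed_hosts


def safe_redirect_target(next_url: str, allowed_hosts: Collection[str],
                         fallback: str = "/") -> str:
    """What a login view should do with a ?next= parameter: use it only if safe."""
    return next_url if is_safe_redirect(next_url, allowed_hosts) else fallback


if __name__ == "__main__":
    # Constructed sample inputs a ?next= parameter might carry.
    for candidate in ["/dashboard",
                      "https://myspace-clone.example/profile",
                      "//evil.example/",
                      "http:///evil.example",
                      "\\\\evil.example",
                      "javascript:alert(1)",
                      "https://myspace-clone.example@evil.example/"]:
        print(f"{candidate!r:50} -> {safe_redirect_target(candidate, ALLOWED_HOSTS)}")
```

The useful habit this shows is that the redirect target is never trusted on its own: the view decides between the supplied value and a fixed fallback, and the decision considers the parsed host rather than a substring match, which is exactly why a bare "startswith('/')" check is not enough (it lets "//evil.example" through).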