Web Application Security in Python

DAY 1

Cyber security basics

• What is security?
• Threat and risk
• Cyber security threat types
• Consequences of insecure software

The OWASP Top Ten

• OWASP Top 10 – 2017
• A1 – Injection
•        Injection principles
•        Injection attacks
•        SQL injection
•                SQL injection basics
•                Lab – SQL injection
•                Attack techniques
•                Content-based blind SQL injection
•                Time-based blind SQL injection
•        SQL injection best practices
•                Input validation
•                Parameterized queries
•                Additional considerations
•                Lab – SQL injection best practices
•                Case study – Hacking Fortnite accounts
•        Code injection
•                Code injection via input()
•                OS command injection
•                        Lab – Command injection
•                        OS command injection best practices
•                        Avoiding command injection with the right APIs
•                        Lab – Command injection best practices
•                        Case study – Shellshock
•                        Lab – Shellshock
•                        Case study – Command injection via ping
•                Script injection
•                        Server-side template injection (SSTI)
•                        Lab – Template injection
•        General protection best practices
• A2 – Broken Authentication
•        Authentication basics
•        Multi-factor authentication
•        Authentication weaknesses – spoofing
•        Spoofing on the Web
•        Case study – PayPal 2FA bypass
•        Password management
•                Inbound password management
•                Storing account passwords
•                Password in transit
•                Lab – Is just hashing passwords enough?
•                Dictionary attacks and brute forcing
•                Salting
•                Adaptive hash functions for password storage
•                Password policy
•                        NIST authenticator requirements for memorized secrets
•                Case study – The Ashley Madison data breach
•                        The dictionary attack
•                        The ultimate crack
•                        Exploitation and the lessons learned
•                Password database migration
•                        (Mis)handling None passwords

DAY 2

The OWASP Top Ten

• A2 – Broken Authentication
•        Password management
•                Outbound password management
•                        Hard coded passwords
•                        Best practices
•                        Lab – Hardcoded password
•                        Protecting sensitive information in memory
•                                Challenges in protecting memory
•                        Session management
•                                Session management essentials
•                                Session ID best practices
•                                Why do we protect session IDs – Session hijacking
•                                Session fixation
•                                Session handling in Flask
• A3 – Sensitive Data Exposure
•        Information exposure
•        Exposure through extracted data and aggregation
•        Case study – Strava data exposure
•        Error and exception handling principles
• A4 – XML External Entities (XXE)
•        DTD and the entities
•        Entity expansion
•        Lab – Billion laughs attack
•        External Entity Attack (XXE)
•                File inclusion with external entities
•                Server-Side Request Forgery with external entities
•                Lab – External entity attack
•                Case study – XXE vulnerability in SAP Store
•                Preventing XXE
•                Lab – Using non-vulnerable parsers
• A5 – Broken Access Control
•        Access control basics
•        Failure to restrict URL access
•        Confused deputy
•                Insecure direct object reference (IDOR)
•                Lab – Insecure Direct Object Reference
•                Authorization bypass through user-controlled keys
•                Case study – Authorization bypass on Facebook
•                Lab – Horizontal authorization
•        File upload
•                Unrestricted file upload
•                Good practices
•                Lab – Unrestricted file upload
• A6 – Security Misconfiguration
•        Configuration principles
•        Python configuration best practices
•                Configuring Flask
• A7 – Cross-site Scripting (XSS)
•        Cross-site scripting basics
•        Cross-site scripting types
•                Persistent cross-site scripting
•                Reflected cross-site scripting
•                Client-side (DOM-based) cross-site scripting
•                Lab – Stored XSS
•                Lab – Reflected XSS
•                Case study – XSS in Fortnite accounts
•        XSS protection best practices
•                Protection principles – escaping
•                XSS protection APIs in Python
•                XSS protection in Jinja2
•                Lab – XSS fix / stored
•                Lab – XSS fix / reflected
•                Additional protection layers
•                Client-side protection principles
• A8 – Insecure Deserialization
•        Serialization and deserialization challenges
•        Deserializing untrusted streams
•        Deserialization with pickle
•        Lab – Deserializing with Pickle
•        PyYAML deserialization challenges
•        Deserialization best practices

DAY 3

The OWASP Top Ten

• A9 – Using Components with Known Vulnerabilities
•        Using vulnerable components
•        Assessing the environment
•        Hardening
•        Untrusted functionality import
•        Malicious packages in Python
•        Importing JavaScript
•        Lab – Importing JavaScript
•        Case study – The British Airways data breach
•        Vulnerability management
•                Patch management
•                Vulnerability databases
• A10 – Insufficient Logging & Monitoring
•        Logging and monitoring principles
•        Insufficient logging
•        Plaintext passwords at Facebook
•        Logging best practices
•        Monitoring best practices
• Web application security beyond the Top Ten
•        Client-side security
•        Same Origin Policy
•                Lab – Same-origin policy demo
•                Tabnabbing
•                Lab – Reverse tabnabbing
•        Frame sandboxing
•                Cross-Frame Scripting (XFS) attack
•                Lab – Clickjacking
•                Clickjacking beyond hijacking a click
•                Clickjacking protection best practices
•                Lab – Using CSP to prevent clickjacking

Common software security weaknesses

• Input validation
•        Input validation principles
•                Blacklists and whitelists
•                Data validation techniques
•                Lab – Input validation
•                What to validate – the attack surface
•                Where to validate – defense in depth
•                How to validate – validation vs transformations
•                Output sanitization
•                Encoding challenges
•                Lab – Encoding challenges
•                Validation with regex
•                Regular expression denial of service (ReDoS)
•                Lab – Regular expression denial of service (ReDoS)
•                Dealing with ReDoS
•        Files and streams
•                Path traversal
•                Path traversal-related examples
•                Lab – Path traversal
•                Additional challenges in Windows
•                Virtual resources
•                Path traversal best practices
•                Format string issues
•        Unsafe native code
•                Native code dependence
•                Lab – Unsafe native code
•                Best practices for dealing with native code

JSON security

• JSON injection
• Dangers of JSONP
• JSON/JavaScript hijacking
• Best practices
• Case study – ReactJS vulnerability in HackerOne

Wrap up

• Secure coding principles
•        Principles of robust programming by Matt Bishop
•        Secure design principles of Saltzer and Schröder
• And now what?
•        Software security sources and further reading
•        Python resources