DjangoCon US 2018 – Unique ways to Hack into a Python Web Service by Tilak T

(bright folk music) – Hi everyone, thank you for attending my talk I know you are all sleepy because just now you had lunch, so that’s why I won’t talk too much I have a lot of demos to show you guys before this, so thank you, once again So today, I’m gonna talk, and the topic is unique ways to hack into Python web services So don’t worry, I’m not a hacker, I’m just a basic developer, like how you are I’m a full stack developer, so I work at we45 Solutions Then I’m also a developer of an open-source project called Orchestron, that’s a vulnerability correlation engine, so we correlate multiple twos, one liability and I’ll show you our dashboard in that we’ll show some of the examples so that the developer can fix the one liability, so that kind of stuff How many of you know Threat Modeling? So if you know Threat Modeling, this is one of the first to the route, automated Threat Modeling So this is also an Open-Source analyzer and I’m a contributor of that, so you can check it out there And also I’m a part of Devcon, so this is my Twitter handle, you can follow me So, agenda So, in today’s introduction to web services, I’ll talk about, what is web services, and what types of web services are available So, just basic introduction So, what are the common vulnerabilities in web services, so what are those vulnerabilities, I’ll talk about that After that, I’ll go into unique vulnerabilities, what are those unique vulnerabilities are found in web services, and also how to mitigate some of the unique vulnerabilities And also I have a lot of demos to show you guys I hope the demo will work fine, because you guys know, right, once you develop the product, when we want to show the client, that time it won’t work (laughs) Right? I hope today it will work fine So what is web services? Show how many of you are attending this today Django REST framework authentication talk? Yeah, then you know web services So basically, what is web services, means it’s like centralized back-end services, so it’s like machine-to-machine, it transfers information over exchange So, for example, if you’ve written an application back-end in REST framework, if you want to integrate front-end in Vue.js or React.js, you can do that So and also, if you want to write mobile application, maybe if you want to, like Java, it’s written in Java, you can write it Still, it’s centralized, so how it looks like means you can see, blue color is REST framework part, and these are all front-end, you can write centralized applications, so you can do that That’s why REST frameworks are very popular nowadays What other types of web services are available? So one is SOAP-based web services, another one is RESTful web services I won’t talk about SOAP-based web services, because SOAP is basically Java-related So, RESTful web services is a lightweight web service, it transfers information by HTTP protocol, and also, one of the good things in a REST framework is it supports multiple data formats It supports XML as well as JSON format Next, what RESTful web frameworks are available in Python? So, you guys all know Django REST Framework, right? So also, Flask is a, Falcon, Pyramid, CherryPy, Bottle and many more frameworks are available But most popular one is Django REST Framework and Flask So, what are common vulnerabilities in REST framework? So, SQL injection, cross-site scripting, CSRF and session hijacking, these are all common vulnerabilities we are seeing in our web services So, you know Django prevents some of these vulnerabilities, how many of you know this prevents some of these vulnerabilities in Django? Okay, nice, so actually Django prevents SQL injection and cross-site scripting, CSRF forgery, and also session hijacking If you’re using Django, these are all vulnerabilities it’s not possible to attacker can do SQL injection

in Django application If you say, we have written our application in Django, pen tester, they will say, really, then we can’t find SQL injection Because we are an information security company, we know our testers, how they feed back, it won’t when given Django application So because how Django prevents some of these attacks because of its rich middleware Django has a middleware, so I like Django because the unique way they’ve thought of security Other frameworks, they didn’t thought about security Django is, I’m not saying this because this is a Django conference, I started programming using Django and Python, so when I was learning Django and Python, it is so easy to use, it’s like, Django.py, start project, and start app, your app is ready So, so simple, they made it so simple and user-friendly So because of that, and also they thought of security-related, like the inside middleware, if any request or response comes, it transfers via middleware So that it checks, is there any malformed injection or something any requests are coming, it checks if there is anything malformed or anything, it’s not related to the application, it rejects the request from there itself Or if any unauthenticated user contacts to the server, it rejects there itself So, that’s why Django is most popular So some of us, we don’t know because of, we just dial up the application, that’s it, we don’t know about how Django works So this is why Django is most popular And what about these vulnerabilities? So if you are using Django REST framework, this is the stateless application, right? It’s completely decoupled, from front-end is different, back-end is different So because of that, we need some authorization to authorize So because of that, we use, some of use JWT, if you attended yesterday’s talk, you know what is JWT So this means, what about JWT manipulation, we can do that, and XML External Entity, then IDOR, then Server-Side Template Injection, there are many more vulnerabilities out there So these are all vulnerabilities we can do that This is not a Django flaw, this is basically an architecture flaw When we design the application architecture, we are to take care of, these are all flaws So we should make sure that our, these are all flaws when we’re architecturing the application So first one I am talking about is JWT manipulation So we follow OWASP standards, how many of you heard about OWASP? That’s good So OWASP means there’s an Open Web Application Standard Programming, this is an open source project, so where they, so ELER4ES, they will collect the vulnerabilities or attacks, based on that, they make a standard as to vulnerability, they make top 10 vulnerabilities based on that So in that, broken access is a JWT manipulation will come in A5, that’s broken access control So why JWT is required, as I mention, (laughs from audience) so, as I mentioned, JWT is required because of, it’s a stateless application So we have one common understanding about JWT, we think that it’s an authentication mechanism Actually, JWT is not an authentication mechanism, it’s an authorization mechanism So once we’ve authenticated the application, so next time the user, if he wants something information about product, or some user information, so he needs to extend the JWT, so we can authorize if he’s a valid user or not So that’s why we use JWT So it transfers information between server to client and server too, server to client and client to server So it is very lightweight, JWT is, there are many more frameworks that are available but JWT is most popular because it’s lightweight, and it’s scalable also So JSON web token look like this, basically So if for example headers will be there This header’s is algorithm, it’s like JWT has assigned, it’s not encrypted, it’s signed with unique ID So that if attacker, if he wants to tamper, he can’t tamper Because if you want to tamper, he needs a unique ID Then only he can tamper with JWT So JWT looks like, I’ll show you, this is the JWT.io, this is the one you can see

So this is header, so in this header you can see the algorithm So algorithm, there `are two types of algorithm available So he has access 256, and will run it, RSA RSA means it’s like public and private key So, it’s encrypted with public key, if you’re private key, if you want to decrypt, you need a private key Then only it will decrypt the information So, in the payload section, you are passing the information, or data, so that is the user ID, username, email or role So when you are decrypting, you can validate, is the user or role existing or not? Next one is, as I mentioned, signature So, unique ID signature, you assign the written unique signature So, we think JWT’s secure, right? Because no one can tamper with JWT But it’s wrong, JWT, there are many ways JWT can make wrong So first one is, if algorithm allows, it’s like, for example, if it is none signature, if it is allows, the signature is none, it’s like signature that has nearly a unique ID If unique ID doesn’t exist, if the framework allows none algorithm, then it will be flawed So, next one is, there are algorithm confusion Algorithm confusion means, JWT allows, two types of algorithm, one is HS256 and 256, another one, RSA For example, if when user asks, they are authenticated to the server, it encrypted where using RSA256 When the client receives that is encrypted with ID, RSA256 When client sends back to the unique identity to the server, it is boundary three, it is 256 So it is like algorithm, this one, algorithm confusion Next one is unique private claims So for example you should validate generally based on someone’s unique ID, like using email address or unique ID You should validate based on that There’s a recent attack happened in JWT, how many of you know Auth0? Okay So Auth0 basically is centralized authentication mechanism, centralized authentication like AWS Cognito So because of they had a one fly in JWT, so they compromised so many users’ information So this is a recent attack So, I am praying to God, I hope demo will work (audience laughs) You can see, everyone, no? Now? Okay Clear? Okay, so there a list of users are available here There are two users started So, one is super user, another running admin user So what I will do now, so there is a Tilak one, username is tilak, so I will take Tilak’s token So, this is Tilak’s token So what I will do, copy this and JWT.io so now I can see the information, you can, right? Okay, so this user ID is 5, then username is tilak, then email address is tilak@we45.io, right? So now what I’ll do, I’ll copy this token, and I’ll paste it somewhere Now, Tilak wants to change his username Instead of tilak, he wants to change his username to tilak.t I don’t know, some reason, he wants to change his username So what I’ll do is, I’ll update his username So his username is tilak.t So now what I will do, I’ll create another user So his email address is different, tilak.t@we45.com But username is tilak So what I’ll do, I’ll create user, okay? So now I’ll copy this token, belongs to

tilak.t@we45.io, right? If I use this token, it should not give me the list of products, because the username tilak, that tilak.t@we.45.io, he changed his username, so it should not allow, right? Because I’m using this token, because this is the tilak.t, his username is tilak So what I’ll do for you is, still is accepting So if you didn’t get it, I’ll show you again So I’ll get a token off tilak.t, is a renamed, username I changed, I’ll take his token So I’ll copy his token into JWT This is actually his token So, which user I created, tilak.t@we45.com, so if you want to authenticate within the application, he should require JWT For that, you should authenticate, right? He didn’t do that We thought authenticating the server, he’ll get the access off the server, because he used other person’s token So what you have to do, basically, so you have to always, once username is changed, you should destroy his old token Or you should bind unique IDs using email ID or any some of, you have to generate some unique ID or something You have to do, based on that, you have to validate Okay? So, how to mitigate, as I mentioned, you have to validate based on unique ID And also JWT lifetime, it should be shorter So basically we miss this one It’s like we use default lifetime, it should not be more than eight hours It should be lifetime shorter than eight hours, so that we can prevent some of these attacks And also check library flaw, I have not made any single changes in this code I have used Django REST framework JWT And that has a flaw, this is because Django REST framework JWT using username-based, it is validating So someone has mentioned but they didn’t still fix this So I use same thing here, I have not changed any code Be careful when you are using libraries Make sure to check library, any issues are there, then you can use in your applications So that you can prevent these attacks, because these are not your development projects, these are library flaws, okay? Next one, insecure deserialization flaw, this is the one I like, this one, actually So, because in 2013, more or less 2013, this deserialization flaw, it was not at all there Because in 2017 they included, because of the insecure deserialization, attacks or breaches happened a lot Because of that, they included in the 2017 OWASP category They made a separate category for insecure deserialization So what is serialization and what is deserialization means? Serialzation means it converts object into a binary For example, when eCommerce website will be there, so vendor, he wants to upload his products, so he can’t create a number of products, so it takes time For that purpose, we’ll create some of the YAML file So in that file, he will create add user product name, product price, description, something, he will add some information When we upload the YAML file, so when we resume, so that is called serializing It converts objects into a binary So once it’s in our views.py, then we will extract that mess, we will deserialize it That makes binary too, we will convert binary into an object, so that we can read and then we can save into our database So in that case, if you have not validated what is coming, what is coming, is there any malformed information is going on, or something, if you have not validated properly, then it will be looks like this It’s like bad eggs chicken It’s like completely malformed So, because of this, the attacker,

he can access your application server completely And also, he can make your application completely DDOS, that means Denial of Service, so the user can’t use your application So, there’s a recent attack happened in WordPress So many website has been compromised because of some of the plugins, WordPress plugin has this serialization flaw Because of that, so many a website has been compromised Another one is PayPal PayPal was using Java Because Java, some of the Java serializer has some of these flaw, because of that, PayPal also has been hacked Ah, I know, Django is secure, right, as I mentioned? (laughs from audience) Yes, of course Django is secure But, what about this? We use some of the serialization, right? XML we will use, YAML we use, and JSON we use, right? How many of you have used PyML? Okay, that’s cool, not bad So, how many of you has tried Tavern? How many of you know Tavern? Tavern is basically REST framework’s testing API So, in this, this is an open source project, in this we found a vulnerability, we didn’t inform them, but we found the vulnerability in this I will show you how So So I’ll upload one YAML file, and that contains name, name of the product, then category, this is a bad code, I’m so sorry This is description of the mobile, then price, available, and stock and image This is the basic normal, this is the YAML file I should upload, so I’ll upload now, All right It’s created, so let’s go to, List of products, it’s created, right? So, this is the way that clients should upload YAML file So what if I’m a bad boy, I will do something else, because of this, I’ll do something So what I will do, I will try to do, get some of the environment variable, so it’s like, back-end, is it validating or not, I will check So for that, what I will do, so this is a malicious payload, okay? It’s clear? So, in the description section, I will add one Python small script, this is, so one line code I will printenv, so what this is, how many of you know printenv means? It produces an environment variable of the server, right? So if you are saving anything, information like password, so we will save it in the environment variable, if you have deployed any application, if you know why we will use the environment variable So we use to say password, or something informational So I will try to, I will try if it is possible to get it back or not So now, it’s scanning the environment variables You can see it, right? Here’s some MySQL server DB, MySQL host MySQL DB’s showing, because I’m using Docker Compose, so that’s why MySQL DB is showing So it’s showing internal environment variables So now I know that in back-end, I’m not validating anything It’s like, I can do any activities, I can do now reverse shell access Reverse shell means, I can compromise the server, so I can gain the access in my local system I’ll set up on local server, I will contact that server then I’ll gain the shell access in my local system It should not do, actually If it does, then your application is gone It’s like, done, so we’ll try that one So for that, I’ll set up Netcat Strange How many of you Netcat? So I am sitting on local server here, Netcat

So if then, in my malicious code, this is the reverse shell code And before that I have to check my IP of my local system, because I want to, I want it, shell access in my local system That server’s shell access, I want So for that, I want, I’ll actually complete This is my IP, so, this is single line shell code execution So, this is a single line Python code, this one is So I’ll get my IP here, and port is 1337, okay? So Netcat is running 133, yes, 1337, Netcat is running 1337, right? So now, so this is the reverse shell, this is the YAML file I uploaded, I updated, sorry So now I will upload So if I come to this, see now, I have complete server access Completely Now I can do whatever I want, right? So write cat etc/, boss, sorry, cat/etc, I have now password etc, so in Ubuntu, all passwords are stored in etc directly, right? So now I have all users’ password So now attacker can do whatever he wants, like he can compromise, he can block your application completely Okay, how to mitigate this, right? Where does the problem happen in this case? I’ll show you, this is a single line code problem, One line code, because of that, our entire application server has been compromised, because of one line of code If anyone used YAML, they’ll know, I’ll show you the code Because of YAML.load, in a way it’s correct, YAML.load, it loads the information, and it’s just dumped into the database, it won’t validate, is it valid, malicious activities or nothing, it won’t check nothing It just dumped into database, it requests some dump, whatever the information comes, then it’s dumped into the, that’s it So, when we are deserializing it, you should deserialize based on, you should integrate the checks based on the digital signature And also, you should, when you are serializing, make it isolated environment, use containers So use container, and also make sure that container should be normal user, not as a root user If you are using root user, then he can compromise your whole system as well as, so be careful, when you are using, isolating, make sure that he’s a normal user, so that if attacker can compromise that, he will be in that container box only, he can’t access the whole system Next, monitor incoming and outgoing outputs So how many of you have heard about recent Facebook breach? If you heard about, because their monitoring system was, they’re good, because of that, they avoided the major breach Then, this is what, instead of YAML.load, you use YAML.safe_load, that’s it, so that you can prevent this attack if you are using YAML file And also another way is, I’ll show you how to prevent these attacks So, how many of you know Bandit, sass two? So, use Bandit, Bandit means it’s a source core analysis It analyses core, if it finds any vulnerability in your core, it will say that you have a vulnerability in this line, so please fix this So we can do it, this one, using Git post-commit hook So if you’re integrating that,

so that we can prevent some of these vulnerabilities, I will show you how Let’s do this, I have something open Okay, some changes I, (laughs) some changes I made, So in fact when I’m commenting, it scans So this is before pushing in to the repository So, before pushing into your repository, you can scan It says, the vulnerability it found, so please fix this vulnerability This is, no, is something, Yeah, this is the one Yeah, see here, in line number 119, yaml.load you are using, so it says So that if you are using, use Git post-hook so that you can prevent some of the attacks Next one is IDOR, Insecure Direct Object Reference So how many of you know what IDOR means? It’s a shorter format, okay, so one hand, okay I think security’s low, oh right So, IDOR isn’t robust as as a JWT broken access Control-H command, so how many of you used pkid in the URL? As a Django developer, you should know, right? Yeah, same, I also use same pkid So, while using that, we should be careful when you are using it For example, user profile, if we want to access someone’s user profile, what we will do, in the URL we’ll pass pk, right? So that we can validate in our back-end, we can validate pk, so user.objects.get, I’ll show you like this, this is what we are using, right? Ah, pk, we are getting pk value, then we are validating a user.objects.get id call to pk, then we are showing this information to the client So if you are not properly validating, then the attacker can change the super user’s email ID or password, he can change So how, so far that you can prevent using that if it in Django, there is a good thing I like in middleware, request.user, you can get who is the requester, you can get, so based on that, we can validate them So we can, I’ll show you a demo, you’ll get to know how it works How many of you heard about Yahoo breach in 2014? No one, okay, 2014 Yahoo breach has happened because this was small mistake what he made, developer That’s in sub-domain suggestion.yahoo.com, because if he can browse others’ user profile, so he got 1.5 million user’s records So I’ll show you demo how it works (audience laughs) So this is, the username is 2, okay? So what I will do, so, I don’t want to create passwords, so I’ll just copy and paste it So, Tilak is a normal user, so now what I’ll do in this case is id, technically, he’s ID 7, right? You’re able to see, right, 7 ID? So instead of 7, what he does, he changes fifth one ID Fifth one is admin user ID He changes user admin ID using his token, I’ll take his token This is normal Tilak’s token So now, he will change email, is admin@we45.com,

the username is djangocon, he will make it change It should not accept, right? So this is the current username You are able to see? I can’t zoom, I can’t don’t think, so So, have time constraint, I’m so sorry So I will change it, it’s accepted So if you go into database, you see Now there is no tilak username, he’s an admin But I changed it just djangocon and also I changed tilak.t@we45.., instead of that, I changed it to admin@we45.com So now if I am admin@we45.com, now I can access applications So, how do we mitigate this, as I mentioned, Django has a good thing that validate by requesting requester, instead of directly sending pk, just validate, request.user.id, is a valid user or not, so that you can avoid such kind of things Next, check database that genuine or not, as I mentioned, same thing I’ll skip, I don’t think I have time So some of tips I’ll lose because I don’t have time, constraints I have I had made lot of them, as I’ll just keep notes, so sorry I’ll share with you anyway So, use SCA, Source Composition Analysis, that means it scans your packages, so if you are finding any vulnerabilities in your packages, it says, this vulnerability exists in this version, please upgrade this version that Source Composition Analysis says, use that one Also use SAST as I shown, use Bandit, use that one for Python, so if there are any vulnerabilities there in our code, so that we can prevent these attacks And also run DAST, use ZAP, that’s an open source project So it use a good API, so we can integrate in our, as a developer, we are allowed to use APIs, right? No, okay (laughs from audience) I allowed to use the APIs Okay, please try, is really good So, include security testing in your DevOps pipeline If you are using Jenkins or Travis, anything, so use this pipe, make it as a pipeline, so I have, how many of you have Robot Framework, or how many of you heard of Robot Framework? None, okay So, Robot Framework is like Selenium ‘Cause like Selenium, you have to do xpaths, like, blah blah, you have to do so many things, right? In Robot Framework, we have to do like markdown extensions, Run Disk ZAP, Run Bandit, that’s it, it will take care of everything So that’s a very easy, I will show you how it looks like I have a basic demo also, in 10 minutes I’m not sure Okay, I’ll show you This is the Robot script You are able to see, right? So, this is the Robot ZAP, it runs ZAP, then it’s like, I am using Safety as a file Source Composition Analysis, I commented Bandit because it takes time, if you read all my code, it takes time So just I commented that And ZAP will run the scan, ZAP is basically a pen test user tool to scan your application So here I am using the ZAP, so we will run the ZAP script, I hope it works Right? So this is the running of the simple, so simple, right, this is using Robot Run CFD again, as we comment, then use this part, that’s it Run ZAP, you have to give the xpath In Selenium, you have to give xpath like so many things I didn’t learn ZAP, it was Selenium, I hate that one, it’s too complicated to run ZAP So that’s why I love this Robot script So, I’ll run this As I mentioned, some problem has happened Yeah, I’m so sorry, spelling mistake, so sorry (audience laughs) So, now all we do is start ZAP, you can see, ZAP is starting now So, this is the ZAP if you are not familiar with ZAP, this is the basically, penetration testing, the team, they use ZAP and Bub the most So they test it against your application and they find one vulnerability, and they give a report to you, right?

No? Okay So you can see now, it’s automatic, see it’s set to the context, now we can see, some action’s been going on here See, just hang on So it will scan like this So, why, just my suggestion, I am sharing this script in GitHub, please use this And either I am doing a written script but it’s not working, I am still working on that, once it is done, I will update in GitHub, please use this script in your daily business world, or in application development, so that you can prevent some of the vulnerabilities So this is what the queues, and also Robot gives a report, it’s really good, HTML report it gives you, so, this is one of the reports It gives a really good report, you can check it out And also, now our safety has written, so PyYAML has a flaw, please fix this, gunicorn has a flaw, you have to fix that, it says And also Bandit has some of problems, this is Bandit giving results So, you can check out these results So, this ZAP has gave you some of their results, like medium, what is the one vulnerability name? What is the request, what is the response, so, so that using this, you can prevent some of the attacks And I’m sharing with you in this link, please have a look, and also, if you or anyone interested to contribute with our Orchestron or Threat Playbook, please And this is my Twitter link and thank you so much for your patience, I hope you like this (applause) – [Male Audience Member] Just a really fast question, you mention a time lifespan, – Yeah, okay – [Male Audience Member] For tokens, what’s your recommendation for a short lifespan? – Make it lifetime shorter, make it a maximum six to eight hour Once the user is not logged, user is deleted, or he’s changed username or something, his activity is done, please make sure that you make JWT as a reward You generate new JWT token, so that’s a good way, so that we can avoid some of these attacks – [Audience Member With Accent] Nice talk – Thank you – Whatever you showed here, is it specific to Django, or can you apply this to any other web framework? – In any other framework you can upload, this is actually Django talk, so that’s why I showed Django-related stuff, so you can do it in, if you’re using Java, if you’re using .Net you can do it, it’s very simple So ZAP doesn’t care, is it a Django, only I will do Django-related, I find, I will, we don’t do that It’s like tools, right, you can do any applications in any programming language – Let’s thank Tilak again – Thank you – for the incredible presentation