cs1520 recitation security in flask
play

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents - PowerPoint PPT Presentation

Mar 17, 2023 •332 likes •626 views

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/ Plan for Today XSS (Cross Site Scripting) CSRF (Cross-Site Request Forgery) SQL

  1. CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/

  2. Plan for Today ● XSS (Cross Site Scripting) ● CSRF (Cross-Site Request Forgery) ● SQL Injection ● Authentication and Authorization

  3. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  4. XSS ● Cross Site Scripting (XSS) ○ Attack that tries to have your websites or applications load malicious script in your browser

  5. XSS ● Cross Site Scripting (XSS) ○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc.

  6. XSS ● Cross Site Scripting (XSS) ○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc. ○ Can avoided by escaping text and validating user input.

  7. XSS ● In Flask, by default it configures Jinja2 to auto escape all values loaded in the page. http://jinja.pocoo.org/docs/dev/extensions/#autoescap e-extension)

  8. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2

  9. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files

  10. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user

  11. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user ○ always quote the attributes values in your templates.

  12. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  13. CSRF ● Cross-Site Request Forgery (CSRF) is an attack that uses the user’s authentication credentials to execute unwanted actions. ● To against CSRF, you can use random string and to verify it against a hidden field in post.

  14. CSRF source: http://flask.pocoo.org/snippets/3/

  15. CSRF ● Put this in your template: source: http://flask.pocoo.org/snippets/3/

  16. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  17. SQL Injection ● SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server.

  18. SQL Injection ● SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server. ● This SQL query can be anything and can be very harmful.

  19. SQL Injection ● SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server. ● This SQL query can be anything and can be very harmful. ● Your application can be exposed to this attack when you dynamically create SQL statements. ○ e.g., concatenating data based on user’s input

  20. SQL Injection ● By default SQL Alchemy quotes special characters – semicolons or apostrophes.

  21. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  22. Authentication and Authorization ● Authentication ○ verifies the user’s identity by validating his/her credential (username / email, password) ● Authorization ○ verifies whether authenticated user has access to a given resource

  23. Flask-Security ● Flask-Security uses internally a User and Role data model, that could be defined via the SQL Alchemy API. ● You can inherit Flask-Security’s User and Role MixIn class to build your own.

  24. roles_users = db.Table('roles_users', \ db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), \ db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) class Role(db.Model, RoleMixin): id = db.Column(db.Integer(), primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) def __init__(self, name): self.name = name source: https://damyanon.net/post/flask-series-security/

  25. class User(db.Model, UserMixin): id = db.Column(db.Integer, primary_key=True) email = db.Column(db.String(255), unique=True) password = db.Column(db.String(255)) active = db.Column(db.Boolean()) roles = db.relationship('Role', secondary=roles_users, backref=db.backref('users', lazy='dynamic')) def __init__(self, email, password, active, roles): self.email = email self.password = password self.active = active self.roles = roles source: https://damyanon.net/post/flask-series-security/

  26. Flask-Security ● The User class derives from UserMixin Flask-Login default user implementation. Same for Role class. ● SQL Alchemy is used for both User and Role objects. ● Following configurations is added to use Flask-Login with SQL Alchemy

  27. def configure_app(app): ... # Configure Security user_datastore = SQLAlchemyUserDatastore(db, User, Role) app.security = Security(app, user_datastore) ... ● Complete explanation of Flask-Security configuration is here: https://pythonhosted.org/Flask-Security/configuration.html source: https://damyanon.net/post/flask-series-security/

  28. Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

CS1520 Recitation: Flask 2: Templating Jeongmin Lee Plan for Today Templating in Flask

CS1520 Recitation: Flask 2: Templating Jeongmin Lee Plan for Today Templating in Flask

CS1520 Recitation: Flask 2: Templating Jeongmin Lee Plan for Today Templating in Flask Jinja Tags Control Flow Static Files Templating In previous example Everything to show from flask import Flask app = Flask(__name__)

310 views • 16 slides
CS1520 Recitation: RESTful Flask Jeongmin Lee Plan for Today Install RESTful-Flask

CS1520 Recitation: RESTful Flask Jeongmin Lee Plan for Today Install RESTful-Flask

CS1520 Recitation: RESTful Flask Jeongmin Lee Plan for Today Install RESTful-Flask Simple Example Resourceful Routing Add resource Argument Parsing Data Formatting Full Example Install Flask-RESTful >> pip

717 views • 35 slides
CS1520 Recitation: Flask 1 Jeongmin Lee Plan for Today Install Flask and Run First Program

CS1520 Recitation: Flask 1 Jeongmin Lee Plan for Today Install Flask and Run First Program

CS1520 Recitation: Flask 1 Jeongmin Lee Plan for Today Install Flask and Run First Program Routing Variable Rules Installing Flask Start with Virtual ENV 1. Install Virtual Environment first pip install virtualenv Start with

471 views • 28 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web framework written in Python First release was in 2010 Current version (1.1.1) was released in July 2019 Currently powers LinkedIn and

278 views • 8 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Using Templates to Generate Views in Flask Jinja2 templating

CS/COE 1520 pitt.edu/~ach54/cs1520 Using Templates to Generate Views in Flask Jinja2 templating

CS/COE 1520 pitt.edu/~ach54/cs1520 Using Templates to Generate Views in Flask Jinja2 templating language Jinja templates are simply text files Include Jinja tags that will be expanded when the template is rendered Here, we'll

381 views • 8 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Developing Models in Flask Database overview Our models

CS/COE 1520 pitt.edu/~ach54/cs1520 Developing Models in Flask Database overview Our models

CS/COE 1520 pitt.edu/~ach54/cs1520 Developing Models in Flask Database overview Our models are going to represent the state of a database that contains all of the data used by our web application We'll assume the use of transactional

515 views • 17 slides
CS1520 Recitation: Python Jeongmin Lee Plan for Today String functions Tuples

CS1520 Recitation: Python Jeongmin Lee Plan for Today String functions Tuples

CS1520 Recitation: Python Jeongmin Lee Plan for Today String functions Tuples Dictionaries List Manipulation Note that this slide is largely based on the Python Cheat Sheet distributed at

694 views • 41 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 AJAX Where we stand so far With JavaScript, we said that

CS/COE 1520 pitt.edu/~ach54/cs1520 AJAX Where we stand so far With JavaScript, we said that

CS/COE 1520 pitt.edu/~ach54/cs1520 AJAX Where we stand so far With JavaScript, we said that we wanted to build dynamic web applications E.g., your battleship game With Flask, we started to utilize client/server interactions

570 views • 21 slides
CS1520 Recitation: Ajax Jeongmin Lee Plan for Today Introduction How does it work

CS1520 Recitation: Ajax Jeongmin Lee Plan for Today Introduction How does it work

CS1520 Recitation: Ajax Jeongmin Lee Plan for Today Introduction How does it work XMLHttpRequest Object Send Request Get Response Example: Get CD Plan for Today Introduction How does it work XMLHttpRequest

971 views • 49 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality

CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality

CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality Keeping information secret from those who should not be able to see it Integrity Two portions: Data integrity: has the content of

680 views • 19 slides
CS1520 Recitation: VirtualENV Jeongmin Lee What is it Virtualenv is a tool to create isolated

CS1520 Recitation: VirtualENV Jeongmin Lee What is it Virtualenv is a tool to create isolated

CS1520 Recitation: VirtualENV Jeongmin Lee What is it Virtualenv is a tool to create isolated Python environments What is it Virtualenv is a tool to create isolated Python environments environments : version, dependencies, packages

400 views • 15 slides
Web Development with Flask and the Raspberry Pi Leading by Example CU A U H T E M O C CA R B A J

Web Development with Flask and the Raspberry Pi Leading by Example CU A U H T E M O C CA R B A J

Web Development with Flask and the Raspberry Pi Leading by Example CU A U H T E M O C CA R B A J A L I T E S M C E M 2 2 / 0 4 / 2 0 14 Introduction Flask: lightweight web application framework written in Python and based on the Werkzeug

478 views • 45 slides
Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris

Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris

Moving FLASK to BSD Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris Vance Information Systems Security Operation, SPARTA, Inc. Vance_20060301_01 Overview Overview Security Frameworks A

610 views • 22 slides
Flask Data Manipulation in Python 1 / 12 Flask Pythons built-in web server is nice, but

Flask Data Manipulation in Python 1 / 12 Flask Pythons built-in web server is nice, but

Flask Data Manipulation in Python 1 / 12 Flask Pythons built-in web server is nice, but serious web development is done using a web framework. Web frameworks typically provide: Routes, which map URLs to server files or Python code

622 views • 12 slides
MICROALGAE CULTURE (4) BIO301 Dr Navid Moheimani Prof Michael Borowitzka Flask Cultures Flask

MICROALGAE CULTURE (4) BIO301 Dr Navid Moheimani Prof Michael Borowitzka Flask Cultures Flask

MICROALGAE CULTURE (4) BIO301 Dr Navid Moheimani Prof Michael Borowitzka Flask Cultures Flask Cultures Carbuoy Tubular Airlift Reactor Commercial-Scale production Systems Open ponds Hutt Lagoon; WA Whyalla; SA Dunaliella &

3.94k views • 39 slides
BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski

BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski

BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski EuroPython 2016 ABOUT ME My name is Micha Karzy ski (thats Polish for Mike) I blog at http://michal.karzynski.pl Short URL:

495 views • 34 slides
Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel

Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel

Internet Security [1] VU 184.216 Engin Kirda engin@infosys.tuwien.ac.at Christopher Kruegel chris@auto.tuwien.ac.at Outline Web Application Security, Part II Today, we continue from where we left last time. We look at further

508 views • 35 slides
SSP - Web Security with Adam & Ryan <;'"}()[]>{ XSSFish says, "Swim wif

SSP - Web Security with Adam & Ryan <;'"}()[]>{ XSSFish says, "Swim wif

SSP - Web Security with Adam & Ryan <;'"}()[]>{ XSSFish says, "Swim wif us" Todays Topics Sessions Why do we need them? What weaknesses can attackers take advantage of? Cross-site Scripting

380 views • 37 slides
eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks

eb Security Software Studio yslin@DataLAB 1 Common Security Risks Brute-Force Attacks SQL Injections Cross-Site Scripting (XSS) Cross-Site Request Forgery (CSRF) 2 Common Security Risks Brute-Force Attacks SQL

1.66k views • 141 slides
Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network

Web Security Thierry Sans Securing the web architecture means securing ... The network The operating system The web server ( Apache for instance) The administration server ( SSH for instance) The database ( Oracle for instance)

1.37k views • 61 slides
iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University

Chair for Network Architectures and Services Department of Informatics TU Mnchen Prof. Carle iLab2 WWW and Application Layer Security with friendly support by P. Laskov, Ph.D., University of Tbingen Recap: Internet Protocol Suite

755 views • 41 slides
Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal

Web (In)Security: Remediation Efforts - Status and Outlook Jeff Hodges Andy Steingruebl PayPal February 2011 Overall Agenda The Current Web Has Some Holes Help is On The Way (Some Anyway) Solving Real World Problems Still A Ways To Go 2

971 views • 39 slides
Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th

Secure Programming Laboratory 4: Web Attack SP Demonstrators: Arthur Chan / David Aspinall 20th March 2019 Orientation This is the fourth Laboratory Session for Secure Programming It is convened by Arthur and David. The handout and other

441 views • 8 slides
Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do

Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do

Bonus slides Confused Deputy Problem Original exam ple Norm al output file Request: 1. Do action 2. Write results to Im portant server file Client Server Response: OK Im portant server file Original exam ple ( 2 )

237 views • 8 slides

More recommend