CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents - - PowerPoint PPT Presentation

▶

Mar 17, 2023 332 likes •628 views

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/ Plan for Today XSS (Cross Site Scripting) CSRF (Cross-Site Request Forgery) SQL

SLIDE 1

CS1520 Recitation: Security in Flask

Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/

SLIDE 2

Plan for Today

XSS (Cross Site Scripting)
CSRF (Cross-Site Request Forgery)
SQL Injection
Authentication and Authorization

SLIDE 3

Plan for Today

XSS
CSRF
SQL Injection
Authentication and Authorization

SLIDE 4

XSS

Cross Site Scripting (XSS)

○ Attack that tries to have your websites or applications load malicious script in your browser

SLIDE 5

XSS

Cross Site Scripting (XSS)

○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc.

SLIDE 6

XSS

Cross Site Scripting (XSS)

○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc. ○ Can avoided by escaping text and validating user input.

SLIDE 7

XSS

In Flask, by default it configures Jinja2 to auto escape

all values loaded in the page. http://jinja.pocoo.org/docs/dev/extensions/#autoescap e-extension)

SLIDE 8

XSS

More considerations for securing your applications

w.r.t XSS: ○ avoid generating html without Jinja2

SLIDE 9

XSS

More considerations for securing your applications

w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files

SLIDE 10

XSS

More considerations for securing your applications

w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user

SLIDE 11

XSS

More considerations for securing your applications

w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user ○ always quote the attributes values in your templates.

SLIDE 12

Plan for Today

XSS
CSRF
SQL Injection
Authentication and Authorization

SLIDE 13

CSRF

Cross-Site Request Forgery (CSRF) is an attack that

uses the user’s authentication credentials to execute unwanted actions.

To against CSRF, you can use random string and to

verify it against a hidden field in post.

SLIDE 14

CSRF

source: http://flask.pocoo.org/snippets/3/

SLIDE 15

CSRF

source: http://flask.pocoo.org/snippets/3/

Put this in your template:

SLIDE 16

Plan for Today

XSS
CSRF
SQL Injection
Authentication and Authorization

SLIDE 17

SQL Injection

SQL Injection is an attack where users can inject SQL

commands via user input form and have them executed on the server.

SLIDE 18

SQL Injection

SQL Injection is an attack where users can inject SQL

commands via user input form and have them executed on the server.

This SQL query can be anything and can be very

harmful.

SLIDE 19

SQL Injection

SQL Injection is an attack where users can inject SQL

commands via user input form and have them executed on the server.

This SQL query can be anything and can be very

harmful.

Your application can be exposed to this attack when

you dynamically create SQL statements. ○ e.g., concatenating data based on user’s input

SLIDE 20

SQL Injection

By default SQL Alchemy quotes special characters –

semicolons or apostrophes.

SLIDE 21

Plan for Today

XSS
CSRF
SQL Injection
Authentication and Authorization

SLIDE 22

Authentication and Authorization

Authentication

○ verifies the user’s identity by validating his/her credential (username / email, password)

Authorization

○ verifies whether authenticated user has access to a given resource

SLIDE 23

Flask-Security

Flask-Security uses internally a User and Role data

model, that could be defined via the SQL Alchemy API.

You can inherit Flask-Security’s User and Role MixIn

class to build your own.

SLIDE 24

source: https://damyanon.net/post/flask-series-security/ roles_users = db.Table('roles_users', \ db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), \ db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) class Role(db.Model, RoleMixin): id = db.Column(db.Integer(), primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) def __init__(self, name): self.name = name

SLIDE 25

source: https://damyanon.net/post/flask-series-security/ class User(db.Model, UserMixin): id = db.Column(db.Integer, primary_key=True) email = db.Column(db.String(255), unique=True) password = db.Column(db.String(255)) active = db.Column(db.Boolean()) roles = db.relationship('Role', secondary=roles_users, backref=db.backref('users', lazy='dynamic')) def __init__(self, email, password, active, roles): self.email = email self.password = password self.active = active self.roles = roles

SLIDE 26

Flask-Security

The User class derives from UserMixin Flask-Login

default user implementation. Same for Role class.

SQL Alchemy is used for both User and Role objects.
Following configurations is added to use Flask-Login

with SQL Alchemy

SLIDE 27

source: https://damyanon.net/post/flask-series-security/ def configure_app(app): ... # Configure Security user_datastore = SQLAlchemyUserDatastore(db, User, Role) app.security = Security(app, user_datastore) ...

Complete explanation of Flask-Security configuration is here:

https://pythonhosted.org/Flask-Security/configuration.html

SLIDE 28

CS1520 Recitation: Security in Flask

Plan for Today

Plan for Today

XSS

○ Attack that tries to have your websites or applications load malicious script in your browser

XSS

○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc.

XSS

○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc. ○ Can avoided by escaping text and validating user input.

XSS

all values loaded in the page. http://jinja.pocoo.org/docs/dev/extensions/#autoescap e-extension)

XSS

w.r.t XSS: ○ avoid generating html without Jinja2

XSS

w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files

XSS

w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user

XSS

w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user ○ always quote the attributes values in your templates.

Plan for Today

CSRF

uses the user’s authentication credentials to execute unwanted actions.

verify it against a hidden field in post.

CSRF

CSRF

Plan for Today

SQL Injection

commands via user input form and have them executed on the server.

SQL Injection

commands via user input form and have them executed on the server.

harmful.

SQL Injection

commands via user input form and have them executed on the server.

harmful.

you dynamically create SQL statements. ○ e.g., concatenating data based on user’s input

SQL Injection

semicolons or apostrophes.

Plan for Today

Authentication and Authorization

○ verifies the user’s identity by validating his/her credential (username / email, password)

○ verifies whether authenticated user has access to a given resource

Flask-Security

model, that could be defined via the SQL Alchemy API.

class to build your own.

Flask-Security

default user implementation. Same for Role class.

with SQL Alchemy

https://pythonhosted.org/Flask-Security/configuration.html

Questions?