05-29, 12:20–12:50 (Europe/London), Music Hall
It’s one thing to read the Django security page and follow the recommendations. It’s something completely different to actually understand why those recommendations exist.
Video: https://youtu.be/CN6zJlqdxt0
The talk will cover 5 different security vulnerabilities (spending ~5 mins on each) that are baked into a fake MySpace clone:
- HTML serialization: Why supporting custom HTML is cool, but also dangerous
- The penalties of using a guessable SECRET_KEY: How one might use it to abuse sessions
- The downfalls of stepping outside the ORM: How write a more complex query and accidentally make it vulnerable to SQL injection
- Consider setting ALLOWED_HOSTS: Injecting custom hosts in password reset emails
- No really, consider setting ALLOWED_HOSTS: Unsafe open redirects and the importance of url_has_allowed_host_and_scheme
Each step will introduce in detail how to exploit the vulnerability, followed by patching and validation.
Ashley has spent 10 years as a software engineer, alternating between the Django and Rails environments. Most recently, she's been working on making infrastructure accessible to everyone at Aptible.
Mario has spent the last decade solving high-availability issues in places like Plex and GitLab, and most recently has been working on making infrastructure accessible to everyone at Aptible.