Saturday, January 4, 2014

Programming Security - Part 7 (Python Security, cont.)

Since the Python Security.org website isn’t being updated anymore, I will do my best to give some general tips for Python programming. While these aren't necessarily expressly for Python, they were listed on the Python Security site so I thought I would put them here.
  • When validating input, use a whitelist for approved data rather than a blacklist. It is easier to deal with a limited data set than try to block every “bad thing” that may be out there. If you know what to expect then you know how to work with it; everything else is rejected by default.
    • If you use regular expressions (regex) for validation, make sure you are matching against the entire string by using start and end anchors.
    • Consider converting input data to a different datatype for further validation. If you receive numbers as a text string, convert them to integers to validate that they are “in range” of expected values. If you get a date string, convert it to a date object to ensure the date is real.
    • If you expect to receive numbers, determine beforehand whether they should be signed or unsigned and what the min/max values should be. This can help eliminate unexpected values and prevent buffer overrun or other attacks.
  • Web authentication can be handled a number of ways; however, “basic authentication” is the worst. Basic authentication is supported by nearly every web browser and is not secure at all. The username and password are sent, merely Base64-encoded and not encrypted, in the HTTP Authorization header with every request. These credentials are kept by the browser the entire time it is open. Thus, until the browser is actually closed or the user manually clears them, the authentication information is available to malicious browser attacks.
  • If you're developing a web application, be cognizant of cross-site scripting (XSS) attacks. XSS allows attackers to inject client-side scripts into a web page that will be run by the client, bypassing the access controls established on the site. The easiest way (but not the only way) to mitigate this attack is through input validation and escaping. Escaping can be handled by your template engine.
  • Escaping is essentially ensuring your output data is treated as data and not characters that can be parsed by the interpreter and executed. Escaping can be as simple as using a simple “escape” character or more complex, depending on the needs of the system.
    • Escaping is not the same as converting (“encoding”) to Unicode. Unicode will still be interpreted and decoded automatically by the browser or server and will not prevent an attack.
    • You will often see escaped characters in HTML when an ampersand (“&”) has been converted to “&amp;”. These conversions prevent the system from switching to “execution mode” and attempting to run the following characters as a program or script.
  • Hashing data performs a one-way encoding of data, of any size, to a fixed-length text string. Any changes to the data, whether accidental or intentional, will change the resulting hash, thus indicating that the original data is corrupt.
    • MD5 and SHA-1, while very popular, are not considered secure anymore and should not be used. If you are implementing a hashing system in your program, use one of the functions from the SHA-2 family.
    • Salting is padding your data, typically a password, with random data to make it more difficult to recover the original data through certain attack vectors, such as rainbow tables. With the advent of GPU-powered hash attacks, salting doesn't have the same effect it once had, but it is still considered a safe practice and should be used.
    • If you are posting publicly downloadable software, consider also posting a hash value of the final product so downloaders can verify they have the correct software and that it wasn't corrupted during transfer or tampered with.
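The validation tips above (whitelist, anchored regex, convert-then-range-check, real date objects) and the output-escaping tip, as an added example in Python; this is not code from the original post, and the validator names, limits and patterns are my own assumptions:

```python
import html
import re
from datetime import date

# Added example, not from the original post. Each validator returns the
# converted value on success and raises ValueError otherwise (whitelist:
# anything not explicitly accepted is rejected). ASCII [0-9] is used instead
# of \d because in Python 3 \d also matches non-ASCII digits and int() accepts
# them, which would let unexpected characters through a numeric check.

USERNAME_RE = re.compile(r"[a-z0-9_]{3,16}")  # assumed policy

def validate_username(raw: str) -> str:
    # fullmatch anchors both ends; re.match alone would accept
    # "alice<script>" because only the prefix has to match.
    if not USERNAME_RE.fullmatch(raw):
        raise ValueError("username must be 3-16 chars of [a-z0-9_]")
    return raw

def validate_quantity(raw: str, lo: int = 1, hi: int = 1000) -> int:
    # Unsigned digits only: int() alone would accept "+5", " 5" or "5_0".
    if not re.fullmatch(r"[0-9]{1,4}", raw):
        raise ValueError("quantity must be 1-4 digits")
    n = int(raw)  # convert first, then compare as numbers, not as text
    if not lo <= n <= hi:
        raise ValueError(f"quantity out of range {lo}-{hi}")
    return n

def validate_date(raw: str) -> date:
    # Shape check with the regex, then a real date object:
    # "2014-02-30" passes the pattern but date() rejects it.
    m = re.fullmatch(r"([0-9]{4})-([0-9]{2})-([0-9]{2})", raw)
    if not m:
        raise ValueError("date must be YYYY-MM-DD")
    year, month, day = (int(g) for g in m.groups())
    return date(year, month, day)  # raises ValueError for impossible dates

def render_comment(text: str) -> str:
    # Escape on output so data stays data: "&" -> "&amp;", "<" -> "&lt;".
    return "<p>" + html.escape(text, quote=True) + "</p>"

def is_valid(validator, raw) -> bool:
    """Boolean wrapper for callers that prefer a flag to an exception."""
    try:
        validator(raw)
        return True
    except ValueError:
        return False
```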

1 comment:

Bruce Wayne said...

Thanks for sharing. I need highly qualified experts online who can teach me the Python language online, or any other programming help.