DjangoCon Europe 2023 | A Beginners Guide to Security Exploits in Action
A Beginners Guide to Security Exploits in Action by Ashley Mathew & Mario de la Ossa https://pretalx.com/djangocon-europe-2023/talk/9N97WM/
It’s one thing to read the Django security page and follow the recommendations. It’s something completely different to actually understand why those recommendations exist.
The talk will cover 5 different security vulnerabilities (spending ~5 mins on each) that are baked into a fake MySpace clone:
- HTML serialization: Why supporting custom HTML is cool, but also dangerous
- The penalties of using a guessable SECRET_KEY: How one might use it to abuse sessions
- The downfalls of stepping outside the ORM: How to write a more complex query and accidentally make it vulnerable to SQL injection
- Consider setting ALLOWED_HOSTS: Injecting custom hosts in password reset emails
- No really, consider setting ALLOWED_HOSTS: Unsafe open redirects and the importance of url_has_allowed_host_and_scheme
Each step will introduce in detail how to exploit the vulnerability, followed by patching and validation.
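Two of the bullets above (the raw SQL query and the open redirect) can be shown side by side in plain Python, as an added example that is not from the talk or from Django itself. The in-memory sqlite3 `profile` table and its rows are constructed for the demo; `is_safe_redirect` is a deliberately simplified re-implementation of the idea behind `url_has_allowed_host_and_scheme` (relative paths and allow-listed http(s) hosts only), not Django's own function, so in a real project the Django helper should be called instead.

```python
import sqlite3
from urllib.parse import urlparse


def make_db():
    """Build a throwaway in-memory table standing in for a profile model
    (constructed sample data, not from the talk)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, username TEXT, "
        "bio TEXT, is_private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO profile (username, bio, is_private) VALUES (?, ?, ?)",
        [("tom", "founder", 0), ("ashley", "likes django", 0), ("mario", "hidden", 1)],
    )
    return conn


def search_profiles_unsafe(conn, term):
    """Vulnerable: the search term is pasted straight into the SQL text, so a
    term containing a quote and a comment marker can rewrite the WHERE clause
    and expose private profiles."""
    sql = (
        "SELECT username FROM profile "
        f"WHERE is_private = 0 AND username LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_profiles_safe(conn, term):
    """Hardened: the term travels as a bound parameter, so the database treats
    it purely as a value and the query shape cannot change."""
    sql = "SELECT username FROM profile WHERE is_private = 0 AND username LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def is_safe_redirect(url, allowed_hosts, require_https=False):
    """Simplified stand-in for url_has_allowed_host_and_scheme (assumption:
    not Django's code). Accept only relative paths or http(s) URLs whose host is
    on the allow list; reject everything else, including scheme-relative and
    backslash tricks that browsers may read as a different host."""
    if not url:
        return False
    url = url.strip()
    if url.startswith("///") or "\\" in url:
        return False
    parsed = urlparse(url)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False
    if require_https and parsed.scheme == "http":
        return False
    if not parsed.netloc:
        # Relative path such as "/home/": safe only if no scheme was given.
        return not parsed.scheme
    return parsed.hostname in allowed_hosts


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 1=1 --"  # constructed input that comments out the rest of the query
    print("unsafe:", search_profiles_unsafe(db, payload))  # leaks the private profile
    print("safe:  ", search_profiles_safe(db, payload))    # nothing matches
    hosts = {"myspace.example"}
    for target in ["/home/", "https://myspace.example/profile", "//evil.example/"]:
        print(target, "->", is_safe_redirect(target, hosts))
```

The same parameter-binding rule applies to Django's `cursor.execute(sql, params)` and `Model.objects.raw(sql, params)`; the fix for the redirect is to pass the `next` value through the host check before issuing the `HttpResponseRedirect`, falling back to a fixed URL when the check fails.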
Date Added: September 19, 2024
Note: We understand that names change, people change, and bodies change. We respect each individual's journey and privacy. If you have any concerns about a video or need us to remove content, please don't hesitate to contact us. We will handle your request with care and promptly address any issues.