DjangoCon Europe 2023 | A Beginners Guide to Security Exploits in Action

A Beginners Guide to Security Exploits in Action by Ashley Mathew & Mario de la Ossa https://pretalx.com/djangocon-europe-2023/talk/9N97WM/

It’s one thing to read the Django security page and follow the recommendations. It’s something completely different to actually understand why those recommendations exist.

The talk will cover 5 different security vulnerabilities (spending ~5 mins on each) that are baked into a fake MySpace clone:
- HTML serialization: Why supporting custom HTML is cool, but also dangerous
- The penalties of using a guessable SECRET_KEY: How one might use it to abuse sessions
- The downfalls of stepping outside the ORM: How to write a more complex query and accidentally make it vulnerable to SQL injection
- Consider setting ALLOWED_HOSTS: Injecting custom hosts in password reset emails
- No really, consider setting ALLOWED_HOSTS: Unsafe open redirects and the importance of url_has_allowed_host_and_scheme
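The "stepping outside the ORM" item above is easiest to see with a raw query. The following is an added example, not code from the talk or its demo application: it builds a constructed in-memory SQLite table of profiles (the table, column names and usernames are assumptions), then runs the same profile search two ways. The unsafe version formats the search term into the SQL text, so quote characters in the term change the query's structure and the `is_private` filter can be bypassed; the fixed version binds the term as a parameter, so the database never parses it as SQL.

```python
import sqlite3


def make_db():
    # Constructed sample data standing in for the fake MySpace clone's profiles.
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE profile (id INTEGER PRIMARY KEY, username TEXT, is_private INTEGER)"
    )
    conn.executemany(
        "INSERT INTO profile (username, is_private) VALUES (?, ?)",
        [("alice", 0), ("bob", 0), ("carol", 1)],
    )
    return conn


def search_profiles_unsafe(conn, term):
    # Vulnerable: the term is interpolated into the SQL string. A term that
    # closes the quoted LIKE pattern can append its own conditions and
    # comment out the rest, so private profiles leak.
    sql = (
        "SELECT username FROM profile "
        f"WHERE is_private = 0 AND username LIKE '%{term}%'"
    )
    return [row[0] for row in conn.execute(sql)]


def search_profiles_safe(conn, term):
    # Fixed: the term travels as a bound parameter. Whatever it contains is
    # matched as data inside the LIKE pattern, never parsed as SQL.
    sql = "SELECT username FROM profile WHERE is_private = 0 AND username LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


if __name__ == "__main__":
    db = make_db()
    # Ordinary input behaves the same in both versions.
    print(search_profiles_unsafe(db, "ali"), search_profiles_safe(db, "ali"))
    # A term containing a quote: the unsafe query's WHERE clause is rewritten,
    # the safe query simply finds nothing matching that literal text.
    crafted = "%' OR is_private = 1 --"
    print(search_profiles_unsafe(db, crafted))  # includes the private profile
    print(search_profiles_safe(db, crafted))    # []
```

In Django the same rule applies to `Model.objects.raw()` and to `connection.cursor().execute()`: pass the values through the `params` argument with `%s` placeholders rather than formatting them into the query string, so the database driver does the quoting.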

Each step will introduce in detail how to exploit the vulnerability, followed by patching and validation.
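The open-redirect item in the list above comes down to how a `next`-style parameter is validated before `redirect()` is called. The block below is an added example, not the talk's code and not Django's implementation: it contrasts a weak check that only rejects absolute `http(s)://` URLs with a simplified model of the checks `url_has_allowed_host_and_scheme` performs (host must be absent or on the allow-list, scheme must be absent or http/https, backslash and triple-slash variants are normalised). The host name `myspace-clone.example` is a constructed placeholder. In a real Django project, call `django.utils.http.url_has_allowed_host_and_scheme` directly rather than reimplementing it.

```python
from urllib.parse import urlsplit

# Constructed allow-list; in Django this would be request.get_host() / ALLOWED_HOSTS.
ALLOWED_HOSTS = {"myspace-clone.example"}


def is_safe_redirect_weak(url):
    # Common but insufficient: blocks only absolute http(s) URLs, so a
    # scheme-relative "//other-host/" (which browsers follow) slips through.
    return not url.lower().startswith(("http://", "https://"))


def is_safe_redirect(url, allowed_hosts, require_https=False):
    # Simplified model of Django's url_has_allowed_host_and_scheme (assumption:
    # a reduced rewrite for illustration, not the library's own code).
    if not url or url[0].isspace() or url.startswith("///"):
        return False
    valid_schemes = {"https"} if require_https else {"http", "https"}
    # Check the URL as given and with backslashes turned into slashes, because
    # browsers treat "/\host" like "//host".
    for candidate in (url, url.replace("\\", "/")):
        try:
            parts = urlsplit(candidate)
        except ValueError:
            return False
        # A scheme with no host ("javascript:...", "http:///host") is never safe.
        if parts.scheme and not parts.netloc:
            return False
        scheme = parts.scheme or ("http" if parts.netloc else "")
        if parts.netloc and parts.netloc not in allowed_hosts:
            return False
        if scheme and scheme not in valid_schemes:
            return False
    return True


if __name__ == "__main__":
    for target in ["/profile/alice", "//evil.example/", "/\\evil.example",
                   "javascript:alert(1)", "https://myspace-clone.example/home"]:
        print(f"{target!r}: weak={is_safe_redirect_weak(target)} "
              f"checked={is_safe_redirect(target, ALLOWED_HOSTS)}")
```

The view would then use the checked value as Django does: fall back to a fixed default when the check fails, never to the raw parameter.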

Date Added: September 19, 2024
