Python Security

Course Outline

• Cybersecurity basics
  • What is security?
  • Threat and risk
  • Cybersecurity threat types
  • Consequences of insecure software
  • Constraints and the market
  • The dark side

• The OWASP top ten (Part I)
  • OWASP Top 10 – 2017
  • Injection
    • Injection principles
    • Injection attacks
    • SQL injection
  • SQL injection best practices
    • Input validation
    • Parameterized queries
    • Additional considerations
    • Case study – Hacking Fortnite accounts
    • Testing for SQL injection
  • SQL injection and ORM
    • Parameter manipulation
    • CRLF injection
    • Code injection
    • Injection best practices
  • Broken authentication
    • Authentication basics
    • Authentication weaknesses
    • Spoofing on the Web
    • Testing for weak authentication
    • Case study – PayPal 2FA bypass
    • User interface best practices
    • Password management

• The OWASP top ten (Part II)
  • Broken authentication
    • Password management
    • Session management
    • Cookie security
  • Sensitive data exposure
    • Information exposure
    • Exposure through extracted data and aggregation
    • Case study – Strava fitness app data exposure
    • System information leakage
  • Information exposure best practices
    • Error and exception handling principles
    • Information exposure through error reporting
    • Information leakage via error pages
  • XML external entities (XXE)
    • DTD and the entities
    • Entity expansion
    • Attribute blowup
    • External entity attack (XXE)
  • Broken access control
    • Access control basics
    • Failure to restrict URL access
    • Testing for authorization issues
    • Confused deputy
  • File upload
    • Unrestricted file upload
    • Good practices
    • Testing for file upload vulnerabilities
  • Security misconfiguration
    • Configuration principles
    • Configuration management
    • Server misconfiguration
    • Python configuration best practices
  • Cross-site scripting (XSS)
    • Cross-site scripting basics
    • Cross-site scripting types
  • XSS protection best practices
    • Protection principles – escaping
    • XSS protection APIs in Python
    • XSS protection in Jinja2
    • Additional protection layers
    • Client-side protection principles
    • Blacklisting-based XSS protection evasion
    • Testing for XSS

• The OWASP top ten (Part III)
  • Insecure deserialization
    • Serialization and deserialization challenges
    • Deserializing untrusted streams
    • Deserialization with pickle
    • Deserialization with PyYAML
    • Deserializing best practices
    • Testing for insecure deserialization
  • Using components with known vulnerabilities
    • Using vulnerable components
    • Assessing the environment
    • Hardening
    • Untrusted functionality import
    • Malicious packages in Python
    • Importing JavaScript
    • Case study – The British Airways data breach
    • Vulnerability management
  • Insufficient logging and monitoring
    • Logging and monitoring principles
    • Insufficient logging
    • Plaintext passwords at Facebook
    • Logging best practices
    • Monitoring best practices

• Web application security beyond the top ten
  • Client-side security
  • Same origin policy
  • Frame sandboxing
    • Cross-frame scripting (XFS) attack
    • Clickjacking beyond hijacking a click
    • Clickjacking protection best practices

• Common software security weaknesses
  • Input validation

• JSON security
  • JSON injection
  • Dangers of JSONP
  • JSON/JavaScript hijacking
  • Best practices
  • ReactJS vulnerability in HackerOne

• Security testing
  • Security testing vs functional testing
  • Manual and automated methods
  • Security testing techniques and tools
    • Code analysis
    • Dynamic analysis