cs1520 recitation security in flask
play

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents - PowerPoint PPT Presentation

Mar 17, 2023 •332 likes •626 views

CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/ Plan for Today XSS (Cross Site Scripting) CSRF (Cross-Site Request Forgery) SQL

  1. CS1520 Recitation: Security in Flask Jeongmin Lee Slide contents based on a post by Damyan Bogoev at: https://damyanon.net/post/flask-series-security/

  2. Plan for Today ● XSS (Cross Site Scripting) ● CSRF (Cross-Site Request Forgery) ● SQL Injection ● Authentication and Authorization

  3. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  4. XSS ● Cross Site Scripting (XSS) ○ Attack that tries to have your websites or applications load malicious script in your browser

  5. XSS ● Cross Site Scripting (XSS) ○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc.

  6. XSS ● Cross Site Scripting (XSS) ○ Attack that tries to have your websites or applications load malicious script in your browser ○ Try access user’s credentials, get cookie info, modify settings and download files etc. ○ Can avoided by escaping text and validating user input.

  7. XSS ● In Flask, by default it configures Jinja2 to auto escape all values loaded in the page. http://jinja.pocoo.org/docs/dev/extensions/#autoescap e-extension)

  8. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2

  9. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files

  10. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user

  11. XSS ● More considerations for securing your applications w.r.t XSS: ○ avoid generating html without Jinja2 ○ avoid sending out data from uploaded files ○ avoid using the Markup class on not verified data sent by a user ○ always quote the attributes values in your templates.

  12. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  13. CSRF ● Cross-Site Request Forgery (CSRF) is an attack that uses the user’s authentication credentials to execute unwanted actions. ● To against CSRF, you can use random string and to verify it against a hidden field in post.

  14. CSRF source: http://flask.pocoo.org/snippets/3/

  15. CSRF ● Put this in your template: source: http://flask.pocoo.org/snippets/3/

  16. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  17. SQL Injection ● SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server.

  18. SQL Injection ● SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server. ● This SQL query can be anything and can be very harmful.

  19. SQL Injection ● SQL Injection is an attack where users can inject SQL commands via user input form and have them executed on the server. ● This SQL query can be anything and can be very harmful. ● Your application can be exposed to this attack when you dynamically create SQL statements. ○ e.g., concatenating data based on user’s input

  20. SQL Injection ● By default SQL Alchemy quotes special characters – semicolons or apostrophes.

  21. Plan for Today ● XSS ● CSRF ● SQL Injection ● Authentication and Authorization

  22. Authentication and Authorization ● Authentication ○ verifies the user’s identity by validating his/her credential (username / email, password) ● Authorization ○ verifies whether authenticated user has access to a given resource

  23. Flask-Security ● Flask-Security uses internally a User and Role data model, that could be defined via the SQL Alchemy API. ● You can inherit Flask-Security’s User and Role MixIn class to build your own.

  24. roles_users = db.Table('roles_users', \ db.Column('user_id', db.Integer(), db.ForeignKey('user.id')), \ db.Column('role_id', db.Integer(), db.ForeignKey('role.id'))) class Role(db.Model, RoleMixin): id = db.Column(db.Integer(), primary_key=True) name = db.Column(db.String(80), unique=True) description = db.Column(db.String(255)) def __init__(self, name): self.name = name source: https://damyanon.net/post/flask-series-security/

  25. class User(db.Model, UserMixin): id = db.Column(db.Integer, primary_key=True) email = db.Column(db.String(255), unique=True) password = db.Column(db.String(255)) active = db.Column(db.Boolean()) roles = db.relationship('Role', secondary=roles_users, backref=db.backref('users', lazy='dynamic')) def __init__(self, email, password, active, roles): self.email = email self.password = password self.active = active self.roles = roles source: https://damyanon.net/post/flask-series-security/

  26. Flask-Security ● The User class derives from UserMixin Flask-Login default user implementation. Same for Role class. ● SQL Alchemy is used for both User and Role objects. ● Following configurations is added to use Flask-Login with SQL Alchemy

  27. def configure_app(app): ... # Configure Security user_datastore = SQLAlchemyUserDatastore(db, User, Role) app.security = Security(app, user_datastore) ... ● Complete explanation of Flask-Security configuration is here: https://pythonhosted.org/Flask-Security/configuration.html source: https://damyanon.net/post/flask-series-security/

  28. Questions?

Recommend

CS1520 Recitation: Flask 2: Templating Jeongmin Lee Plan for Today Templating in Flask

CS1520 Recitation: Flask 2: Templating Jeongmin Lee Plan for Today Templating in Flask

CS1520 Recitation: Flask 2: Templating Jeongmin Lee Plan for Today Templating in Flask Jinja Tags Control Flow Static Files Templating In previous example Everything to show from flask import Flask app = Flask(__name__)

310 views • 16 slides
CS1520 Recitation: RESTful Flask Jeongmin Lee Plan for Today Install RESTful-Flask

CS1520 Recitation: RESTful Flask Jeongmin Lee Plan for Today Install RESTful-Flask

CS1520 Recitation: RESTful Flask Jeongmin Lee Plan for Today Install RESTful-Flask Simple Example Resourceful Routing Add resource Argument Parsing Data Formatting Full Example Install Flask-RESTful >> pip

717 views • 35 slides
CS1520 Recitation: Flask 1 Jeongmin Lee Plan for Today Install Flask and Run First Program

CS1520 Recitation: Flask 1 Jeongmin Lee Plan for Today Install Flask and Run First Program

CS1520 Recitation: Flask 1 Jeongmin Lee Plan for Today Install Flask and Run First Program Routing Variable Rules Installing Flask Start with Virtual ENV 1. Install Virtual Environment first pip install virtualenv Start with

471 views • 28 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web

CS/COE 1520 pitt.edu/~ach54/cs1520 Server-side scripting with Flask Flask A micro web framework written in Python First release was in 2010 Current version (1.1.1) was released in July 2019 Currently powers LinkedIn and

278 views • 8 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Using Templates to Generate Views in Flask Jinja2 templating

CS/COE 1520 pitt.edu/~ach54/cs1520 Using Templates to Generate Views in Flask Jinja2 templating

CS/COE 1520 pitt.edu/~ach54/cs1520 Using Templates to Generate Views in Flask Jinja2 templating language Jinja templates are simply text files Include Jinja tags that will be expanded when the template is rendered Here, we'll

381 views • 8 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Developing Models in Flask Database overview Our models

CS/COE 1520 pitt.edu/~ach54/cs1520 Developing Models in Flask Database overview Our models

CS/COE 1520 pitt.edu/~ach54/cs1520 Developing Models in Flask Database overview Our models are going to represent the state of a database that contains all of the data used by our web application We'll assume the use of transactional

515 views • 17 slides
CS1520 Recitation: Python Jeongmin Lee Plan for Today String functions Tuples

CS1520 Recitation: Python Jeongmin Lee Plan for Today String functions Tuples

CS1520 Recitation: Python Jeongmin Lee Plan for Today String functions Tuples Dictionaries List Manipulation Note that this slide is largely based on the Python Cheat Sheet distributed at

694 views • 41 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 AJAX Where we stand so far With JavaScript, we said that

CS/COE 1520 pitt.edu/~ach54/cs1520 AJAX Where we stand so far With JavaScript, we said that

CS/COE 1520 pitt.edu/~ach54/cs1520 AJAX Where we stand so far With JavaScript, we said that we wanted to build dynamic web applications E.g., your battleship game With Flask, we started to utilize client/server interactions

570 views • 21 slides
CS1520 Recitation: Ajax Jeongmin Lee Plan for Today Introduction How does it work

CS1520 Recitation: Ajax Jeongmin Lee Plan for Today Introduction How does it work

CS1520 Recitation: Ajax Jeongmin Lee Plan for Today Introduction How does it work XMLHttpRequest Object Send Request Get Response Example: Get CD Plan for Today Introduction How does it work XMLHttpRequest

971 views • 49 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality

CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality

CS/COE 1520 pitt.edu/~ach54/cs1520 Web security Security basics: CIA Confidentiality Keeping information secret from those who should not be able to see it Integrity Two portions: Data integrity: has the content of

680 views • 19 slides
CS1520 Recitation: VirtualENV Jeongmin Lee What is it Virtualenv is a tool to create isolated

CS1520 Recitation: VirtualENV Jeongmin Lee What is it Virtualenv is a tool to create isolated

CS1520 Recitation: VirtualENV Jeongmin Lee What is it Virtualenv is a tool to create isolated Python environments What is it Virtualenv is a tool to create isolated Python environments environments : version, dependencies, packages

400 views • 15 slides
Web Development with Flask and the Raspberry Pi Leading by Example CU A U H T E M O C CA R B A J

Web Development with Flask and the Raspberry Pi Leading by Example CU A U H T E M O C CA R B A J

Web Development with Flask and the Raspberry Pi Leading by Example CU A U H T E M O C CA R B A J A L I T E S M C E M 2 2 / 0 4 / 2 0 14 Introduction Flask: lightweight web application framework written in Python and based on the Werkzeug

478 views • 45 slides
Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris

Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris

Moving FLASK to BSD Systems Moving FLASK to BSD Systems SELinux ELinux Symposium 2006 Symposium 2006 S Chris Vance Information Systems Security Operation, SPARTA, Inc. Vance_20060301_01 Overview Overview Security Frameworks A

610 views • 22 slides
Flask Data Manipulation in Python 1 / 12 Flask Pythons built-in web server is nice, but

Flask Data Manipulation in Python 1 / 12 Flask Pythons built-in web server is nice, but

Flask Data Manipulation in Python 1 / 12 Flask Pythons built-in web server is nice, but serious web development is done using a web framework. Web frameworks typically provide: Routes, which map URLs to server files or Python code

622 views • 12 slides
MICROALGAE CULTURE (4) BIO301 Dr Navid Moheimani Prof Michael Borowitzka Flask Cultures Flask

MICROALGAE CULTURE (4) BIO301 Dr Navid Moheimani Prof Michael Borowitzka Flask Cultures Flask

MICROALGAE CULTURE (4) BIO301 Dr Navid Moheimani Prof Michael Borowitzka Flask Cultures Flask Cultures Carbuoy Tubular Airlift Reactor Commercial-Scale production Systems Open ponds Hutt Lagoon; WA Whyalla; SA Dunaliella &

3.94k views • 39 slides
BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski

BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski

BUILDING BEAUTIFUL REST APIs with Flask, Swagger UI and Flask-RESTPlus Micha Karzy ski EuroPython 2016 ABOUT ME My name is Micha Karzy ski (thats Polish for Mike) I blog at http://michal.karzynski.pl Short URL:

495 views • 34 slides
CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for

CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for

CS/COE 1520 pitt.edu/~ach54/cs1520 Introduction Meta-notes These notes are intended for use by students in CS1520 at the University of Pittsburgh. They are provided free of charge and may not be sold in any shape or form. These

539 views • 19 slides
Principle - Standardization Standardization of KMnO 4 (aq) with Na 2 C 2 O 4 2- (aq) + 16H +

Principle - Standardization Standardization of KMnO 4 (aq) with Na 2 C 2 O 4 2- (aq) + 16H +

Redox Titration with KMnO 4 (2020/05/08 revised) Collect: One 100 mL volumetric flask One magnetic stir bar (from TA) Four 250 mL Erlenmeyer flask One 25 mL burette One glass dropper Thermometer General apparatus Two

279 views • 11 slides
Flask Pyth thon on web eb fram amewor orks ks Django Roughly follows MVC pattern

Flask Pyth thon on web eb fram amewor orks ks Django Roughly follows MVC pattern

Flask Pyth thon on web eb fram amewor orks ks Django Roughly follows MVC pattern Steeper learning curve. Flask Initially an April Fools joke Micro -framework: minimal approach. Smaller learning curve

472 views • 24 slides
useFlask() useFlask() useFlask() useFlask() or how to use a React frontend for your Flask

useFlask() useFlask() useFlask() useFlask() or how to use a React frontend for your Flask

useFlask() useFlask() useFlask() useFlask() or how to use a React frontend for your Flask app ABOUT ME ABOUT ME Adrian Mnnich @ThiefMaster Lead Developer of the Indico project at CERN One of the Pallets maintainers

934 views • 39 slides
Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming

Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming

9/26/2016 Recursion continued Midterm Exam 2 parts Part 1 done in recitation Programming using server Covers material done in Recitation Part 2 Friday 8am to 4pm in CS110 lab Question/Answer Similar format to

317 views • 11 slides
Flask Marcin Jenczmyk Clearcode m.jenczmyk@clearcode.cc 27/05/2017 Marcin Jenczmyk Flask

Flask Marcin Jenczmyk Clearcode m.jenczmyk@clearcode.cc 27/05/2017 Marcin Jenczmyk Flask

requirements.txt Hello there! HTTP methods Templates Static files Flask Marcin Jenczmyk Clearcode m.jenczmyk@clearcode.cc 27/05/2017 Marcin Jenczmyk Flask requirements.txt Hello there! HTTP methods Templates Static files Overview

978 views • 29 slides
Quart; an asyncio alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 1 Quart; an ASGI

Quart; an asyncio alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 1 Quart; an ASGI

Quart; an asyncio alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 1 Quart; an ASGI alternative to Flask P G Jones - 2018-07-27 pgjones@stet.io 2 Me Background rejection for the neutrinoless doublebeta decay experiment SNO+.

504 views • 26 slides
Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is

Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is

Recitation 3: Synchronisation Kai Mast E L 3 3 T H4 X0 R ? Which of the following is the best way to wait for two predicates to be true? Which of the following are (virtually) shared by threads within a single process? (A) Heap (B)

242 views • 13 slides

More recommend