PyCon 2019 in Cleveland, Ohio

Thursday 1:20 p.m.–4:40 p.m. in Room 21

Hands-On Web Application Security with Django

Jacinda Shelly


XSS, SQL injection and improper authorization, oh my! Between the OWASP Top 10, CSRF, stolen sessions and DDoS attacks, have you ever felt that the world of web security was too complex to understand? Do you find yourself wishing that you understood what those acronyms *really* translate to in a live web application? If so, then this is the tutorial you've been waiting for.

In this tutorial we'll cover essential topics in web security, including the majority of the OWASP Top 10, but we *won't* be doing it in a theoretical manner. We'll take a live, deliberately insecure web application, identify the vulnerabilities, exploit them, and finally fix them. Sound cool? It is!

Topics include the following:

* Cross-site scripting (XSS)
* Cross-site request forgery (CSRF)
* Cookies and how they can be abused
* Why default passwords are dangerous
* Improper authorization checking
* Incorrect session management
* SQL injection
* How to abuse pickle
* And more!

You'll also learn next steps, and we'll provide suggested resources for continuing your security education.

While previous experience with Django is not required, it is recommended. You should have an understanding of how web applications work in general and have completed the official [Django Tutorial]( or something substantially similar.
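The "identify, exploit, fix" loop the tutorial describes, applied to one of its listed topics (abusing pickle), as an added example that is not part of the tutorial's own materials. It is stand-alone Python with no Django dependency: a constructed attacker payload shows that `pickle.loads` on untrusted bytes (for example a session cookie) executes code during deserialization, and two fixes follow, a data-only serializer (JSON, which is what Django's default session serializer uses) and an HMAC check before deserializing (the shape of Django's signing machinery). The function names, the `EXECUTED` marker and the secret key are all assumptions made for illustration; a real payload would call `os.system` rather than a harmless recorder.

```python
"""Added example, not from the tutorial: code execution via pickle.loads,
and two fixes (a data-only serializer, or authenticate-then-deserialize).
Stand-alone Python; no Django required."""
import hashlib
import hmac
import json
import pickle

# Records side effects so the exploit is observable without running os.system.
EXECUTED = []


def record_execution(tag):
    """Stands in for the shell command a real payload would run."""
    EXECUTED.append(tag)
    return tag


class MaliciousSession:
    """pickle rebuilds an object by calling whatever __reduce__ returns,
    so an attacker-chosen callable runs inside pickle.loads itself."""

    def __reduce__(self):
        # Real payloads use (os.system, ("...",)); this one only leaves a marker.
        return (record_execution, ("code ran inside pickle.loads",))


def build_malicious_session():
    """Constructed attacker payload, e.g. planted in a pickled session cookie."""
    return pickle.dumps(MaliciousSession())


def build_legit_session(user_id=7):
    """Constructed benign session as the server itself would produce it."""
    return pickle.dumps({"user_id": user_id})


# --- vulnerable: trust whatever bytes arrive ---------------------------------
def load_session_unsafe(blob):
    return pickle.loads(blob)


# --- fix 1: use a format with no code-execution primitive --------------------
def load_session_json(blob):
    # Pickle bytes are not valid JSON (nor valid UTF-8), so this raises
    # ValueError and nothing is executed.
    return json.loads(blob)


# --- fix 2: authenticate the blob before deserializing it --------------------
def sign(blob, key):
    return hmac.new(key, blob, hashlib.sha256).hexdigest()


def load_session_signed(blob, signature, key):
    # Constant-time compare; only blobs the server produced reach pickle.loads.
    if not hmac.compare_digest(sign(blob, key), signature):
        raise ValueError("bad signature: refusing to unpickle")
    return pickle.loads(blob)


if __name__ == "__main__":
    evil = build_malicious_session()
    load_session_unsafe(evil)
    print("unsafe load ->", EXECUTED)
    EXECUTED.clear()
    try:
        load_session_json(evil)
    except ValueError as exc:
        print("json load rejected ->", type(exc).__name__)
    key = b"server-side-secret"  # assumption: the server's signing key
    try:
        load_session_signed(evil, sign(evil, b"attacker-guess"), key)
    except ValueError as exc:
        print("signed load rejected ->", exc)
    print("code executed by the fixed loaders:", EXECUTED)
```

The signed variant still unpickles, so it only helps while the key stays secret: anyone who obtains it (a default or leaked `SECRET_KEY`, say) can mint a valid signature for a malicious blob. The JSON variant removes the primitive entirely and is the stronger fix.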

Student Handout

No handouts have been provided yet for this tutorial