[GSOC 2014 proposal] enhancing security features in django


Prithviraj Billa

Feb 23, 2014, 11:04:15 AM
to django-d...@googlegroups.com

Hello Guys!


I am planning to work on developing and improving the security features of Django.


I would like some help in formalizing the proposal so that it will meet the requirements.


Things I understood about how security against CSRF works and how it is implemented in Django (please correct me if I'm wrong):

  • Whenever the user requests a csrf_token in the HTML view or using the function csrf_protect(), the server creates a randomized token which is different for every request (changes for requests), and we set a cookie csrf_token=value.

  • When a POST request is sent (or some sensitive operation is done at the server side), we also send a hidden variable csrf_token which is validated against the cookie (double submit cookie technique).

  • The attacker may send the request from another domain on behalf of the logged-in user, but the attack will mostly fail because he cannot read the session data (because of the same-origin policy).

  • All these operations are taken care of by the CSRF middleware.


It is mentioned that you want to integrate the django-secure project with the Django project. SSL redirect, security against clickjacking and some XSS attacks were already implemented in the above project. Does the candidate have to improve those features or just have to integrate those features with the present Django?


How can we enhance the security measures against CSRF attacks? (I don't know how to enhance security using the double submit cookie technique which is already implemented in the Django project.)


I think we can implement the encrypted token pattern to enhance the security against CSRF attacks. It is mentioned that it allows us greater control over CSRF defense, without introducing new security concerns or architectural problems. I'm a newbie in this area, so please let me know if this is not a good idea.



I would like to hear your comments and opinions.


Thanks,

Prithviraj M Billa

github: http://github.com/Prithvirajbilla

blog: http://blog.prithvirajbilla.com
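As an added example (not part of the thread and not Django's own implementation), the two mechanisms the post discusses side by side: the double-submit cookie check, and a stateless HMAC-signed token in the spirit of the encrypted token pattern, with expiry and session binding. The function names and SECRET_KEY are assumptions for the demo.

```python
import hashlib
import hmac
import secrets
import time

# Constructed server-side secret for the demo; a real deployment loads it from config.
SECRET_KEY = secrets.token_bytes(32)


def issue_cookie_token():
    """Double-submit cookie: random token set as a cookie and echoed in a hidden field."""
    return secrets.token_urlsafe(32)


def check_double_submit(cookie_token, form_token):
    """Accept only when the hidden field matches the cookie (constant-time compare).

    A forged cross-site request still carries the cookie (the browser attaches it),
    but the attacker cannot read its value, so the form field is missing or wrong.
    """
    if not cookie_token or not form_token:
        return False
    return hmac.compare_digest(cookie_token.encode(), form_token.encode())


def _tag(session_id, ts):
    # HMAC over (session id, timestamp) binds the token to one session and time.
    return hmac.new(SECRET_KEY, f"{session_id}:{ts}".encode(), hashlib.sha256).hexdigest()


def issue_signed_token(session_id, now=None):
    """Stateless token: timestamp plus tag. A MAC-based variant of the encrypted-token
    idea: the token carries its own integrity, so no server-side lookup is needed."""
    ts = int(time.time()) if now is None else now
    return f"{ts}.{_tag(session_id, ts)}"


def check_signed_token(token, session_id, now=None, max_age=3600):
    """Reject malformed tokens, wrong sessions, tampered tags and expired timestamps."""
    try:
        ts_str, tag = token.split(".", 1)
        ts = int(ts_str)
    except (AttributeError, ValueError):
        return False
    if not hmac.compare_digest(_tag(session_id, ts).encode(), tag.encode()):
        return False
    current = int(time.time()) if now is None else now
    return 0 <= current - ts <= max_age
```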



Prithviraj Billa

Feb 25, 2014, 12:25:55 AM
to django-d...@googlegroups.com
I am eagerly waiting to hear your comments and opinions.

Thanks,

Prithviraj M Billa

github: http://github.com/Prithvirajbilla
blog: http://blog.prithvirajbilla.com

Russell Keith-Magee

Feb 25, 2014, 7:14:38 PM
to Django Developers
Hi Prithviraj,

I suspect the reason you haven't had a response is that there isn't much to respond to here. 

Regarding integrating django-secure -- I agree that this would be a worthwhile activity; it was part of the plan for last year's GSoC project on the validation framework, but got dropped due to time constraints. However, that body of work was estimated as 2 weeks of work or less - it certainly won't be enough to sustain a GSoC project on its own. If you can propose additional checks that could be added to django-secure, that *might* bulk out your project proposal to fill the allotted time, but you'd need to propose a *lot* of new checks - and as part of your proposal process, we'd be expecting *you* to propose which new checks you can add.

As for your other suggestion -- well… you suggest implementing an "encrypted token pattern", but don't actually provide any references to describe what you actually mean. You say "it is said", but don't say *by whom*. 

In short -- we need a lot more detail than this before we can provide any meaningful feedback. If you've got specific questions, we're happy to answer them, but based on the information you've provided so far, all we can say is yes, improving Django's security features is a project on our wish list. 

Yours,
Russ Magee %-)


