Hello, (disclaimer: it's a security question and I don't have any proper expertise in this area, so please bear with me)
The people responsible for the Apache part of our Django application have recently introduced a policy for mandatory use of mod_security with the OWASP ruleset. The SQL injection rule [1] has caught their attention, because it has found substrings like "XOr" and "0xa66e" in the "sessionid" and "csrftoken" cookies and has rejected the corresponding requests as a possible SQL injection attack (apparently a known phenomenon in other environments as well [2]).

Based on that, we now have a request on the table to change hash key generation to something that doesn't produce any substrings looking like SQL (e.g. producing no more than two alphabetical symbols in a row, or using hex strings). I consider this extremely risky, since the chance of session ID collisions increases noticeably (and on top of that, I don't want to go forking Django code). On the other hand, they consider disabling that rule risky, since they think they'd be missing SQL injections; which shouldn't be a problem in my opinion, because we don't put raw cookie values into raw SQL statements (but they'd have to take my word for it) and everything else is ORM-managed.

I think I can argue against changing the hash generation routine and in favor of killing the mod_security rule. However, I'd like to have some additional information from Django developers to strengthen my case a bit.

1. Has there been some security audit in the past which confirmed that session ID handling inside Django is not vulnerable to SQL injection attacks?
2. Can I argue that Django's ORM is SQL injection safe (we are 99% ORM-based)?
3. In general, is my assumption correct that I'd be vastly reducing entropy if I implemented a session handler with different key generation? I can't really analyze [3] for collision probability, esp. since it's not one of the usual suspects (MD5/SHA1/SHA256/etc.), but I have a feeling that anything I'd produce will have a much higher percentage.
If anyone has experienced a similar problem with mod_security, I'd be happy to hear how you resolved it, or how you would have resolved it if you were in charge. Thanks!

[1] https://github.com/SpiderLabs/owasp-modsecurity-crs/blob/master/base_rules/modsecurity_crs_41_sql_injection_attacks.conf
[2] http://stackoverflow.com/questions/21029081/detects-chained-sql-injection-attempts-1-2-in-phpsessid-cookie
[3] https://github.com/django/django/blob/master/django/utils/crypto.py#L54
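Question 3 asks how much entropy a restricted key alphabet would cost. The following is an added example, not code from the original post or from Django: it assumes the session key is 32 characters drawn uniformly from the 36 lowercase alphanumerics (as Django's session backend is assumed here to do), compares that with a 32-character hex key and with the proposed "no more than two letters in a row" alphabet, counts the constrained key space with a small dynamic programme, and gives the birthday-bound collision probability for a given number of live sessions.

```python
import math
import re
import secrets
import string

# Assumed Django session-key alphabet: 26 lowercase letters + 10 digits.
LOWER_ALNUM = string.ascii_lowercase + string.digits
HEX = "0123456789abcdef"
THREE_LETTERS = re.compile(r"[a-z]{3}")


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a key of `length` symbols drawn uniformly from `alphabet_size`."""
    return length * math.log2(alphabet_size)


def count_max_two_letters(length: int, letters: int = 26, digits: int = 10) -> int:
    """Number of strings of `length` over letters+digits with no run of 3+ letters.
    State = length of the trailing run of letters (0, 1 or 2)."""
    run = [1, 0, 0]  # the empty string ends in a run of 0 letters
    for _ in range(length):
        run = [digits * sum(run), letters * run[0], letters * run[1]]
    return sum(run)


def constrained_entropy_bits(length: int) -> float:
    """Entropy of a uniformly chosen key from the 'max two letters in a row' space."""
    return math.log2(count_max_two_letters(length))


def acceptance_rate(length: int) -> float:
    """Fraction of unconstrained 36^length keys that satisfy the constraint."""
    return count_max_two_letters(length) / 36 ** length


def birthday_collision_probability(bits: float, n_keys: int) -> float:
    """Approximate P(at least one collision) among n_keys uniform keys: n(n-1)/2^(bits+1)."""
    return min(1.0, n_keys * (n_keys - 1) / 2 ** (bits + 1))


def make_constrained_key(length: int = 32) -> str:
    """Uniformly random constrained key via rejection sampling from the OS CSPRNG.
    Filtering after generation keeps every accepted key equally likely; expected
    attempts are 1 / acceptance_rate(length), a few thousand for length 32."""
    while True:
        key = "".join(secrets.choice(LOWER_ALNUM) for _ in range(length))
        if not THREE_LETTERS.search(key):
            return key


if __name__ == "__main__":
    for name, bits in [("36-char alnum, 32 long", entropy_bits(36, 32)),
                       ("hex, 32 long", entropy_bits(16, 32)),
                       ("max two letters in a row, 32 long", constrained_entropy_bits(32))]:
        print(f"{name}: {bits:.1f} bits, P(collision among 1e9 keys) ~ "
              f"{birthday_collision_probability(bits, 10**9):.2e}")
```

The numbers put the trade-off in question 3 on a concrete footing: a restricted alphabet lowers the per-character entropy, and the collision bound shows how much margin a 32-character key keeps after that reduction.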
