Web Security with Python | Python 2 is Not Your Friend

Cyber Security Python
Transcript

English (Auto-generated)

My beloved casters. Um, today we're gonna do something a little different. You see, we have work open, which is a command-line terminal shell for macOS. But it's just a command line. And I have these two files that should be shared with you: view_logs.py and server.log. Go to the server log, which is like an Apache log that I stole off of someone's GitHub. So get that working for you, and then we have our code. Thank you. Yeah, we have our code file, which is empty. And that's what we're gonna be working on. Uh, the situation is our character, junior dev Dave. That's the person who doesn't know what he's doing. He's a naive junior developer. He wants to create a little tool that gets the last few lines of this file. Okay. So we're gonna go in there and start editing that code. We're creating it from scratch, really, because there's nothing to edit. So we're just gonna open this server log and get the last n lines, and n will be input from the command line. So let's go for it. We'll say, first of all, open it. Yes. It's called server.log, as log_file; logs will read the log file. Sorry, it's really late here right now, so I'm trying to make my voice clear without waking everyone up. Have a sleeping baby, so gotta be careful. And just to make sure that works, let's go ahead and print the logs, and then we'll get back to this Micro editor that I've never used before. Look at this, like, I think I got to do, like, man e. Okay, quit. Yeah. And they'll ask me if I want to save. Sorry, I'm using this editor called Micro. I think I mentioned that I've never used it before, so I feel like a total noob. And we'll just say python view_logs.py and, great, there's a log, so that works. Let's get back into the code. Okay. But remember, we don't want to print the whole log, just the last n lines. So I'm gonna use the readlines command, which gives you a list of lines.
Very creative naming there. We will say last_n_lines equals... but wait a second, we don't have n yet. Right, so let's just say n equals, um, n equals input. We'll just say "how many lines". In real life we would obviously just use the tail command for this. But again, this is junior dev Dave; he's a junior dev. He doesn't know about systems administration stuff. All those fancy sysadmin commands are a little bit beyond his pay grade. So, how many lines to read. Great, we'll get that input and then we will say logs, and we will start at... I want to start at the end. Can we do it like that? So this is actually a question I have; I haven't thought about this. It's a little late for me. Okay. So we want to get... at the end, right, we're gonna get up till something like that. I forget. About -1. Let's see, slice notation. So embarrassing to not remember something like that. Okay. Okay. And then again, save my changes and run my code. That's three lines. I just want to make sure those are actually the last lines. You know, they're totally not; those are the first lines. Oh right, right, right. Because I'm going negative. Okay. I don't want to be doing that. So I'm gonna start... sorry, sorry. I swear it's late. It's late here. It's late. Don't judge me. We're gonna start at negative n and go up to the end, and that's it. That's all we would have to do. Okay, that should totally work. Now I'm embarrassed. How embarrassing that you guys are never going to trust my Python skills. Okay, how many lines? Three. Last three lines, we have it ending in 77, ending in 77. There we go. Those are the last three lines, it appears. Woo! See, that's a line, that's the line, and that's the line. Those will be the last three lines, which correspond to these three lines here. So very cool, correct? Well, it appears to have worked. Okay, but this is extremely vulnerable. So what's the vulnerability?
Well, the problem is, if we type which python, we see we're just running /usr/bin/python, and if we run python -v, we see that... this is Python... wait, I actually think that's not the command. So I think it might be, like, capital V. Yeah, there we go. We're running Python 2.7. Okay. And if any of you are actually Python developers, you'll probably notice that when I said input, this should have been a string, so I shouldn't have been able to use that. I should have had to say something like this, right? Thanks. Okay. I should have had to convert it to an integer. I think there's some other function called, like, to_numeric or whatever it's called, that also converts something to a numeric value. But the point is that I should have had to convert it to a number, right? Because it's a string. So the reason this works is that in Python 2, input would actually take in a raw value, like an expression, and then it would evaluate it and it would give you that. So I'm giving it a number and it's like, that's a number. Cool, legit. Back in the Python 2 days, you had to say raw_input. Excuse me? You had to say raw_input if you wanted it to be a string. In Python 3, raw_input became input, since that's usually what people want when they want input. Have some delicious water here. Anyway. Yeah. So that's no good, right? Well, junior dev Dave isn't gonna know any of that. He's just gonna work with this and be like, yeah, whatever. At work, he's not even going to notice this bug, right? Nothing wrong with that. We all have to learn at one point. But if we run this code, okay, if we run this... I am hilarious. Okay, so we run it, and when we do this we can put actual Python code here and run things on the system. Okay? And that's no good. So to give you an example, we could say something like, you know, one plus one, right? And it's going to run it, and it's gonna give us the last two lines because it evaluated that into two.
So let's see if we could do, like, let us do an import. I don't think so. I think it'll let us just do one expression, but we can do anything we wanted. Um, what's a good Python function to do? I guess we could actually do our own input if we wanted. We can say input, "give me your money". So, for... I am a four. I don't know, "I am a poor bird with no seeds, so hungry, please seeds". Okay, I don't know what I'm doing here, and it runs it. It's just gonna run it just like that, and we give it three and it'll give us the last three lines. We can run any Python code we want here, so not good. Okay, um, and the solution to this is super obvious. We would just say python3. You need to specify that; sometimes python does refer to Python 3, but the solution, what our senior dev is going to do here, right, is we want to make sure that we're actually running the right version of Python. And you might think, well, who's gonna think to run python -V? Well, a lot of people, because if you're using macOS, for example, the default Python is Python 2.7. Same thing if you're using older versions of Ubuntu; like, I think on Ubuntu 18, maybe 16, they were still using 2.7 as the default. Usually I just specify python3, and if I'm gonna say python on a new system, I'll usually just do python -V to make sure. So let's try python3 and run our same code and see what happens. view_logs.py, we'll say three lines, and it gives us an error. Well, time to fix that error. So let's go in here and we'll have to do exactly what we said, which is we'll convert this to an integer. Usually I use Vim, so I don't know how to get to the last line in this Micro editor, I mean, it's called Micro. Okay, so quit. Yes. And let's try it now. There we go. Now we can get the last three lines securely. Maybe it's secure; if I'm still doing something that you could find a way to exploit, I love hearing that.
Please tell me. But for now, um, I hope I've given you a taste of why Python 2 is not your friend. Thank you a lot for listening and have a wonderful... well, for me it's nighttime, but I hope you're having a wonderful night, day, afternoon, whatever it is where you are. Thanks a lot. Bye.
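The fixed version of the tail tool from the talk, written out as an added example (not the code from the video): it refuses to run under Python 2, where `input()` would eval the typed text, converts the answer with `int()` so "1+1" is rejected as text, and also catches the edge case the slice `logs[-n:]` has on its own, namely that n = 0 returns the whole file. The three log lines are constructed samples standing in for server.log; the file is kept Python 2 parseable on purpose so the version check is what fires there.

```python
#!/usr/bin/env python3
import sys

# Constructed sample lines standing in for the server.log used in the talk.
SAMPLE_LOG = (
    '10.0.0.1 - - [10/Oct/2000:13:55:36 -0700] "GET /index.html HTTP/1.0" 200 2326\n'
    '10.0.0.2 - - [10/Oct/2000:13:55:37 -0700] "GET /about.html HTTP/1.0" 200 1077\n'
    '10.0.0.3 - - [10/Oct/2000:13:55:38 -0700] "POST /login HTTP/1.0" 302 77\n'
)


def parse_line_count(raw):
    """Validate the answer to "how many lines?" as a positive integer.

    Python 3's input() returns text, and int() only accepts digits (plus
    surrounding whitespace and a sign), so an expression such as "1+1"
    raises ValueError instead of being evaluated as Python 2's input() did.
    """
    try:
        n = int(raw.strip())
    except ValueError:
        raise ValueError("expected a whole number, got %r" % (raw,))
    if n <= 0:
        # logs[-0:] is logs[0:], i.e. the entire file, so 0 must be rejected here.
        raise ValueError("line count must be positive, got %d" % n)
    return n


def last_n_lines(text, n):
    """Return the final n lines of text (all of them if it has fewer than n)."""
    lines = text.splitlines(True)  # keep line endings, like readlines()
    return lines[-n:]


def main(argv):
    # Stop before any input() call if the interpreter is not Python 3.
    if sys.version_info < (3,):
        sys.stderr.write("this tool requires python3 (run: python3 view_logs.py)\n")
        return 2
    raw = argv[1] if len(argv) > 1 else input("How many lines to read? ")
    try:
        n = parse_line_count(raw)
    except ValueError as exc:
        sys.stderr.write("error: %s\n" % exc)
        return 1
    sys.stdout.write("".join(last_n_lines(SAMPLE_LOG, n)))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```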

When you type `python` in the terminal on MacOS, you may not get what you expect.

@jesusvilla 2 years ago

The sound of me breathing in this is just so ominous lol, promise mic will be farther away next time!