Skip to content

Instantly share code, notes, and snippets.

@pavanw3b

pavanw3b/security_review_report.md

Created April 18, 2026 01:53
Show Gist options

  • Select an option

    Learn more about clone URLs
  • Save pavanw3b/d7e38fc4aba02da07eae4ddd417ca85e to your computer and use it in GitHub Desktop.

Select an option

Learn more about clone URLs
Save pavanw3b/d7e38fc4aba02da07eae4ddd417ca85e to your computer and use it in GitHub Desktop.
Download ZIP
Security Review Report - insecure-django
Raw
security_review_report.md

Security Review Report - insecure-django

Summary of Findings

This security review identified 10 critical/high severity vulnerabilities across recent commits in the insecure-django repository. The codebase appears to be intentionally insecure for educational/demonstration purposes (demonstrating various web vulnerabilities), but if deployed in production, these would pose severe security risks.

Critical Vulnerabilities

1. Command Injection via os.system()

File: xploitSOP_CORS_CSRF/views.py
Line: 47
Severity: CRITICAL

Description:
The application executes user-controlled input directly in the operating system shell without sanitization.

Code:

os.system(body["instructions"])

Impact: Remote code execution. Attacker can execute arbitrary commands on the server.

Recommendation: Never pass user input to shell commands. Use subprocess with argument lists and shell=False.

2. Command Injection via subprocess.Popen with shell=True

File: xploitpp/views.py
Line: 19
Severity: CRITICAL

Description:
Shell command injection vulnerability in the prototype pollution demo endpoint.

Code:

subprocess.Popen('whoami', shell=True)

Impact: Remote code execution.

Recommendation: Use subprocess.run() with shell=False and pass arguments as a list.

3. Hardcoded Django SECRET_KEY

File: insecure_django/settings.py
Line: 24
Severity: CRITICAL

Description:
Hardcoded Django secret key exposed in source code.

Code:

SECRET_KEY = 'django-insecure-b0@$%a6ho7v2b(@_ac5xbduv$w@n3)bo!*g(0y6+dmj3ry8sm='

Impact: Session hijacking, potential RCE via password reset tokens, CSRF bypass.

Recommendation: Use environment variables or a secrets management system:

SECRET_KEY = os.environ.get('DJANGO_SECRET_KEY')

4. Hardcoded API Token

File: xploitSSRF/views.py
Line: 83
Severity: CRITICAL

Description:
Hardcoded API token exposed in source code.

Code:

return JsonResponse({"token": "u4PHVXvAzhF5TA6stkbWFkFviKVMsJxc9"})

Impact: Unauthorized API access if token is guessed or leaked.

Recommendation: Store tokens in environment variables, never hardcode in source.

High Severity Vulnerabilities

5. Hardcoded Credentials

File: xploitSOP_CORS_CSRF/views.py
Lines: 7-8
Severity: HIGH

Description:
Test credentials hardcoded in production code.

Code:

TEST_USERNAME = "test"
TEST_PASSWORD = "test"

Impact: Unauthorized access to application.

Recommendation: Remove test credentials from production code or use proper authentication.

6. Static Session IDs

File: xploitSOP_CORS_CSRF/views.py
Lines: 9-10, 23-24
Severity: HIGH

Description:
Using predictable static session identifier instead of secure random tokens.

Code:

RANDOM_SESSION_ID = "1337"
response.set_cookie(SESSION_COOKIE_NAME, RANDOM_SESSION_ID, httponly=False, secure=False)

Impact: Session hijacking, session prediction attacks.

Recommendation: Use Django's built-in session framework with secure settings.

7. Insecure Cookie Settings

File: xploitSOP_CORS_CSRF/views.py
Lines: 23-24
Severity: HIGH

Description:
Session cookies set without secure and httponly flags.

Code:

response.set_cookie(SESSION_COOKIE_NAME, RANDOM_SESSION_ID, httponly=False, secure=False)
response.set_cookie(SESSION_USER_NAME, TEST_USERNAME, httponly=False, secure=False)

Impact: XSS cookie theft, man-in-the-middle attacks on HTTP connections.

Recommendation: Enable secure and httponly flags:

response.set_cookie(..., httponly=True, secure=True, samesite=Strict)

8. CORS Misconfiguration - Credentials with Wildcard Origin

File: xploitSOP_CORS_CSRF/views.py
Lines: 185-186, 193-194
Severity: HIGH

Description:
CORS allows credentials with wildcard origin, which is insecure.

Code:

response["Access-Control-Allow-Origin"] = "*"
response["Access-Control-Allow-Credentials"] = "true"

Impact: Enables cross-origin attacks, violates CORS specification.

Recommendation: Never use "*" origin with credentials. Explicitly whitelist origins.

9. Debug Mode Enabled

File: insecure_django/settings.py
Line: 27
Severity: HIGH

Description:
Django debug mode is enabled.

Code:

DEBUG = True

Impact: Information disclosure, stack traces, full error pages leak sensitive details.

Recommendation: Set DEBUG = False in production.

10. ALLOWED_HOSTS Wildcard

File: insecure_django/settings.py
Line: 29
Severity: HIGH

Description:
Allowing all hosts in production.

Code:

ALLOWED_HOSTS = ["*"]

Impact: Host header attacks, cache poisoning.

Recommendation: Specify exact allowed hosts:

ALLOWED_HOSTS = [example.com, www.example.com]

Medium Severity Vulnerabilities

11. CSRF Protection Disabled

File: xploitSOP_CORS_CSRF/views.py
Line: 30 (decorator)
Severity: MEDIUM

Description:
CSRF protection disabled via @csrf_exempt on sensitive endpoints.

Code:

@csrf_exempt
def run(request):

Impact: Cross-site request forgery attacks possible.

Recommendation: Use CSRF protection for state-changing operations.

12. Pickle Deserialization (Intentional POC)

File: xploitPickl/views.py
Severity: MEDIUM

Description:
Uses pickle.loads() on user-controlled data (demonstrating deserialization vulnerability).

Recommendation: This appears intentional for educational purposes. If not, use JSON for serialization.

13. SSRF via URL Loading (Intentional POC)

File: xploitSSRF/views.py
Severity: MEDIUM

Description:
User-controlled URL parameters passed to URL fetching functions (demonstrating SSRF).

Recommendation: This appears intentional for educational purposes. Implement proper URL validation if used in production.

Dependency Vulnerabilities

14. Unpinned Dependencies

File: requirements.txt
Severity: MEDIUM

Description:
Dependencies are not pinned to specific versions.

Code:

beautifulsoup4
pycurl
django
requests

Impact: Potential for dependency confusion attacks, incompatible version issues.

Recommendation: Pin versions:

beautifulsoup4==4.12.2
pycurl==7.45.1
django==4.2.30
requests==2.31.0

Summary Table

# Vulnerability File Line Severity
1 Command Injection (os.system) xploitSOP_CORS_CSRF/views.py 47 CRITICAL
2 Command Injection (subprocess) xploitpp/views.py 19 CRITICAL
3 Hardcoded SECRET_KEY insecure_django/settings.py 24 CRITICAL
4 Hardcoded API Token xploitSSRF/views.py 83 CRITICAL
5 Hardcoded Credentials xploitSOP_CORS_CSRF/views.py 7-8 HIGH
6 Static Session ID xploitSOP_CORS_CSRF/views.py 9-10 HIGH
7 Insecure Cookie Settings xploitSOP_CORS_CSRF/views.py 23-24 HIGH
8 CORS Misconfiguration xploitSOP_CORS_CSRF/views.py 185-186 HIGH
9 Debug Mode Enabled insecure_django/settings.py 27 HIGH
10 ALLOWED_HOSTS Wildcard insecure_django/settings.py 29 HIGH
11 CSRF Disabled xploitSOP_CORS_CSRF/views.py 30 MEDIUM
12 Unpinned Dependencies requirements.txt - MEDIUM

Recommended Fixes

  1. Environment-based secrets: Move all secrets to environment variables
  2. Use subprocess properly: Never use shell=True with user input
  3. Enable security settings: Set DEBUG=False, configure ALLOWED_HOSTS
  4. Secure cookies: Enable httponly, secure, samesite flags
  5. Fix CORS: Use specific allowed origins, not wildcards
  6. Pin dependencies: Use exact versions in requirements.txt
  7. Use Django sessions: Leverage built-in secure session management
  8. Enable CSRF protection: Remove @csrf_exempt from sensitive endpoints

Report generated: 2026-04-18 Repository: ../insecure-django/

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment