@pavanw3b
Created April 17, 2026 11:53
Security Review Report - insecure-django/xploitAuthZ

Security Review Report

Repository: insecure-django/xploitAuthZ

Date: 2026-04-17

Summary

This security review analyzed recent commits in the insecure-django/xploitAuthZ repository. The codebase appears to be intentionally vulnerable for educational/demonstration purposes (exploitation training). Several security vulnerabilities were identified across different modules.


Findings

1. IDOR (Insecure Direct Object Reference) - High

File: xploitAuthZ/views.py (Line 18 in earlier commit)
Commit: 398a184
Issue: The todo_list view was initially fetching ALL todos instead of filtering by the current user.

Code (before fix):

def todo_list(request):
    todos = Todo.objects.all()  # Exposes all users' todos!
    return render(request, 'xploitAuthZ/todo_list.html', {'todos': todos})

Recommended Fix:

def todo_list(request):
    todos = Todo.objects.filter(user=request.user)
    return render(request, 'xploitAuthZ/todo_list.html', {'todos': todos})

Status: Fixed in later commit.


2. Hardcoded Credentials - Medium

File: xploitSOP_CORS_CSRF/views.py (Lines 6-8)
Severity: Medium
Issue: Hardcoded test credentials in source code.

Code:

TEST_USERNAME = "test"
TEST_PASSWORD = "test"
RANDOM_SESSION_ID = "1337"

Recommended Fix: Use environment variables or a secure configuration:

import os

# Read from the environment and fail at startup if unset,
# rather than falling back to a literal kept in source.
TEST_USERNAME = os.environ['TEST_USERNAME']
TEST_PASSWORD = os.environ['TEST_PASSWORD']

3. CSRF Protection Removed - High

File: xploitSOP_CORS_CSRF/views.py (Line 86)
Commit: Various
Issue: The @csrf_exempt decorator was added to chg_pwd_post, removing CSRF protection.

Code:

@csrf_exempt
def chg_pwd_post(request):
    ...  # view body not shown in this report

Recommended Fix: Remove @csrf_exempt unless absolutely necessary, and implement proper CSRF token validation.


4. Weak Session Management - High

File: xploitSOP_CORS_CSRF/views.py (Lines 23-24)
Issue: Static session cookie with insecure flags.

Code:

response.set_cookie(SESSION_COOKIE_NAME, RANDOM_SESSION_ID, httponly=False, secure=False)
response.set_cookie(SESSION_USER_NAME, TEST_USERNAME, httponly=False, secure=False)

Recommended Fix:

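import secrets

# Issue a fresh, unpredictable ID per login and store it server-side;
# a constant such as RANDOM_SESSION_ID is the same for every session.
session_id = secrets.token_urlsafe(32)
response.set_cookie(
    SESSION_COOKIE_NAME,
    session_id,
    httponly=True,
    secure=True,
    samesite='Strict'
)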

5. Command Injection Risk - Critical

File: xploitpp/views.py (Line 19)
Issue: Use of shell=True in subprocess.

Code:

subprocess.Popen('whoami', shell=True)

Recommended Fix: Use subprocess with argument list:

subprocess.Popen(['whoami'])

6. CORS Misconfiguration - High

File: xploitSOP_CORS_CSRF/views.py (Lines 185, 198)
Issue: Wildcard origin with credentials allowed.

Code:

response["Access-Control-Allow-Origin"] = "*"
response["Access-Control-Allow-Credentials"] = "true"

Recommended Fix: Never use wildcard * with Access-Control-Allow-Credentials. Use specific origins:

response["Access-Control-Allow-Origin"] = "https://trusted-domain.com"
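When more than one origin must be trusted, the usual pattern is an exact-match allowlist that echoes the validated origin and sets Vary: Origin. The following is an added example, not code from the reviewed repository; ALLOWED_ORIGINS, normalize_origin and cors_headers are hypothetical names, and the second allowlisted origin is constructed for illustration.

```python
from urllib.parse import urlsplit

# Assumed allowlist for illustration; replace with the deployment's real origins.
ALLOWED_ORIGINS = frozenset({
    "https://trusted-domain.com",
    "https://app.trusted-domain.com",
})


def normalize_origin(origin):
    """Return scheme://host[:port] in canonical form, or None if malformed."""
    if not origin or origin == "null":
        return None  # absent header or opaque origin: never trusted
    try:
        parts = urlsplit(origin)
        port = parts.port  # raises ValueError on a bad or out-of-range port
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    # An Origin header never carries a path, query, fragment or userinfo.
    if parts.path or parts.query or parts.fragment or "@" in parts.netloc:
        return None
    default = {"http": 80, "https": 443}[parts.scheme]
    host = parts.hostname  # already lowercased by urlsplit
    if port is None or port == default:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def cors_headers(origin, allowed=ALLOWED_ORIGINS):
    """Headers to add to a credentialed response for the given Origin header."""
    # Vary keeps shared caches from replaying one origin's answer to another.
    headers = {"Vary": "Origin"}
    normalized = normalize_origin(origin)
    # Exact set membership only: no substring, prefix or suffix matching.
    if normalized in allowed:
        headers["Access-Control-Allow-Origin"] = normalized
        headers["Access-Control-Allow-Credentials"] = "true"
    return headers
```

In a Django view, the returned dictionary would be copied onto the response object, with `request.headers.get("Origin")` as the input.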

7. Prototype Pollution POC - Educational

File: prototype-poc/solutions.py
Issue: Contains solutions demonstrating prototype pollution attacks.
Note: This appears to be intentional for educational purposes (exploitation demos).


8. No Dependency Vulnerabilities Found

Requirements: beautifulsoup4, pycurl
Status: Commonly used third-party libraries with no known critical vulnerabilities in recent versions.


Risk Assessment Summary

Severity Count
Critical 1
High 3
Medium 2
Low 0

Conclusion

This repository appears to be intentionally insecure for security education/training purposes (demonstrating web vulnerabilities). All identified vulnerabilities are exploitable, so the code should only be run in controlled demo environments, NOT in production systems.

If this code is intended for educational purposes, the current implementation is effective for demonstrating:

  • IDOR vulnerabilities
  • CSRF attacks
  • CORS misconfigurations
  • Session management issues
  • Prototype pollution concepts