This security review analyzed recent commits in the insecure-django/xploitAuthZ repository. The codebase appears to be intentionally vulnerable for educational/demonstration purposes (exploitation training). Several security vulnerabilities were identified across different modules.
File: xploitAuthZ/views.py (Line 18 in earlier commit)
Commit: 398a184
Issue: The todo_list view was initially fetching ALL todos instead of filtering by the current user.
Code (before fix):
def todo_list(request):
todos = Todo.objects.all() # Exposes all users' todos!
return render(request, 'xploitAuthZ/todo_list.html', {'todos': todos})Recommended Fix:
def todo_list(request):
todos = Todo.objects.filter(user=request.user)
return render(request, 'xploitAuthZ/todo_list.html', {'todos': todos})Status: Fixed in later commit.
File: xploitSOP_CORS_CSRF/views.py (Lines 6-8)
Severity: Medium
Issue: Hardcoded test credentials in source code.
Code:
TEST_USERNAME = "test"
TEST_PASSWORD = "test"
RANDOM_SESSION_ID = "1337"Recommended Fix: Use environment variables or a secure configuration:
import os
TEST_USERNAME = os.environ.get('TEST_USERNAME', 'test')
TEST_PASSWORD = os.environ.get('TEST_PASSWORD', 'test')File: xploitSOP_CORS_CSRF/views.py (Line 86)
Commit: Various
Issue: The @csrf_exempt decorator was added to chg_pwd_post, removing CSRF protection.
Code:
@csrf_exempt
def chg_pwd_post(request):Recommended Fix: Remove @csrf_exempt unless absolutely necessary, and implement proper CSRF token validation.
File: xploitSOP_CORS_CSRF/views.py (Lines 23-24)
Issue: Static session cookie with insecure flags.
Code:
response.set_cookie(SESSION_COOKIE_NAME, RANDOM_SESSION_ID, httponly=False, secure=False)
response.set_cookie(SESSION_USER_NAME, TEST_USERNAME, httponly=False, secure=False)Recommended Fix:
response.set_cookie(
SESSION_COOKIE_NAME,
RANDOM_SESSION_ID,
httponly=True,
secure=True,
samesite='Strict'
)File: xploitpp/views.py (Line 19)
Issue: Use of shell=True in subprocess.
Code:
subprocess.Popen('whoami', shell=True)Recommended Fix: Use subprocess with argument list:
subprocess.Popen(['whoami'])File: xploitSOP_CORS_CSRF/views.py (Lines 185, 198)
Issue: Wildcard origin with credentials allowed.
Code:
response["Access-Control-Allow-Origin"] = "*"
response["Access-Control-Allow-Credentials"] = "true"Recommended Fix: Never use wildcard * with Access-Control-Allow-Credentials. Use specific origins:
response["Access-Control-Allow-Origin"] = "https://trusted-domain.com"File: prototype-poc/solutions.py
Issue: Contains solutions demonstrating prototype pollution attacks.
Note: This appears to be intentional for educational purposes (exploitation demos).
Requirements: beautifulsoup4, pycurl
Status: Standard libraries with no known critical vulnerabilities in recent versions.
| Severity | Count |
|---|---|
| Critical | 1 |
| High | 3 |
| Medium | 2 |
| Low | 0 |
This repository appears to be intentionally insecure for security education/training purposes (demonstrating web vulnerabilities). All identified vulnerabilities are exploitable and should only be used in controlled demo environments, NOT in production systems.
If this code is intended for educational purposes, the current implementation is effective for demonstrating:
- IDOR vulnerabilities
- CSRF attacks
- CORS misconfigurations
- Session management issues
- Prototype pollution concepts