Repository: ../insecure-django/xploitAuthZ
Review Date: April 18, 2026
Commits Reviewed: 398a184, 9371a79
This security review identified 6 security vulnerabilities in the recent commits for the xploitAuthZ Django todo application:

| Severity | Count |
|---|---|
| Critical | 1 |
| High | 2 |
| Medium | 2 |
| Low | 2 |

| Attribute | Value |
|---|---|
| Severity | Critical |
| File | insecure_django/settings.py |
| Line | 24 |
| CWE ID | CWE-798 |

```python
SECRET_KEY = 'django-insecure-b0@$%a6ho7v2b(@_ac5xbduv$w@n3)bo!*g(0y6+dmj3ry8sm='
```

Impact: Session forgery, CSRF bypass, password reset compromise

Fix: Use environment variable: `os.environ.get('DJANGO_SECRET_KEY')`

| Attribute | Value |
|---|---|
| Severity | High |
| File | xploitAuthZ/views.py |
| Line | 9 |
| CWE ID | CWE-639 |

```python
def todo_list(request):
    todos = Todo.objects.all()  # BUG: All users can see ALL todos!
```

Impact: Any user can view/edit/delete ALL users' todos

Fix: `todos = Todo.objects.filter(user=request.user)`

| Attribute | Value |
|---|---|
| Severity | High |
| File | insecure_django/settings.py |
| Line | 27 |

```python
DEBUG = True
```

Fix: `DEBUG = os.environ.get('DEBUG', 'False') == 'true'`

| Attribute | Value |
|---|---|
| Severity | High |
| File | insecure_django/settings.py |
| Line | 29 |

```python
ALLOWED_HOSTS = ["*"]
```

Fix: `ALLOWED_HOSTS = ['yourdomain.com']`
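The three settings findings above (hard-coded SECRET_KEY, DEBUG = True, ALLOWED_HOSTS = ["*"]) share one remediation pattern: read the value from the environment and refuse to start when a production-unsafe value would result. The block below is an added example, not code from the xploitAuthZ repository; the variable names DJANGO_SECRET_KEY, DJANGO_DEBUG and DJANGO_ALLOWED_HOSTS, the 50-character minimum (the length Django's own key generator produces) and the rejection of the "django-insecure-" startproject prefix are choices made here, and ImproperlyConfigured stands in for django.core.exceptions.ImproperlyConfigured so the snippet runs without Django installed.

```python
import os


class ImproperlyConfigured(Exception):
    """Stand-in for django.core.exceptions.ImproperlyConfigured (assumption)."""


def load_secret_key(env):
    """Require the key from the environment and reject obviously unsafe values."""
    key = env.get("DJANGO_SECRET_KEY", "")
    if len(key) < 50:  # Django's generated keys are 50 random characters
        raise ImproperlyConfigured("DJANGO_SECRET_KEY must be set and at least 50 characters")
    if key.startswith("django-insecure-"):
        # Prefix that `startproject` puts on its placeholder key; never deploy one.
        raise ImproperlyConfigured("refusing to run with a startproject placeholder SECRET_KEY")
    return key


def parse_debug(env):
    """DEBUG is off unless explicitly enabled; accepts 1/true/yes in any case."""
    return env.get("DJANGO_DEBUG", "0").strip().lower() in ("1", "true", "yes")


def parse_allowed_hosts(env, debug):
    """Comma-separated explicit host list; the '*' wildcard is only tolerated under DEBUG."""
    raw = env.get("DJANGO_ALLOWED_HOSTS", "")
    hosts = [h.strip() for h in raw.split(",") if h.strip()]
    if not debug and (not hosts or "*" in hosts):
        raise ImproperlyConfigured("DJANGO_ALLOWED_HOSTS must list explicit hosts when DEBUG is off")
    # Django itself allows localhost variants when DEBUG is on and the list is empty.
    return hosts or ["localhost", "127.0.0.1"]


def build_settings(env):
    """Return the three hardened values as a dict; settings.py would unpack them at module level."""
    debug = parse_debug(env)
    return {
        "SECRET_KEY": load_secret_key(env),
        "DEBUG": debug,
        "ALLOWED_HOSTS": parse_allowed_hosts(env, debug),
    }


if __name__ == "__main__":
    # Constructed environment for a local demonstration (not real credentials).
    demo_env = {
        "DJANGO_SECRET_KEY": "k" * 64,
        "DJANGO_DEBUG": "false",
        "DJANGO_ALLOWED_HOSTS": "todo.example.com, api.example.com",
    }
    print(build_settings(demo_env))
    print(build_settings(os.environ) if "DJANGO_SECRET_KEY" in os.environ else "DJANGO_SECRET_KEY not set")
```

In a real settings.py the module-level assignments would be `SECRET_KEY = load_secret_key(os.environ)` and so on; the point of failing at import time is that a missing or placeholder key surfaces on the first `manage.py` invocation rather than as a silently forgeable session cookie.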

| Attribute | Value |
|---|---|
| Severity | Medium |
| File | xploitAuthZ/forms.py |
| Lines | 23-30 |

Simple substring matching can be bypassed with "stupi d" or "STUPID123"

Fix: Use regex with word boundaries: `r'\b(' + '|'.join(re.escape(w) for w in ABUSE_WORDS) + r')\b'`
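To make the difference between the two matchers concrete, the block below runs the original-style substring check and the word-boundary regex from the fix over a few constructed inputs. This is an added example, not the forms.py code: the contents of ABUSE_WORDS are not shown on the page, so a two-word list is assumed, and `re.IGNORECASE` is added here so case variants like "STUPID!" are caught.

```python
import re

# Constructed list; the project's ABUSE_WORDS in forms.py is not reproduced on the page.
ABUSE_WORDS = ["stupid", "idiot"]

# Word-boundary pattern from the fix, compiled once; IGNORECASE is this example's addition.
ABUSE_RE = re.compile(
    r"\b(" + "|".join(re.escape(w) for w in ABUSE_WORDS) + r")\b",
    re.IGNORECASE,
)


def contains_abuse_substring(text):
    """Original-style check: case-sensitive substring test for each word."""
    return any(word in text for word in ABUSE_WORDS)


def contains_abuse_word(text):
    """Hardened check: whole-word match, case-insensitive."""
    return ABUSE_RE.search(text) is not None


def compare(samples):
    """Return {sample: (substring_result, regex_result)} for a list of inputs."""
    return {s: (contains_abuse_substring(s), contains_abuse_word(s)) for s in samples}


if __name__ == "__main__":
    # Constructed inputs covering the cases the finding mentions plus a false-positive case.
    for text, (sub, rx) in compare(["you are stupid", "STUPID!", "stupidity", "stupi d", "STUPID123"]).items():
        print(f"{text!r:18} substring={sub!s:5} regex={rx!s:5}")
```

Running it shows what the regex buys and what it does not: "STUPID!" is now caught, and "stupidity" is no longer a false positive. "stupi d" evades both checks, and "STUPID123" evades the regex as well because digits are word characters so no `\b` falls between "D" and "1"; handling those variants needs input normalization (collapsing spaces, splitting on non-letters) before matching, which is a separate decision from the word-boundary fix.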

| Attribute | Value |
|---|---|
| Severity | Medium |
| File | requirements.txt |

Fix: Pin versions: `django==4.2.9`, `requests==2.31.0`, etc.

- Fix IDOR (data breach risk)
- Move SECRET_KEY to env vars
- Disable DEBUG in production
- Configure ALLOWED_HOSTS explicitly
- Improve input validation
- Pin dependency versions

Report generated: April 18, 2026