@pavanw3b
Created April 18, 2026 07:53
Security Review: xploitAuthZ Django Application - April 18 2026

Security Review Report: xploitAuthZ Django Application

Repository: ../insecure-django/xploitAuthZ
Review Date: April 18, 2026
Commits Reviewed: 398a184, 9371a79


Executive Summary

This security review identified 6 security vulnerabilities in the recent commits for the xploitAuthZ Django todo application:

| Severity | Count |
|---|---|
| Critical | 1 |
| High | 2 |
| Medium | 2 |
| Low | 2 |

Findings Detail

1. Hardcoded Secret Key Exposed (CRITICAL)

| Attribute | Value |
|---|---|
| Severity | Critical |
| File | insecure_django/settings.py |
| Line | 24 |
| CWE ID | CWE-798 |

```python
SECRET_KEY = 'django-insecure-b0@$%a6ho7v2b(@_ac5xbduv$w@n3)bo!*g(0y6+dmj3ry8sm='
```

Impact: Session forgery, CSRF bypass, password reset compromise

Fix: Load the key from an environment variable (`os.environ.get('DJANGO_SECRET_KEY')`) and rotate it: the committed value stays in git history, so it has to be treated as compromised.


2. IDOR - Broken Access Control (HIGH)

| Attribute | Value |
|---|---|
| Severity | High |
| File | xploitAuthZ/views.py |
| Line | 9 |
| CWE ID | CWE-639 |

```python
def todo_list(request):
    todos = Todo.objects.all()  # BUG: All users can see ALL todos!
```

Impact: Any user can view/edit/delete ALL users' todos

Fix: `todos = Todo.objects.filter(user=request.user)`; apply the same owner filter in the edit and delete views (e.g. `get_object_or_404(Todo, pk=pk, user=request.user)`) so that object-level access is enforced, not just the list.


3. Debug Mode Enabled (HIGH)

| Attribute | Value |
|---|---|
| Severity | High |
| File | insecure_django/settings.py |
| Line | 27 |

```python
DEBUG = True
```

Fix: `DEBUG = os.environ.get('DEBUG', 'False').lower() == 'true'` (compare case-insensitively so the `'False'` default and values such as `True` are handled consistently)


4. Wildcard ALLOWED_HOSTS (HIGH)

| Attribute | Value |
|---|---|
| Severity | High |
| File | insecure_django/settings.py |
| Line | 29 |

```python
ALLOWED_HOSTS = ["*"]
```

Fix: `ALLOWED_HOSTS = ['yourdomain.com']` (list only the hostnames the application is actually served on)
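As an added example covering findings 1, 3 and 4 together (not the reviewed project's code): a fail-closed settings loader that refuses a missing or dev-generated SECRET_KEY, parses DEBUG strictly and rejects a wildcard in ALLOWED_HOSTS. The environment variable names DJANGO_SECRET_KEY, DJANGO_DEBUG and DJANGO_ALLOWED_HOSTS are assumptions.

```python
import os
import re
# Added example, not the reviewed project's code: a fail-closed loader for the
# three settings.py findings. The variable names DJANGO_SECRET_KEY, DJANGO_DEBUG
# and DJANGO_ALLOWED_HOSTS are assumptions.
# Hostname (optional leading "." for subdomains), dotted IPv4, or bracketed IPv6; "*" never matches.
_HOST_RE = re.compile(r"^(\.?[a-z0-9-]+(\.[a-z0-9-]+)*|\[[0-9a-f:.]+\])$", re.I)

class SettingsError(ValueError):
    """The environment would produce an insecure configuration."""

def load_secret_key(env):
    # Same thresholds Django's `manage.py check --deploy` warns about (security.W009).
    key = env.get("DJANGO_SECRET_KEY", "")
    if len(key) < 50 or key.startswith("django-insecure-"):
        raise SettingsError("DJANGO_SECRET_KEY missing, too short, or a generated dev key")
    return key

def load_debug(env):
    # Strict parse: an unrecognised value is an error rather than silently False.
    raw = env.get("DJANGO_DEBUG", "false").strip().lower()
    if raw in ("1", "true", "yes", "on"):
        return True
    if raw in ("", "0", "false", "no", "off"):
        return False
    raise SettingsError(f"DJANGO_DEBUG must be true or false, got {raw!r}")

def load_allowed_hosts(env, debug):
    hosts = [h.strip() for h in env.get("DJANGO_ALLOWED_HOSTS", "").split(",") if h.strip()]
    if not hosts:
        if debug:
            return ["localhost", "127.0.0.1"]  # local development only
        raise SettingsError("DJANGO_ALLOWED_HOSTS must be set when DEBUG is off")
    for host in hosts:
        if not _HOST_RE.match(host):  # rejects "*" and malformed entries
            raise SettingsError(f"refusing ALLOWED_HOSTS entry {host!r}")
    return hosts

def load_settings(env=os.environ):
    debug = load_debug(env)
    return {"SECRET_KEY": load_secret_key(env), "DEBUG": debug,
            "ALLOWED_HOSTS": load_allowed_hosts(env, debug)}

def config_problem(env):
    """Return the SettingsError message for env, or None when it is acceptable."""
    try:
        load_settings(env)
    except SettingsError as exc:
        return str(exc)
    return None
```

Call `load_settings()` at the top of settings.py; `config_problem()` is handy as a pre-deploy CI check against the target environment.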


5. Weak Abuse Word Filter (MEDIUM)

| Attribute | Value |
|---|---|
| Severity | Medium |
| File | xploitAuthZ/forms.py |
| Lines | 23-30 |

Simple substring matching can be bypassed with "stupi d" or "STUPID123"

Fix: Use a regex with word boundaries, compiled with `re.IGNORECASE` so case variants are also caught:

```python
r'\b(' + '|'.join(re.escape(w) for w in ABUSE_WORDS) + r')\b'
```


6. Unpinned Dependencies (MEDIUM)

| Attribute | Value |
|---|---|
| Severity | Medium |
| File | requirements.txt |

Fix: Pin versions: `django==4.2.9`, `requests==2.31.0`, etc.


Priority Fixes

  1. Fix IDOR (data breach risk)
  2. Move SECRET_KEY to env vars
  3. Disable DEBUG in production
  4. Configure ALLOWED_HOSTS explicitly
  5. Improve input validation
  6. Pin dependency versions

Report generated: April 18, 2026
