Skip to content

Instantly share code, notes, and snippets.

@pavanw3b
Created April 17, 2026 13:59
Show Gist options
  • Select an option

  • Save pavanw3b/39a19d66bd050118ba853c8712a105cd to your computer and use it in GitHub Desktop.

Select an option

Save pavanw3b/39a19d66bd050118ba853c8712a105cd to your computer and use it in GitHub Desktop.
Security Review Report - xploitAuthZ

Security Review Report: xploitAuthZ Django Application

Executive Summary

This security review analyzed the recent commits in the ~/git/pavanw3b/insecure-django/xploitAuthZ/ repository. The codebase contains intentionally vulnerable code designed to demonstrate security exploits. Several critical and high-severity security vulnerabilities were identified in the commit history.

Critical: 3
High: 1
Medium: 1
Low: 1


Vulnerabilities Found

1. Deserialization Vulnerability (CRITICAL)

File Line Severity
xploitPickl/views.py ~27 CRITICAL

Description: The application uses pickle.loads() to deserialize user-controlled data from cookies without validation.

# Commit 92b781c - xploitPickl/views.py
user_cookie = b64decode(user_cookie)
user = pickle.loads(user_cookie, encoding='utf-8')

Impact: Arbitrary code execution. An attacker can craft a malicious pickle payload that executes arbitrary OS commands when deserialized.

Recommended Fix: Never use pickle with untrusted data. Use JSON or Django's signed cookies instead.


2. Command Injection / RCE Exploit Code (CRITICAL)

File Line Severity
serialize-deserialize-poc/attack.py ~7 CRITICAL

Description: The repository contains actual working RCE exploit code:

# Commit 4b56209 - serialize-deserialize-poc/attack.py
class Exploit(object):
    def __reduce__(self):
        import os
        return os.system, ("cat /etc/passwd",)

Impact: Full system compromise.

Recommended Fix: Remove all PoC exploit code from production repositories.


3. Insecure Deserialization Pattern (CRITICAL)

File Line Severity
xploitPickl/views.py ~35 CRITICAL

Description: The vulnerable pattern uses pickle with base64 encoding:

response.set_cookie('user', b64encode(pickle.dumps(user)).decode("utf-8"))

Impact: Remote code execution via cookie tampering.

Recommended Fix: Use Django's session framework or JSON serialization.


4. Insecure Direct Object Reference (IDOR) - Information Disclosure (HIGH)

File Line Severity
xploitAuthZ/views.py 9 HIGH

Description: The todo_list view returns all todos without filtering by user:

@login_required
def todo_list(request):
    todos = Todo.objects.all()  # <-- Shows ALL users' todos!
    return render(request, 'xploitAuthZ/todo_list.html', {'todos': todos})

Impact: Any authenticated user can view all other users' private Todo items.

Recommended Fix: Filter by current user:

todos = Todo.objects.filter(user=request.user)

5. Bypassable Word Filter (MEDIUM)

File Line Severity
xploitAuthZ/forms.py 23-30 MEDIUM

Description: The abuse word filter uses simple substring matching:

def check_abuse(text):
    text_lower = text.lower()
    for word in ABUSE_WORDS:
        if word in text_lower:  # Simple substring match - easily bypassed
            return True
    return False

Bypasses:

  • Character encoding: st\u0075pid (Unicode escape)
  • Partials: stupi + d
  • Obfuscation: s-t-u-p-i-d

Recommended Fix: Use established libraries like better-profanity or implement proper text analysis.


6. Weak Password Handling (LOW)

File Line Severity
models.py - LOW

Description: The Todo model doesn't enforce any password complexity requirements.

Impact: Low (Django handles auth in core).

Recommended Fix: Use Django's built-in auth with password validation.


Dependency Vulnerabilities

No requirements.txt was found in the current commit changes. For the full project, run:

pip check or safety check

Summary

Severity Count
Critical 3
High 1
Medium 1
Low 1

Top 3 Priority Fixes:

  1. Remove pickle deserialization - Replace with JSON or Django sessions
  2. Fix IDOR - Filter todos by authenticated user
  3. Remove exploit code - Delete PoC directories from repository

Reviewed Commits

  • 9371a79 Add xploitAuthZ to homepage, fix logout and template nesting issues
  • 398a184 Add xploitAuthZ todo app with auth, abuse word filter
  • 4b56209 Complete working RCE
  • 92b781c Working django cookie pickle
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment