This security review analyzed the recent commits in the ~/git/pavanw3b/insecure-django/xploitAuthZ/ repository. The codebase contains intentionally vulnerable code designed to demonstrate security exploits. Several critical and high-severity security vulnerabilities were identified in the commit history.
Critical: 3
High: 1
Medium: 1
Low: 1
| File | Line | Severity |
|---|---|---|
| xploitPickl/views.py | ~27 | CRITICAL |
Description: The application uses pickle.loads() to deserialize user-controlled data from cookies without validation.
# Commit 92b781c - xploitPickl/views.py
user_cookie = b64decode(user_cookie)
user = pickle.loads(user_cookie, encoding='utf-8')Impact: Arbitrary code execution. An attacker can craft a malicious pickle payload that executes arbitrary OS commands when deserialized.
Recommended Fix: Never use pickle with untrusted data. Use JSON or Django's signed cookies instead.
| File | Line | Severity |
|---|---|---|
| serialize-deserialize-poc/attack.py | ~7 | CRITICAL |
Description: The repository contains actual working RCE exploit code:
# Commit 4b56209 - serialize-deserialize-poc/attack.py
class Exploit(object):
def __reduce__(self):
import os
return os.system, ("cat /etc/passwd",)Impact: Full system compromise.
Recommended Fix: Remove all PoC exploit code from production repositories.
| File | Line | Severity |
|---|---|---|
| xploitPickl/views.py | ~35 | CRITICAL |
Description: The vulnerable pattern uses pickle with base64 encoding:
response.set_cookie('user', b64encode(pickle.dumps(user)).decode("utf-8"))Impact: Remote code execution via cookie tampering.
Recommended Fix: Use Django's session framework or JSON serialization.
| File | Line | Severity |
|---|---|---|
| xploitAuthZ/views.py | 9 | HIGH |
Description: The todo_list view returns all todos without filtering by user:
@login_required
def todo_list(request):
todos = Todo.objects.all() # <-- Shows ALL users' todos!
return render(request, 'xploitAuthZ/todo_list.html', {'todos': todos})Impact: Any authenticated user can view all other users' private Todo items.
Recommended Fix: Filter by current user:
todos = Todo.objects.filter(user=request.user)| File | Line | Severity |
|---|---|---|
| xploitAuthZ/forms.py | 23-30 | MEDIUM |
Description: The abuse word filter uses simple substring matching:
def check_abuse(text):
text_lower = text.lower()
for word in ABUSE_WORDS:
if word in text_lower: # Simple substring match - easily bypassed
return True
return FalseBypasses:
- Character encoding:
st\u0075pid(Unicode escape) - Partials:
stupi+d - Obfuscation:
s-t-u-p-i-d
Recommended Fix: Use established libraries like better-profanity or implement proper text analysis.
| File | Line | Severity |
|---|---|---|
| models.py | - | LOW |
Description: The Todo model doesn't enforce any password complexity requirements.
Impact: Low (Django handles auth in core).
Recommended Fix: Use Django's built-in auth with password validation.
No requirements.txt was found in the current commit changes. For the full project, run:
pip check or safety check| Severity | Count |
|---|---|
| Critical | 3 |
| High | 1 |
| Medium | 1 |
| Low | 1 |
- Remove pickle deserialization - Replace with JSON or Django sessions
- Fix IDOR - Filter todos by authenticated user
- Remove exploit code - Delete PoC directories from repository
- 9371a79 Add xploitAuthZ to homepage, fix logout and template nesting issues
- 398a184 Add xploitAuthZ todo app with auth, abuse word filter
- 4b56209 Complete working RCE
- 92b781c Working django cookie pickle