netspi / django.nv
Vulnerable Django Application
License: GNU General Public License v2.0
Integrate XSS somehow. Stored XSS is probably relatively easy, just avoid validating on the outputted variable
Allows the user to change their username and password
Show a username and password text box and let the user login with their credentials. Incorporate login vulnerabilities ... SQL Injection
Convert manage_groups, manage_projects, and manage_tasks to use base_backend.html template. Cleanup look and feel.
Here are a few issues I noticed with the tutorials.
SQLi: Solution only seems to cover secure file creation. It does not provide mitigation techniques for SQLi.
IDOR: doesn't leverage syntax highlighting for the code snippets.
Components: Lacks linebreaks and formatting.
CSRF: Lacks formatting
Relatively easy to implement with some sort of dummy API within the app. Otherwise, could also work as some unprotected account action
Could be in the form of poor password hashing, enumeration on a password recovery form, weak tokens for password recovery, etc.
Hi All,
I would like to see a password reset mechanism that generates a SecureRandom 6 digit token, and sends that via out-of-band communication (email). This token will be used to verify a user's identity before allowing them to change the password. This token should last for 10 minutes before expiring.
The idea is that we can use this to train developers on the idea of distributed attacks. For example, even though the token is distributed out of band, it still lacks the required keyspace to make it considered cryptographically random. We can leverage this to enumerate the entire keyspace of the token, to reset a victim's password.
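The defensive counterpart of the token design described in this issue, as an added example (not code from django.nV): a 6-digit token drawn from the OS CSPRNG has only 10^6 possible values, so the store below pairs it with the 10-minute expiry and a bounded attempt budget, which is what stops the whole keyspace from being tried. The class name, attempt limit and the injectable clock are assumptions for illustration.

```python
import hmac
import secrets
import time

TOKEN_DIGITS = 6          # keyspace is 10**6, far too small to rely on alone
TOKEN_TTL_SECONDS = 600   # 10 minutes, as specified in the issue
MAX_ATTEMPTS = 5          # hypothetical budget; exhausted tokens are discarded


class ResetTokenStore:
    """In-memory reset-token store keyed by user id (a real app would persist this)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._tokens = {}        # user_id -> [token, expires_at, attempts_left]

    def issue(self, user_id):
        # secrets.randbelow uses the OS CSPRNG; zero-pad to a fixed width
        token = f"{secrets.randbelow(10 ** TOKEN_DIGITS):0{TOKEN_DIGITS}d}"
        self._tokens[user_id] = [token, self._now() + TOKEN_TTL_SECONDS, MAX_ATTEMPTS]
        return token  # delivered out of band (email); never echoed to the browser

    def verify(self, user_id, candidate):
        entry = self._tokens.get(user_id)
        if entry is None:
            return False
        token, expires_at, attempts_left = entry
        if self._now() > expires_at or attempts_left <= 0:
            self._tokens.pop(user_id, None)   # expired or exhausted: throw it away
            return False
        entry[2] -= 1                          # every guess costs one attempt
        # constant-time comparison so timing does not leak matching prefixes
        if hmac.compare_digest(token, str(candidate)):
            self._tokens.pop(user_id, None)   # single use
            return True
        if entry[2] == 0:
            self._tokens.pop(user_id, None)   # budget spent: a new token must be issued
        return False
```

Without the attempt budget, the expiry alone leaves a 10-minute window in which 10^6 guesses are entirely practical.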
Would also be worth checking how secure Django is out of the box, with regards to its configuration
Projects can currently be created, but there is not much high level control over editing or deleting projects. Implement this functionality and incorporate it with the current tasks feature.
Permissions should be based around roles, such as admin, project manager, or team member. Each role will have a set of actions they can perform, and a set of data they can view
Could possibly look at the password hashing algorithm being used, or use MD5 or some other weak hash for token generation somewhere.
Tasks can currently be created, but cannot be edited or deleted. Task "% completed" is also not editable currently.
Also, allow the creation of notes attached to the different tasks
Display current profile picture on the edit profile page.
Page where admin has the ability to change the roles of other admins, project managers and team members.
Clean up some inconsistencies in the code. At first glance:
Unauthenticated users can see the status of a project without specific task details. Shows the title of the project and the percentage of tasks completed.
Integrate injection into the application somehow. Might be hard to do SQL injection, so maybe make a call out to the OS or email injection?
Not sure if this is part of the challenge and I'm just not getting it, but when I spin this up locally after populating the db I'm unable to register. There is no default value for the user_permissions form field, causing the post to fail silently.
Greetings,
I'm prepping for teaching a course on Python web development to begin in about 8 weeks. I would like very much to use this repository in a series of assignments about OWASP vulnerabilities. I want to start here by thanking you for making it available.
That being said, I'm noticing some issues that make it hard to use as a teaching tool.
One first example involves the Broken Authentication and Session Management tutorial step. In the text describing the bug the problem is described as an incomplete blacklist for form fields that omits is_superuser. However, that's not actually the problem present in the user registration form which appears instead to be the 'inadvertent' inclusion of the user_permissions field in the form whitelist.
I think the incomplete blacklist problem is a better example, as allowing someone to assign themselves superuser status is a much clearer vulnerability to demonstrate than allowing them to get permissions they should not have. Is it possible to revert to using the blacklist problem instead? If not, can the description of the bug be updated to align correctly with the reality of the app vulnerability?
I'm still looking over other tutorial steps to see if I can find any other such issues. Thanks very much for any attention you can give to this issue. I certainly hope that development is ongoing and that this input is welcomed.
Add the ability for users to set and change their profile pictures. There's already existing file upload code for projects, so port it over
Add the project completion ETA and the ability to add notes or mark tasks as completed
After login as Team Member you can see the projects you are assigned to and the tasks you have to complete. You can comment on the tasks but not edit them in any way.
Implement task + project searches.
To begin with I want to thank you for your work on developing this vulnerable django application.
It is really helpful for me.
However, I have spent a lot of time trying to make the sql injection via file upload work without any success. I have used the recommended 1.8.3 version of Django and a series of Python 3.4+ versions without any success. It accepts the file upload but it returns nothing with the filename testPic',(select password from auth_user where username='admin'),8);--
What is more, I tried to get the password by executing directly sql, but I have found no way to crack the MD5 password in this format [for example: md5$c77N8n6nJPb1$3b35343aac5e46740f6e673521aa53dc]. It appears not recognizable by every tool that I know of. I suppose it is $md5(salt)$md5(pass), isn't it?
Any help will be very much appreciated.
Thank you in advance!
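On the format question in the post above: the stored value is Django's "algorithm$salt$hash" string, and for the md5 hasher the hash is md5 over the salt concatenated with the password, not md5(salt)$md5(pass). The added example below (not django.nV code) parses that layout, reproduces MD5PasswordHasher.encode() so the reader can confirm the format, and flags legacy hashers that should be migrated to Django's default; the weak-hasher list and the constructed salt and password are assumptions.

```python
import hashlib

# Hashers Django keeps only for backward compatibility; none should be the default
WEAK_HASHERS = {"md5", "unsalted_md5", "sha1", "unsalted_sha1", "crypt"}


def parse_django_hash(encoded):
    """Split a Django password field into (algorithm, salt, hash)."""
    parts = encoded.split("$")
    if len(parts) != 3:
        raise ValueError("unexpected Django password format: %r" % encoded)
    algorithm, salt, digest = parts
    return algorithm, salt, digest


def md5_hasher_encode(password, salt):
    """Same computation as django.contrib.auth.hashers.MD5PasswordHasher.encode():
    md5(salt + password), hex-encoded, prefixed with the algorithm and salt."""
    digest = hashlib.md5((salt + password).encode()).hexdigest()
    return "md5$%s$%s" % (salt, digest)


def audit_password_field(encoded):
    """Report the hasher in use and whether it is on the legacy list."""
    algorithm, _, _ = parse_django_hash(encoded)
    return {"algorithm": algorithm, "weak": algorithm in WEAK_HASHERS}


if __name__ == "__main__":
    # constructed sample, not a hash from the django.nV fixtures
    sample = md5_hasher_encode("swordfish", "abc123XYZ")
    print(sample, audit_password_field(sample))
```

Running the audit over every auth_user row is the check a reviewer would add before shipping: any row flagged weak gets re-hashed on the user's next login, which Django does automatically once the default hasher is changed.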
Thanks to the virtualenv, you could force an old and known vulnerable version of some library to be installed. Also, could use the requirements.txt file to demonstrate the importance of making sure systems are updated.
While I don't know if demonstrating how to make a hackable Django site is a good or bad thing, I do know that the only place in the codebase where I'm explicitly told this is purposefully insecure is at the top of the README. While the other files may have 'insecure' spelled out in comments, there is no disclaimer at the top of each file.
From personal experience, if you post examples of bad code that shouldn't be used, it needs to be abundantly clear that this is the case. Otherwise people will find this code through searches, and implement it.
Please, please, please add an explicit warning at the top of each file.
Relatively easy to implement, simply don't validate user permissions on some pages or actions.
After login as a project manager all your projects are viewed and you can edit them. You also have the option to edit the project and add or remove team members.
I would love to make django.nV part of the w3af test suite. This would help improve the scanner by making sure all the vulnerabilities in this application are identified by it on every push to the w3af repository. In order to do that I need django.nV running inside a docker image.
Other users will also benefit from this since they don't need to install any software (other than docker that they most likely already have) in their workstations, they just run:
docker run -it -p 8000:8000 --rm nVisium/django.nV
And they have a running django application on 127.0.0.1:8000
Project completion percentage needs to be calculated on the project details page.
For Grails.nV, I used an optional redirect to take you back to the last page after login. That would be pretty straightforward to implement and is also something easy to overlook on production websites
Add ability to complete task and link to add notes to the task
Upon submission of new user details (clicking "Register" button) I get the following error:
Forbidden (403)
CSRF verification failed. Request aborted.
Help
Reason given for failure:
CSRF token missing or incorrect.
I have tried various options but none of them seemed to have worked.
I have only tried registering for a new user because I could not find passwords for the ones you have pre-configured - that would have solved my problem if you included passwords of pre-configured users somewhere in the docs.
Implement role based access control functionality, including admin, project_manager, & team_member roles. Migrate manage_groups view and template to use base_backend.html. Finally, user should be admin or project manager to be able to delete or edit a project or delete associated tasks.
I could imagine something like this as just not validating that the user is allowed to access a task page on a project they don't own, or something similar.
Shows all active projects, have option to create new projects and edit current ones. Admin can add or remove project managers and team members from projects