Collaborate Disseminate
I have a startup working on Django app, that will be processing sensitive personal and financial information. We’re just finalizing a prototype of the product (no paying clients, no investors), so we’re under-staffed on a lim… Continue reading VPN as a temporary layer of security?
During a penetration test, I found server side template injection in a Django application that sends templated emails. As far as I can tell, apart from some sensitive information disclosure (thanks to {% debug %} ) and the po… Continue reading Can server side template injection lead to RCE or other severe consquences in Django?
I’d like to redirect a visitor to the login page if he’s not authenticated and she/he wants to access a protected page.
I can handle this via the backend code, but it’s easier to make it using HTML. My question is: Is it secu… Continue reading Is <meta> http-equiv secure?
I am new to Django and I am working on a website, where you can filter some articles using a normal GET url query string param. Theese params can be made from some input fields. I have found two different ways to approach thi… Continue reading URL query string params Django security
I am trying to fix this finding on my django application but I can’t seem to find resources to read on.
I am already using daemon mode. Besides that, what other items shall I do to make the app protected from buffer overflo… Continue reading how to prevent buffer overflow on apache mod_wsgi
My Django application sets a set-cookie: sessionid=xxxx; expires=Thu, 16-May-2019 18:54:59 (and some more, like max-age and path) on every response. The sessionid remains the same until the session ends. I can see the purpose of this: By s… Continue reading Is sending a cookie with a sessionid in every HTTP response considered a bad practice?
Last night, I read a PDF detailing a privilege escalation attack a researcher had performed on a Django admin site. I’m curious- was the unfortunate application susceptible to this attack due to a misconfiguration, or rather … Continue reading Django admin site privilege escalation
I found following security notice on Django website:
Django’s media upload handling poses some vulnerabilities when that media is served in ways that do not follow security best practices. Specifically, an HTML file can b… Continue reading Malicious PNG (html with png header)
I developed a Django application for a school project and I hosted it at an EC2 instance to test and learn the environment.
During inspecting logs, I found the following GET request,
“GET /index.php?s=/index/\think\app/invok… Continue reading Strange GET request to my web application
I was at a code jam today for 12 hours. At the end of the day as I was leaving, one of the programmers claimed his computer was hit with a reverse shell attack. He was voicing this as I was finishing up and I stuck around t… Continue reading A computer on the public network I was using was penetrated at a codejam. Am I at risk?