An app with 5 vulnerabilities from the OWASP Top 10 2013.

A3: Reflected XSS on this page. Run:
- Expected use: http://localhost:8000/?referral=Organic Food Store
- Exploit: http://localhost:8000/?referral="); alert("Whoops, reflected XSS attack!"); console.log("

A5 + A6: Security misconfiguration leading to sensitive data exposure. Debug mode is always set to True in settings.py. Visiting the following URL reveals very sensitive information: http://localhost:8000/__debug__/render_panel/

A7: Missing function level access control. The page http://localhost:8000/secret-info/ is exposed to all users.

A10: Unvalidated redirect. /redirect/{site} redirects to the site provided as a path (perhaps for clickthrough tracking or some other purpose). However, URLs are not validated and any site may be input, e.g. localhost:8000/redirect/http://www.example.com/
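The /redirect/{site} view above forwards to whatever it is given. As an added example (not code from this repo), the validator below shows what such a view should check before issuing the redirect: it mirrors the checks Django's django.utils.http.url_has_allowed_host_and_scheme performs, re-implemented with urllib.parse so it runs without Django. The allowed-host set is an assumption for the localhost deployment.

```python
from urllib.parse import urlparse

# Assumption: the app is served on localhost:8000 only, so these are the
# only hosts an absolute redirect target may point at (constructed sample).
ALLOWED_HOSTS = {"localhost:8000", "127.0.0.1:8000"}


def is_safe_redirect(target: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True only if `target` is a same-site relative path or an absolute
    http(s) URL whose host is in `allowed_hosts`.

    Simplified re-implementation (assumption, not Django's own code) of the
    logic behind django.utils.http.url_has_allowed_host_and_scheme.
    """
    if not target or target != target.strip():
        return False  # empty, or padded with whitespace a parser may strip
    if "\\" in target:
        return False  # browsers treat "/\evil.com" as "//evil.com"
    if any(ord(c) < 0x20 for c in target):
        return False  # control characters confuse URL parsers
    parsed = urlparse(target)
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False  # javascript:, data:, ftp:, ...
    if not parsed.netloc:
        # A relative path such as "/dashboard/"; a bare "//host" form has a
        # netloc and never reaches this branch, so only reject "//" explicitly.
        return target.startswith("/") and not target.startswith("//")
    # Absolute or scheme-relative URL: the host (including "user@" tricks such
    # as "https://localhost:8000@evil.com/") must match exactly.
    return parsed.netloc.lower() in allowed_hosts


def vulnerable_redirect_target(site: str) -> str:
    """What the buggy /redirect/{site} view effectively does: no validation."""
    return site


def safe_redirect_target(site: str, fallback: str = "/") -> str:
    """Hardened replacement: send the user to `fallback` when `site` fails."""
    return site if is_safe_redirect(site) else fallback
```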
Boilerplate for this app was generated using cookiecutter-django, and installation instructions are the same as in their docs.
Linux
git clone https://github.com/AndrewGHC/buggy_django_app.git && cd buggy_django_app
pip install -r requirements/local.txt
- Create a new PostgreSQL database with
createdb buggy_django_app
python manage.py migrate
python manage.py runserver
- Visit the site at http://localhost:8000