Description
User credentials may be stolen, sessions hijacked, and privileges escalated through implementation flaws in the authentication process, poor protections on session credentials, and insecure practices during the registration process.
The application is vulnerable to a mass assignment attack on the registration page. The cause is the UserForm found in the forms.py file: it declares an incomplete blacklist (exclude) of the User model attributes that cannot be set through the form, and is_superuser is not on that list. An attacker can therefore add an is_superuser parameter to the form data before submitting it to the application and register an account with the superuser flag enabled.

Furthermore, the application uses an insecure method of session storage. CookieStorage is used as the session backend, so the session data itself lives client-side in a signed (but not encrypted) cookie, and anyone holding the cookie can read the session contents directly from it. The data is also serialized with the PickleSerializer. If the SECRET_KEY is ever compromised, an attacker can not only modify values in the session, but can also abuse pickle deserialization for arbitrary code execution on the server.
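The mass assignment above, modelled in plain Python as an added example (this is not the application's own forms.py, and it needs no Django). A Django-style ModelForm binds submitted parameters onto a User object; one binder mirrors Meta.exclude (an assumed blacklist that omits is_superuser, as the report describes), the other mirrors the Meta.fields whitelist. The User class, the registration POST and the attacker's extra parameter are all constructed here:

```python
from dataclasses import dataclass, fields as dc_fields

# Constructed stand-in for the Django User model (only the attributes that matter here).
@dataclass
class User:
    username: str = ""
    first_name: str = ""
    last_name: str = ""
    email: str = ""
    password: str = ""
    is_staff: bool = False
    is_superuser: bool = False
    is_active: bool = True

MODEL_ATTRIBUTES = tuple(f.name for f in dc_fields(User))

# Assumed 'exclude' blacklist: staff/active flags are blocked, is_superuser was forgotten.
INCOMPLETE_EXCLUDE = ("is_staff", "is_active")

# The 'fields' whitelist recommended for the registration form.
ALLOWED_FIELDS = ("username", "first_name", "last_name", "email", "password")


def _coerce(user, name, raw):
    # Form data arrives as strings; a boolean field is set when the value is truthy.
    if isinstance(getattr(user, name), bool):
        return str(raw).lower() in ("1", "true", "on", "yes")
    return raw


def bind_with_blacklist(submitted, exclude=INCOMPLETE_EXCLUDE):
    """Mirrors Meta.exclude: any model attribute NOT listed is accepted from the request."""
    user = User()
    for name, raw in submitted.items():
        if name in MODEL_ATTRIBUTES and name not in exclude:
            setattr(user, name, _coerce(user, name, raw))
    return user


def bind_with_whitelist(submitted, allowed=ALLOWED_FIELDS):
    """Mirrors Meta.fields: only the listed attributes are ever copied from the request."""
    user = User()
    for name in allowed:
        if name in submitted:
            setattr(user, name, _coerce(user, name, submitted[name]))
    return user


def unguarded_attributes(exclude=INCOMPLETE_EXCLUDE, allowed=ALLOWED_FIELDS):
    """Audit helper: model attributes a blacklist form exposes that a whitelist form would not."""
    return {a for a in MODEL_ATTRIBUTES if a not in exclude and a not in allowed}


# Constructed registration request with one extra parameter appended by the attacker.
REGISTRATION_POST = {
    "username": "mallory",
    "first_name": "Mallory",
    "last_name": "M",
    "email": "mallory@example.test",
    "password": "hunter2",
    "csrfmiddlewaretoken": "constructed-token",  # not a model attribute, ignored by both
    "is_superuser": "1",                          # the mass-assigned flag
}


def compare_bindings(submitted=REGISTRATION_POST):
    """Return the resulting is_superuser flag under each binding strategy."""
    return {
        "blacklist": bind_with_blacklist(submitted).is_superuser,
        "whitelist": bind_with_whitelist(submitted).is_superuser,
    }


if __name__ == "__main__":
    print(compare_bindings())          # {'blacklist': True, 'whitelist': False}
    print(unguarded_attributes())      # {'is_superuser'}
```

unguarded_attributes() is the check worth running against any ModelForm that still uses exclude: every attribute it returns is settable by whoever submits the form.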
It is almost always better to use a whitelist than a blacklist when restricting valid values. In this case, the 'exclude' blacklist array should be replaced with the 'fields' whitelist array, which should list only the User model attributes that a user is allowed to modify. For this application, it may include the following attributes:

fields = ('username', 'first_name', 'last_name', 'email', 'password')

Avoid using CookieStorage for user session storage. It is best to keep all session information on the server and hand the user only an opaque session token, so session variables cannot be read without first accessing the server. Furthermore, the default serializer in Django 1.6+ (JSONSerializer) is much more secure and does not suffer from the code execution vulnerabilities of PickleSerializer, so it should be used instead.
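An added example of the two session designs contrasted above, written in plain Python rather than taken from Django or from this application. A cookie-backed session is a signed, JSON-serialized payload: the signature stops undetected modification, but nothing stops reading the payload, since it is only base64. A server-side store hands out a random token that carries no session data at all. The key, the session contents and the tampering attempt are all constructed here; JSON is used deliberately because json.loads can only ever produce data, never invoke code the way unpickling can:

```python
import base64
import hashlib
import hmac
import json
import secrets
from typing import Optional

# Constructed demo key; a real deployment keeps SECRET_KEY out of source control.
SECRET_KEY = b"constructed-demo-key-not-a-real-secret"


def _b64(payload: bytes) -> str:
    return base64.urlsafe_b64encode(payload).decode()


def make_cookie_session(session: dict, key: bytes = SECRET_KEY) -> str:
    """Cookie-backed session: JSON payload + HMAC-SHA256 signature, both in the cookie."""
    payload = json.dumps(session, separators=(",", ":")).encode()
    sig = hmac.new(key, payload, hashlib.sha256).hexdigest()
    return _b64(payload) + ":" + sig


def read_cookie_without_key(cookie: str) -> dict:
    """Anyone holding the cookie can decode the payload; signing is not encryption."""
    b64, _sig = cookie.rsplit(":", 1)
    return json.loads(base64.urlsafe_b64decode(b64))


def load_cookie_session(cookie: str, key: bytes = SECRET_KEY) -> Optional[dict]:
    """Server-side check: reject the cookie unless the signature matches under the key."""
    b64, sig = cookie.rsplit(":", 1)
    payload = base64.urlsafe_b64decode(b64)
    expected = hmac.new(key, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(sig, expected):
        return None
    # json.loads yields only dicts/lists/strings/numbers; no object construction happens.
    return json.loads(payload)


def modify_payload_keep_signature(cookie: str, **changes) -> str:
    """Edit the payload while leaving the old signature in place (what a key-less edit looks like)."""
    b64, sig = cookie.rsplit(":", 1)
    data = json.loads(base64.urlsafe_b64decode(b64))
    data.update(changes)
    return _b64(json.dumps(data, separators=(",", ":")).encode()) + ":" + sig


class ServerSideSessions:
    """Server-side store: the client receives only an opaque random token."""

    def __init__(self):
        self._store = {}

    def create(self, session: dict) -> str:
        token = secrets.token_urlsafe(32)
        self._store[token] = dict(session)
        return token

    def load(self, token: str) -> Optional[dict]:
        return self._store.get(token)


def demo() -> dict:
    session = {"user_id": 7, "is_superuser": False}
    cookie = make_cookie_session(session)
    altered = modify_payload_keep_signature(cookie, is_superuser=True)
    store = ServerSideSessions()
    token = store.create(session)
    return {
        "readable_without_key": read_cookie_without_key(cookie) == session,
        "altered_cookie_rejected": load_cookie_session(altered) is None,
        "token_carries_no_data": "user_id" not in token and ":" not in token,
        "server_side_lookup_ok": store.load(token) == session,
    }


if __name__ == "__main__":
    print(demo())
```

The first result is the property the report objects to: with CookieStorage the session's contents are visible to whoever holds the cookie, while the server-side token reveals nothing without a lookup on the server.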
Mass assignment is the hip new auth bypass. Surprisingly enough, there's some of it in this app too.