Description
Security misconfiguration is a class of vulnerability that arises when software is set up incorrectly and left in an insecure state. It can occur at any layer of the application stack: the platform, web server, application server, database, framework, or custom code. Debug pages left enabled, unused paths and endpoints, unprotected files or directories (including directory listings), and default system logins are all classified as security misconfigurations. Many applications and servers do not ship secure out of the box, so it is important to understand how to configure each piece of software you deploy and to harden it before exposing it. Developers and system administrators need to work together to ensure the entire stack is configured properly, since a setting that is harmless in development (verbose error pages, for example) can disclose stack traces, internal paths, or credentials in production. Automated scanners detect many issues in this class, such as exposed admin interfaces, directory listings, and version banners, but they cannot know which features you have enabled in your own application, so keep an inventory of those features and review their defaults.
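As an added illustration (not part of the original description), the following Python script audits three constructed configuration fragments for the kinds of misconfiguration named above: a debug flag and a default secret in application settings, version banners and directory listing in an Apache-style web server configuration, and default passwords in an account store. The sample inputs, the setting names in the application block, the list of default secrets, and the account store are all constructed for this example; the salted SHA-256 used for the account store only keeps the script self-contained and is not a recommended password storage scheme.

```python
"""Audit constructed config fragments for common security misconfigurations (added example)."""
import hashlib
import re

# Constructed sample inputs; none of these come from a real deployment.
APP_SETTINGS = """
DEBUG = true
SECRET_KEY = changeme
ALLOWED_HOSTS = *
"""

WEBSERVER_CONF = """
ServerTokens Full
ServerSignature On
<Directory "/var/www/html/uploads">
    Options Indexes FollowSymLinks
</Directory>
<Directory "/var/www/html">
    Options -Indexes
</Directory>
"""

# Hypothetical lists of values that should never survive into production.
DEFAULT_SECRETS = {"changeme", "secret", "password", "default", "123456"}
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "root", "123456"]
DIRECTORY_BLOCK = re.compile(r'<Directory\s+"?([^">]+)"?>(.*?)</Directory>', re.S | re.I)


def parse_settings(text):
    """Parse KEY = value lines into a dict; keys are upper-cased, comments skipped."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        settings[key.strip().upper()] = value.strip()
    return settings


def audit_app_settings(text):
    """Flag debug mode, well-known secrets, and unrestricted host validation."""
    s = parse_settings(text)
    findings = []
    if s.get("DEBUG", "false").lower() in ("1", "true", "on", "yes"):
        findings.append("app: DEBUG is enabled (stack traces and debug pages exposed)")
    if s.get("SECRET_KEY", "").lower() in DEFAULT_SECRETS:
        findings.append("app: SECRET_KEY is a well-known default value")
    if s.get("ALLOWED_HOSTS") == "*":
        findings.append("app: ALLOWED_HOSTS is a wildcard (Host header not validated)")
    return findings


def audit_webserver(text):
    """Flag version disclosure and per-directory listing in Apache-style directives."""
    findings = []
    m = re.search(r"^\s*ServerTokens\s+(\w+)", text, re.M | re.I)
    if m and m.group(1).lower() != "prod":
        findings.append(f"web: ServerTokens {m.group(1)} leaks version details")
    if re.search(r"^\s*ServerSignature\s+On", text, re.M | re.I):
        findings.append("web: ServerSignature On appends server details to error pages")
    for path, body in DIRECTORY_BLOCK.findall(text):
        for opts in re.findall(r"^\s*Options\s+(.+)$", body, re.M | re.I):
            flags = {f.lower() for f in opts.split()}
            # "Indexes" or "+Indexes" enables listing; "-Indexes" disables it.
            if flags & {"indexes", "+indexes"}:
                findings.append(f"web: directory listing enabled for {path}")
    return findings


def hash_password(password, salt):
    """Salted SHA-256, used only to keep the example offline (use a slow KDF in practice)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed account store: (username, salt, hash_password(password, salt)).
ACCOUNTS = [
    ("admin", "s1", hash_password("admin", "s1")),
    ("deploy", "s2", hash_password("correct-horse-battery-staple-2024", "s2")),
]


def audit_accounts(accounts):
    """Detect accounts whose stored hash matches a known default password."""
    findings = []
    for user, salt, digest in accounts:
        for guess in DEFAULT_PASSWORDS:
            if hash_password(guess, salt) == digest:
                findings.append(f"auth: account {user!r} still uses default password {guess!r}")
                break
    return findings


def audit_all():
    """Run every check over the constructed inputs and return the combined findings."""
    return (audit_app_settings(APP_SETTINGS)
            + audit_webserver(WEBSERVER_CONF)
            + audit_accounts(ACCOUNTS))


if __name__ == "__main__":
    for finding in audit_all():
        print(finding)
```

Each check returns a list of findings rather than printing, so the same functions can be wired into a CI step that fails the build when the list is non-empty. The second `<Directory>` block, with `Options -Indexes`, produces no finding, which is the distinction a scanner has to make between a directive that is merely present and one that actually enables the feature.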