DjangoCon Europe 2023 | A Beginners Guide to Security Exploits in Action

A Beginners Guide to Security Exploits in Action by Ashley Mathew & Mario de la Ossa https://pretalx.com/djangocon-europe-2023/talk/9N97WM/

It’s one thing to read the Django security page and follow the recommendations. It’s something completely different to actually understand why those recommendations exist.

The talk will cover 5 different security vulnerabilities (spending ~5 mins on each) that are baked into a fake MySpace clone:

• HTML serialization: Why supporting custom HTML is cool, but also dangerous
• The penalties of using a guessable SECRET_KEY: How one might use it to abuse sessions
• The downfalls of stepping outside the ORM: How write a more complex query and accidentally make it vulnerable to SQL injection
• Consider setting ALLOWED_HOSTS: Injecting custom hosts in password reset emails
• No really, consider setting ALLOWED_HOSTS: Unsafe open redirects and the importance of url_has_allowed_host_and_scheme

Each step will introduce in detail how to exploit the vulnerability, followed by patching and validation.