Page 174 - Hands-On Bug Hunting for Penetration Testers
Framework and Application-Specific Vulnerabilities Chapter 9
Checking for DEBUG = True
It's a forehead-slapping mistake, but still a common one: leaving the Django developer-level
logging on in production. Shipping an app with the DEBUG setting enabled allows a few
problems to crop up, including comprehensive error tracebacks that can expose sensitive
pages or data. If you suspect that DEBUG has been enabled on the target Django application,
try generating an error to trigger the display of a harmful traceback. Leaving the DEBUG
setting enabled is so common that, earlier this year, a single researcher conducted an
investigation and within a week had discovered 28,165 Django apps with the setting enabled
(https://www.bleepingcomputer.com/news/security/misconfigured-django-apps-are-exposing-secret-api-keys-database-passwords/).
If it seems as if the damage you can do with access to the debugging information is strictly
limited, consider that, in 2018, a researcher was able to use the debug information from an
unsecured Sentry server belonging to Facebook to get RCE. The payout was $5,000, a
lower-than-usual amount because the server was sandboxed and could not access user data
(https://blog.scrt.ch/2018/08/24/remote-code-execution-on-a-facebook-server/).
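As an added example (not code from the book), two checks around this setting: one inspects a response body for the wording Django's own debug error pages carry, so you can confirm a deployment you are responsible for is not serving tracebacks; the other derives DEBUG from the environment with a safe default. The sample HTML fragments and the DJANGO_DEBUG variable name are constructed for the example.

```python
import re

# Constructed fragment of the page Django renders for an unknown URL when
# DEBUG = True (wording follows Django's technical 404 template).
SAMPLE_DEBUG_404 = """<!DOCTYPE html><html><head><title>Page not found at /nope/</title></head>
<body><h1>Page not found <span>(404)</span></h1>
<p>Using the URLconf defined in <code>myproject.urls</code>, Django tried these URL patterns...</p>
<div id="explanation"><p>You're seeing this error because you have <code>DEBUG = True</code> in
your Django settings file. Change that to <code>False</code>, and Django will display a standard
404 page.</p></div></body></html>"""

# Constructed fragment of a production-style 404 served with DEBUG = False.
SAMPLE_PROD_404 = ("<!DOCTYPE html><html><head><title>Not Found</title></head>"
                   "<body><h1>Not Found</h1><p>The requested resource was not found "
                   "on this server.</p></body></html>")

# Text that appears only in Django's technical (debug) error pages, never in
# the plain 404/500 pages a production deployment should return.
_DEBUG_MARKERS = (
    re.compile(r"You're seeing this error because you have\s*(<code>)?\s*DEBUG\s*=\s*True", re.I),
    re.compile(r"Django Version:", re.I),           # summary table of the technical 500 page
    re.compile(r"Using the URLconf defined in", re.I),  # technical 404 page
)


def is_django_debug_page(body: str) -> bool:
    """Return True if an HTTP response body looks like a Django debug error page."""
    return any(marker.search(body) for marker in _DEBUG_MARKERS)


def debug_from_env(env: dict) -> bool:
    """Derive the DEBUG setting from the environment, defaulting to off.

    Only the exact string "1" enables debug, so a missing, empty or mistyped
    variable can never switch tracebacks on in production. In settings.py this
    would be used as: DEBUG = debug_from_env(os.environ)
    """
    return env.get("DJANGO_DEBUG", "0") == "1"
```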
Probing the Admin Page
Django ships with a default admin page that is also often foregone in favor of a third-party
plugin or other admin-related extension. If the default admin page has been neglected or
the admin integration is incomplete, it can provide a fruitful attack surface to test and
explore.
Summary
This chapter covered the basics of the CVE vulnerability identification system, how to build
workflows around discovering WordPress, Ruby on Rails, or Django-related
vulnerabilities, and why known vulnerability detection, despite all the caveats, can still be
worth integrating into your security practice. You should be moving forward with a better
understanding of the role application-specific vulnerabilities play in the security ecosystem
and be confident building application-specific testing processes, where appropriate, into
Burp-based, script-based, or any number of other workflow strategies.
In the next chapter, we will cover the critical information that should be included in every
report, optional information, the importance of including detailed steps to reproduce the
bug, and how to write a good attack scenario.
[ 159 ]