This repository was archived by the owner on May 17, 2022. It is now read-only.

Inconsistency between tutorial vulnerabilities described and those that exist #46

@cewing

Greetings,

I'm prepping for teaching a course on Python web development to begin in about 8 weeks. I would like very much to use this repository in a series of assignments about OWASP vulnerabilities. I want to start here by thanking you for making it available.

That being said, I'm noticing some issues that make it hard to use as a teaching tool.

One first example involves the Broken Authentication and Session Management tutorial step. In the text describing the bug the problem is described as an incomplete blacklist for form fields that omits is_superuser. However, that's not actually the problem present in the user registration form which appears instead to be the 'inadvertent' inclusion of the user_permissions field in the form whitelist.

I think the incomplete blacklist problem is a better example, as allowing someone to assign themselves superuser status is a much clearer vulnerability to demonstrate than allowing them to get permissions they should not have. Is it possible to revert to using the blacklist problem instead? If not, can the description of the bug be updated to align correctly with the reality of the app vulnerability?

I'm still looking over other tutorial steps to see if I can find any other such issues. Thanks very much for any attention you can give to this issue. I certainly hope that development is ongoing and that this input is welcomed.
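The two variants discussed in this issue (an incomplete exclude-list that forgets is_superuser, versus a fields whitelist that inadvertently admits user_permissions) are both instances of mass assignment through form field selection. The following is an added example written for this page, not code from the tutorial repository or from Django itself: a pure-Python stand-in that mirrors the selection rule of a Django ModelForm (with `fields`, only the listed names are bound; otherwise every model field not in `exclude` is bound). The User model, field names, helper names and the attacker's POST payload are constructed for illustration.

```python
"""Added example: how form field selection turns registration into mass assignment.

Pure-Python stand-in for the `fields` (whitelist) / `exclude` (blacklist)
selection rule of a Django ModelForm. The model, helper names and payload are
constructed for illustration and are not code from the tutorial repository.
"""
from dataclasses import dataclass


@dataclass
class User:
    """Minimal stand-in for a user model (assumed attribute set)."""
    username: str = ""
    email: str = ""
    password: str = ""
    is_staff: bool = False
    is_superuser: bool = False
    user_permissions: frozenset = frozenset()


# Every attribute the form machinery could bind from POST data.
MODEL_FIELDS = ("username", "email", "password",
                "is_staff", "is_superuser", "user_permissions")


def bind_form(posted, *, fields=None, exclude=()):
    """Copy POSTed values onto a fresh User.

    With `fields`, only the listed names are bound; otherwise every model
    field not named in `exclude` is bound. Keys that are not model fields
    (e.g. the CSRF token) are ignored, as a form would ignore them.
    """
    if fields is not None:
        allowed = set(fields)
    else:
        allowed = set(MODEL_FIELDS) - set(exclude)
    user = User()
    for name, value in posted.items():
        if name in allowed and name in MODEL_FIELDS:
            setattr(user, name, value)
    return user


def register_incomplete_blacklist(posted):
    """Blacklist variant described in the tutorial text: is_superuser was forgotten."""
    return bind_form(posted, exclude=("is_staff", "user_permissions"))


def register_leaky_whitelist(posted):
    """Whitelist variant the issue reports: user_permissions slipped into `fields`."""
    return bind_form(posted, fields=("username", "email", "password", "user_permissions"))


def register_fixed(posted):
    """Hardened form: whitelist only what a self-registering user may supply."""
    return bind_form(posted, fields=("username", "email", "password"))


def escalated_fields(user):
    """Return the set of privileged attributes a registration managed to set."""
    gained = set()
    if user.is_staff:
        gained.add("is_staff")
    if user.is_superuser:
        gained.add("is_superuser")
    if user.user_permissions:
        gained.add("user_permissions")
    return gained


# Constructed attacker payload: the ordinary registration fields plus extra
# keys a browser form never renders but a hand-crafted request sends anyway.
ATTACK_POST = {
    "username": "eve",
    "email": "eve@example.test",
    "password": "hunter2",
    "is_staff": True,
    "is_superuser": True,
    "user_permissions": frozenset({"auth.change_user"}),
    "csrfmiddlewaretoken": "not-a-model-field",
}

if __name__ == "__main__":
    for variant in (register_incomplete_blacklist, register_leaky_whitelist, register_fixed):
        gained = escalated_fields(variant(ATTACK_POST))
        print(f"{variant.__name__}: escalated {sorted(gained) or 'nothing'}")
```

The point the test below checks is the one the issue makes: under the blacklist variant the attacker lands is_superuser, under the reported whitelist variant they land arbitrary user_permissions, and only an explicit whitelist of the three registration fields blocks both, regardless of what extra keys the request carries.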
