Display current profile picture on the edit profile page.

Project completion percentage needs to be calculated on the project details page.

Could be in the form of poor password hashing, enumeration on a password recovery form, weak tokens for password recovery, etc

Would also be worth checking how secure Django is out of the box, with regards to its configuration

To begin with I want to thank you for your work on developing this vulnerable django application.
It is really helpful for me.
However, I have spent a lot of time trying to make the sql injection via file upload to work without any success. I have used the recommended 1.8.3 version of Django and a series of Python 3,4+ version without any success. It accepts the file upload but it returns nothing with the filename testPic',(select password from auth_user where username='admin'),8);--
What is more, I tried to get the password by executing directly sql, but I have found no way to crack the MD5 password in this format [for example: md5$c77N8n6nJPb1$3b35343aac5e46740f6e673521aa53dc]. It appears not recognizable by every tool that I know of. I suppose it is $md5(salt)$md5(pass), isn't it?
Any help will be very much appreciated.
Thank you in advance!

Integrate injection into the application somehow. Might be hard to do SQL injection, so maybe make a call out to the OS or email injection?

Clean up some inconsistencies in the code. At first glance:

• Columns in model have inconsistent naming
• Functions in code don't follow single naming pattern
• Organize code better
• Add more comments

Tasks can currently be created, but cannot be edited or deleted. Task "% completed" is also not editable currently.

Also, allow the creation of notes attached to the different tasks

For Grails.nV, I used an optional redirect to take you back to the last page after login. That would be pretty straightforward to implement and is also something easy to overlook on production websites

Integrate XSS somehow. Stored XSS is probably relatively easy, just avoid validating on the outputted variable

I could imagine something like this as just not validating that the user is allowed to access a task page on a project they don't own, or something similar.

Allows the user to change their username and password

Hi am trying to install on Debian Jessie Vm but am met with errors, i have python 3.4+ installed on system,i cannot pip install -r requirements.txt as its asking for a directory, in which directory it should be installed ?& from where to start ./reset_db.sh ? kindly suggest
Regards
skorpinok

.

Page where admin has the ability to change the roles of other admins, project managers and team members.

Add the project completion ETA and the ability to add notes or mark tasks and completed

After login as Team Member you can see the projects you are assigned to and the tasks you have to complete. You can comment on the tasks but not edit them in any way.

Relatively easy to implement with some sort of dummy API within the app. Otherwise, could also work as some unprotected account action

Permissions should be based around roles, such as admin, project manager, or team member. Each role will have a set of actions they can perform, and a set of data they can view

Greetings,

I'm prepping for teaching a course on Python web development to begin in about 8 weeks. I would like very much to use this repository in a series of assignments about OWASP vulnerabilities. I want to start here by thanking you for making it available.

That being said, i'm noticing some issues that make it hard to use as a teaching tool.

One first example involves the Broken Authentication and Session Management tutorial step. In the text describing the bug the problem is described as an incomplete blacklist for form fields that omits is_superuser. However, that's not actually the problem present in the user registration form which appears instead to be the 'inadvertent' inclusion of the user_permissions field in the form whitelist.

I think the incomplete blacklist problem is a better example, as allowing someone to assign themselves superuser status is a much clearer vulnerability to demonstrate than allowing them to get permissions they should not have. Is it possible to revert to using the blacklist problem instead? If not, can the description of the bug be updated to align correctly with the reality of the app vulnerability?

I'm still looking over other tutorial steps to see if I can find any other such issues. Thanks very much for any attention you can give to this issue. I certainly hope that development is ongoing and that this input is welcomed.

Projects can currently be created, but there is not much high level control over editing or deleting projects. Implement this functionality and incorporate it with the current tasks feature.

Could possibly look at the password hashing algorithm being used, or use MD5 or some other weak hash for token generation somewhere.

Add ability to complete task and link to add notes to the task

Shows all active projects, have option to create new projects and edit current ones. Admin can add or remove project managers and team members from projects

While I don't know if demonstrating how to make a hackable Django site is a good or bad thing, I do know that the only place in the codebase where I'm explicitly told this is purposefully insecure is at the top of the README. While the other files may have 'insecure' spelled out in comments, there is no disclaimer at the top of each file.

From personal experience, if you post examples of bad code that shouldn't be used, it needs to be abundantly clear that this is the case. Otherwise people will find this code through searches, and implement it.

Please, please, please add an explicit warning at the top of each file.

Show a username and password text box and let the user login with their credentials. Incorporate login vulnerabilities ... SQL Injection

Hi All,

I would like to see a password reset mechanism that generates a SecureRandom 6 digit token, and sends that via out-of-band communication (email). This token will be used to verify a users identity before allowing them to change the password. This token should last for 10 minutes before expiring.

The idea is that we can use this to train developers on the idea of distributed attacks. For example, even though the token is distributed out of band, it still lacks the required keyspace to make it considered cryptographically random. We can leverage this to enumerate the entire keyspace of the token, to reset a victims password.

Upon submission of new user details (clicking "Register" button) I get the following error:

Forbidden (403)
CSRF verification failed. Request aborted.

Help
Reason given for failure:

    CSRF token missing or incorrect.

I have tried various options but none of them seemed to have worked.

I have only tried registering for a new user because I could not find passwords for the ones you have pre-configured - that would have solved my problem if you included passwords of pre-configured users somewhere in the docs.

Implement role based access control functionality, including admin, project_manager, & team_member roles. Migrate manage_groups view and template to use base_backend.html. Finally, user should be admin or project manager to be able to delete or edit a project or delete associated tasks.

Unauthenticated users can see the status of a project with out specific task details. Shows the title of the project and the percentage of tasks completed.

After login as a project manager all your projects are viewed and you can edit them. You also have the option to edit the project and add or remove team members.

Relatively easy to implement, simply don't validate user permissions on some pages or actions.

I would love to make django.nV part of the w3af test suite. This would help improve the scanner by making sure all the vulnerabilities in this application are identified by it on every push to the w3af repository. In order to do that I need django.nV running inside a docker image.

Other users will also benefit from this since they don't need to install any software (other than docker that they most likely already have) in their workstations, they just run:

docker run -it -p 8000:8000 --rm nVisium/django.nV

And they have a running django application on 127.0.0.1:8000

Convert manage_groups, manage_projects, and manage_tasks to use base_backend.html template. Cleanup look and feel.

Add the ability for users to set and change their profile pictures. There's already existing file upload code for projects, so port it over

Thanks to the virtualenv, you could force an old and known vulnerable version of some library to be installed. Also, could use the requirements.txt file to demonstrate the important of making sure systems are updated.

Implement task + project searches.

Not sure if this is part of the challenge and I'm just not getting it, but when I spin this up locally after populating the db I'm unable to register. There is no default value for the user_permissions form field, causing the post to fail silently.

Here are a few issues I noticed with the tutorials.

SQLi: Solution only seems to cover secure file creation. It does not provide mitigation techniques for SQLi.

IDOR: doesn't leverage syntax highlighting for the code snippets.

Components: Lacks linebreaks and formatting.

CSRF: Lacks formatting