13 Aug, 2015

Introducing Django.nV: An Intentionally Vulnerable Django Application

by nVisium Team

nVisium is proud to announce the release of Django.nV, an intentionally vulnerable project management application. As with all of the ‘nV’ suite of applications, Django.nV demonstrates a series of common vulnerabilities in the context of a modern application. The flaws within the application include vulnerabilities ranging from the OWASP Top 10 (Injection, Insecure Direct Object Reference) to some Django-specific issues (Mass Assignment and Insecure Settings).

The project is hosted on Github and can be found here: Django.nV.

Django.nV contains all the functionality expected from a project management application, with the ability to create projects, submit tasks, and track completion of both. In addition, the application supports uploading and attaching files to projects and tasks. It also features user action tracking and the ability to manage rights to any given project.

Embedded within the application is a “tutorials” section where a number of Django.nV vulnerabilities are documented (along with recommended remediation strategies). These tutorials address some common vulnerabilities that are found during application assessments but are not a complete list of all the vulnerabilities within Django.nV.

Each tutorial has generic descriptions of vulnerabilities, hints on where to find them, and documentation of the software flaws and how to fix them. We recommend trying to find them all on your own before checking the write-ups!

The Github page has the instructions to get the application set up and running.

Django.nV will be kept up to date with new vulnerabilities and framework releases over time, including improvements to the tutorials. It is our intention to make Django.nV useful for developers and security practitioners, allowing them to explore common security and Django-related problems from both an attacker’s and developer’s perspectives.

Submit bugs and new ideas to the issues page on Github.