CSRF in Django: how hidden forms ride the victim's session cookie, why @csrf_exempt is dangerous, and how CsrfViewMiddleware stops it. OWASP A01:2021.
Read more →
Privilege escalation in Django: how fields='__all__' exposes is_staff and is_superuser, and how explicit field lists stop it. OWASP A01:2021.
Read more →
IDOR in Django: how swapping a URL ID leaks another user's data, why login_required is not authorization, and how to scope querysets. OWASP A01:2021.
Read more →
XXE in Django: how external entities read files and reach the metadata endpoint, Billion Laughs exhausts memory, and defusedxml is the fix. OWASP A03:2021.
Read more →
OS Command Injection in Django: how shell=True turns user input into RCE, why shell=False with an argument list stops it. OWASP A03:2021, CVE-2016-3714.
Read more →
SSTI in Django: how Jinja2 MRO traversal achieves RCE, why Django's DTL is safe by design, and where that guarantee evaporates. OWASP A03:2021, CVE-2022-22954.
Read more →
XSS in Django: how stored, reflected and DOM-based attacks work, why mark_safe() and unsafe Markdown open the same hole, and how to migrate to nh3.
Read more →
SQL Injection: how attackers exploit unsanitised queries, why Django's ORM stops them, and where the protection ends. OWASP A03:2021, CySA+ VM.
Read more →