How to Hack a Django Website
2020-09-18, 17:10–17:50 (Europe/Lisbon), Virtual

Why did Facebook have a public Django-based site that got hacked? What was the flaw discovered in GitHub's password reset mechanism that was also found to affect Django auth? Are your projects vulnerable?

I'll walk you through some stories of common web vulnerabilities, and what they mean for Django. I've had the pleasure of working on over 50 Django projects so far, so I've seen some patterns emerge.

Security is boring. But it can suddenly get quite exciting... normally for the wrong reasons.

I'll talk through a few stories of security flaws and misconfigurations in Django projects, and what you can do about them for your own projects:

  • A Django-based site on with a remote code execution flaw
  • GitHub's broken password mechanism that was discovered to be a problem for much of the internet
  • How use of mark_safe is normally completely unsafe - and can lead to admin takeover
  • The one safe way to pass data to your JavaScript
  • How to help security researchers contact you directly about flaws, rather than get delayed by your confused but well-meaning support or sales staff

Each short story will be backed with short code snippets to make the problems concrete. I'll also try cover where the web, Python, and Django are moving to make such flaws rarer.

See also: pretalx-hack

Hi, I'm Adam Johnson. I'm a software engineer working with AWS, Ansible, Django, and Python. I have 13 years experience in web development and 4 years experience as DevOps lead.

I'm a core developer on the Django project, and a co-organizer of the The London Django Meetup.

I'm based in London but am often travelling around the world.