I made a big mistake…

4 months ago

Imad Husanovic

Before I start with this blog post, I’d like to announce that the book is finally finished, and to get it for free you must either follow me on Instagram or be subscribed to my YouTube channel. Then just email me asking for the book, and I will gladly send it to you within a short period of time, depending on whether I’m sleeping or not. Another thing I would like to announce is that I have started the game hacking series on my YouTube channel, and you can find the first episode regarding Among Us hacking here: https://www.youtube.com/watch?v=w0XktSE21GI

Other than that, let’s start with this crazy story!

Socials:

Instagram: https://instagram.com/deadoverflow

YouTube: https://youtube.com/@deadoverflow

Email: ihusanovic3@gmail.com

So most of you know what my hacking platform is, HackrHub. I made that platform so you can find hacking tutorials and much more, and its initial goal was to help everyone who is starting out in hacking. One day I received an email from someone saying that they had allegedly found a vulnerability on my own website. So let me show you what the vulnerability on my own website was all about!

Hello,

I want to share a recent discovery regarding a security vulnerability in a Django application. This issue highlights the importance of disabling debug mode in production. Here is an overview of how I found this vulnerability and the associated risks.

The Discovery

While browsing through blog number 7 on HackrHub, I encountered an error caused by an unencodable Unicode character:

UnicodeEncodeError at /blog/7/
'ascii' codec can't encode character '\u2026' in position 19: ordinal not in range(128)

The complete error provided detailed information:

Request Method: GET
Request URL: https://hackrhub.com/blog/7/
Django Version: 4.2.13
Exception Type: UnicodeEncodeError
Exception Location: /home/ekiipa/HackrHub/Home/views.py, line 44, in blog
Python Executable: /home/ekiipa/virtualenv/HackrHub/3.9/bin/python
Python Version: 3.9.19

The Impact of Debug Mode

At the bottom of the error page, a message clearly indicated the cause of the sensitive information disclosure:

You’re seeing this error because you have DEBUG = True in your Django settings file. Change that to False, and Django will display a standard page generated by the handler for this status code.

Enabling debug mode in production exposes critical information such as file paths, application configurations, and even sensitive variables. Here are some examples of the information I was able to extract thanks to debug mode:

File paths
Application configurations
Environment variables

By delving deeper, I was also able to access the routes defined in the Django application, which can be extremely useful for an attacker. For example, accessing URLs like https://hackrhub.com/blogad returned a detailed response indicating that the URL did not match any defined routes, along with a list of existing routes:

Page not found (404)
Request Method: GET
Request URL: https://hackrhub.com/blogad
Using the URLconf defined in NewsPaper.urls, Django tried these URL patterns, in this order:
admin/
privacy/
search/
about/
tutoring/
tutoring/free/
blog/<id>/
^static/(?P<path>.*)$
The current path, blogad, didn’t match any of these

Why Is This a Problem?

Debug mode in production can lead to the disclosure of sensitive information, allowing an attacker to better understand the application’s structure and potentially exploit other vulnerabilities.

My Recommendations

Disable Debug Mode: Ensure that debug mode is always disabled in production by setting DEBUG = False in your Django configuration file.
Regular Checks: Perform regular checks of your deployment configurations to ensure no sensitive information is exposed.
Error Handling: Implement proper error handling to avoid exposing technical details to end-users.
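As an added example (not HackrHub's own code), the three recommendations above written out in plain Python around a Django settings module: DEBUG only comes on by explicit opt-in and otherwise fails closed, a pre-release self-check flags the settings the email describes, and the error path stays generic when debug is off. The DJANGO_DEBUG variable name and the host list are assumptions.

```python
"""Fail-closed DEBUG handling and a deployment self-check for Django settings.
Example written for this post, not HackrHub's settings; the DJANGO_DEBUG
variable name and the ALLOWED_HOSTS values are assumptions."""
import logging
import os

log = logging.getLogger(__name__)


def debug_from_env(raw):
    """Map the DJANGO_DEBUG environment value to a bool.

    Only an explicit opt-in enables debug; unset, empty or unrecognised
    values all fall back to False, so a forgotten variable or a typo in
    production cannot turn Django's technical error pages back on.
    """
    return (raw or "").strip().lower() in {"1", "true", "yes", "on"}


def deployment_findings(settings):
    """Return the problems a production settings dict would have.

    Mirrors two of the checks `python manage.py check --deploy` performs;
    run it before every release so a stray DEBUG = True is caught.
    """
    findings = []
    if settings.get("DEBUG"):
        findings.append("DEBUG is True: error pages disclose file paths, "
                        "settings and URLconf patterns to any visitor")
    if not settings.get("ALLOWED_HOSTS"):
        findings.append("ALLOWED_HOSTS is empty: with DEBUG off, Django "
                        "answers every request with 400")
    return findings


def error_body(exc, path, debug):
    """Simplified stand-in for what the user sees on an unhandled exception.
    With DEBUG off the details go to the server log only."""
    if debug:
        return f"{type(exc).__name__} at {path}\n{exc}"  # technical page
    log.error("unhandled exception at %s", path, exc_info=exc)
    return "Server Error (500)"


# Constructed settings: the state the email describes, beside the corrected form.
LEAKY = {"DEBUG": True, "ALLOWED_HOSTS": []}
HARDENED = {"DEBUG": debug_from_env(os.environ.get("DJANGO_DEBUG")),
            "ALLOWED_HOSTS": ["hackrhub.com", "www.hackrhub.com"]}
```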

Even I, as an experienced hacker, can forget some stuff and make a silly mistake like this one. To be honest, I just forgot to turn off the debug mode; I was working to push out an update and completely forgot about it, which is again my mistake only. So the lesson here is to be careful when writing your own code or even hacking, because a lot of stuff can go unnoticed.
