QA Sandbox | Security | Beginner | 6 tests

Security Misconfiguration

Insecure default settings left in place - DEBUG mode on, the admin panel exposed at its default path, missing security headers, and a wildcard ALLOWED_HOSTS. Each test probes a separate configuration failure. All 6 tests are Postman-compatible.

What is Security Misconfiguration?

Security misconfiguration is one of the most prevalent vulnerability classes (OWASP A05:2021). It covers any setting that was left at an insecure default or was never configured at all - verbose error pages in production, exposed admin interfaces, missing HTTP security headers, overly permissive host validation, and unused features left enabled. Unlike injection bugs, these require no exploit logic - the misconfiguration itself is the vulnerability.

What is hidden here

Test 1 DEBUG=True - error endpoint returns a full stack trace with internal paths and settings values (bug)
Test 2 Django admin panel is reachable at /admin/ with no additional auth layer or IP restriction (bug)
Test 3 X-Frame-Options header is absent - page can be embedded in an iframe (bug)
Test 4 Content-Security-Policy header is absent - no script source restrictions (bug)
Test 5 ALLOWED_HOSTS=['*'] - injected Host header is reflected in a generated password reset link (bug)
Test 6 A hardened endpoint correctly sets all four security headers (true positive)

Test 1
DEBUG Mode - Stack Trace Exposure
Trigger an unhandled server error and observe whether the response leaks internal file paths, settings, and database credentials.
GET /qa-sandbox/security-misconfig/?action=debug-error
Test 2
Admin Panel Exposed at Default Path
Check whether the Django admin interface is accessible at /admin/ without any extra restriction.
GET /qa-sandbox/security-misconfig/?action=check-admin
Test 3
Missing X-Frame-Options Header
Request the endpoint and verify that no X-Frame-Options header is returned. Without it the page can be embedded in a transparent iframe.
GET /qa-sandbox/security-misconfig/?action=check-xframe
Test 4
Missing Content-Security-Policy Header
Request the endpoint and confirm that no Content-Security-Policy header is present. Absence of CSP removes the last line of defense against XSS.
GET /qa-sandbox/security-misconfig/?action=check-csp
Test 5
ALLOWED_HOSTS = ['*'] - Host Header Injection
The server uses the Host header to build password reset links without validation. Postman users: set a custom Host header to see your value reflected in the generated link. The button below simulates sending the current host.
GET /qa-sandbox/security-misconfig/?action=host-inject
Host: <your injected value> (Host header can only be set natively in Postman/curl - the button simulates the reflected value)
Test 6
Hardened Endpoint - All Headers Present
This endpoint correctly sets X-Frame-Options, Content-Security-Policy, X-Content-Type-Options, and Referrer-Policy.
GET /qa-sandbox/security-misconfig/?action=check-secure

Hints

Trigger Test 1 and look inside debug_info.settings_leak - note the leaked SECRET_KEY and DATABASE_URL.
For Test 2, also manually navigate to /admin/ in the browser to confirm the login form loads without any challenge.
For Tests 3 and 4, open browser DevTools Network tab after clicking the button and inspect the response headers directly to confirm the headers are absent.
For Test 5 in Postman: add a custom Host header set to evil.attacker.com and check that value appears in generated_reset_link in the response.
For Test 6: inspect the response headers in DevTools or Postman and confirm all four security headers are present with correct values.

Postman / API Guide

All tests use GET /qa-sandbox/security-misconfig/?action=<action>. No auth or body required.

Test 1 - DEBUG stack trace
GET /qa-sandbox/security-misconfig/?action=debug-error
Test 2 - Admin panel check
GET /qa-sandbox/security-misconfig/?action=check-admin
Test 3 - X-Frame-Options missing
GET /qa-sandbox/security-misconfig/?action=check-xframe
# Inspect response headers tab - X-Frame-Options should be absent
Test 4 - CSP missing
GET /qa-sandbox/security-misconfig/?action=check-csp
# Inspect response headers tab - Content-Security-Policy should be absent
Test 5 - Host header injection
GET /qa-sandbox/security-misconfig/?action=host-inject
Host: evil.attacker.com

# Expected: generated_reset_link contains evil.attacker.com
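The Test 5 failure comes down to how the Host header is matched against ALLOWED_HOSTS before it is used to build a link. The following is an added example written for this page, not the sandbox's own code and not Django's source: a framework-free re-implementation of Django's documented ALLOWED_HOSTS matching rule (exact match, a leading-dot pattern that covers the domain and its subdomains, and the catch-all `*`), with a reset-link builder that refuses unvalidated hosts. The `/reset/<token>/` path, the hostnames and the token value are constructed for the example.

```python
# Added example: models Django's ALLOWED_HOSTS host matching outside the framework
# to show why ['*'] lets an attacker-supplied Host header reach a password reset link.
# Illustrative code for this page; the link format and hostnames are assumptions.
from __future__ import annotations


def split_domain_port(host: str) -> tuple[str, str]:
    """Lower-case the host and strip an optional :port (bracketed IPv6 kept whole)."""
    host = host.lower()
    if host.endswith("]"):               # e.g. "[::1]" with no port
        return host, ""
    bits = host.rsplit(":", 1)
    if len(bits) == 2 and bits[1].isdigit():
        domain, port = bits
    else:
        domain, port = host, ""
    return domain.rstrip("."), port      # "example.com." is treated as "example.com"


def is_same_domain(host: str, pattern: str) -> bool:
    """Django-style match: '.example.com' matches example.com and every subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host: str, allowed_hosts: list[str]) -> bool:
    """True if the Host header is acceptable under the given ALLOWED_HOSTS list."""
    domain, _port = split_domain_port(host)
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def build_reset_link(host_header: str, allowed_hosts: list[str], token: str) -> str | None:
    """Build the reset link only for a validated host; otherwise return None.

    None stands in for Django's DisallowedHost (an HTTP 400): the request is
    rejected before the attacker's host can be written into an e-mail.
    """
    if not validate_host(host_header, allowed_hosts):
        return None
    domain, port = split_domain_port(host_header)
    netloc = f"{domain}:{port}" if port else domain
    return f"https://{netloc}/reset/{token}/"   # path is an assumed example


if __name__ == "__main__":
    token = "TOKEN-PLACEHOLDER"          # constructed; a real token is random
    for allowed in (["*"], [".sandbox.example", "localhost"]):
        for host in ("sandbox.example", "api.sandbox.example:8443", "evil.attacker.com"):
            link = build_reset_link(host, allowed, token)
            print(f"ALLOWED_HOSTS={allowed!r:38} Host={host:26} -> {link}")
```

With `['*']` every row produces a link, including the one built from `evil.attacker.com`; with an explicit list the same header is refused while the site's own domain and its subdomains (with or without a port) still pass. In a real deployment this is the difference between `ALLOWED_HOSTS = ['*']` and `ALLOWED_HOSTS = ['.sandbox.example']` in settings; Django also only enforces the list when DEBUG is False, which ties Test 5 back to Test 1.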
Test 6 - Hardened endpoint
GET /qa-sandbox/security-misconfig/?action=check-secure
# Response headers should include:
#   X-Frame-Options: DENY
#   Content-Security-Policy: default-src 'self'
#   X-Content-Type-Options: nosniff
#   Referrer-Policy: strict-origin-when-cross-origin
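Tests 3, 4 and 6 all reduce to one question: does the response carry the four headers above with the expected values? The following added example, written for this page rather than taken from the sandbox or from Django, shows both sides of that check: a Django-style middleware factory that adds the four headers the hardened endpoint returns (only where the view has not already set one), and an audit function that reports which expected headers are missing or wrong on a response. The `FakeResponse` class is a minimal stand-in for `django.http.HttpResponse` so the code runs without the framework; the view bodies are constructed for the example.

```python
# Added example (not the sandbox's or Django's code): sets the four headers the
# hardened endpoint (Test 6) is expected to return, and audits any response for
# them the way the Postman "Headers" tab check does for Tests 3, 4 and 6.
from __future__ import annotations

# Expected header values exactly as listed for Test 6 on this page.
EXPECTED_SECURITY_HEADERS = {
    "X-Frame-Options": "DENY",
    "Content-Security-Policy": "default-src 'self'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}


class FakeResponse:
    """Stand-in for HttpResponse: case-insensitive headers via response[name]."""

    def __init__(self, body: str = "", headers: dict[str, str] | None = None) -> None:
        self.body = body
        self._headers: dict[str, str] = {}
        for name, value in (headers or {}).items():
            self[name] = value

    def __setitem__(self, name: str, value: str) -> None:
        self._headers[name.lower()] = value

    def __getitem__(self, name: str) -> str:
        return self._headers[name.lower()]

    def __contains__(self, name: str) -> bool:
        return name.lower() in self._headers


def security_headers_middleware(get_response):
    """Django-style middleware factory (listed in settings.MIDDLEWARE in a real app).

    It fills in each expected header only when the view did not set one, so a view
    may tighten a policy (for example a stricter CSP) without being overwritten.
    """
    def middleware(request):
        response = get_response(request)
        for name, value in EXPECTED_SECURITY_HEADERS.items():
            if name not in response:
                response[name] = value
        return response
    return middleware


def audit_security_headers(response) -> dict[str, str]:
    """Return {header: problem} for each expected header that is absent or wrong.

    An empty dict is the Test 6 outcome; "missing" entries are what Tests 3 and 4
    surface. The value comparison is strict against the page's expected values.
    """
    findings: dict[str, str] = {}
    for name, expected in EXPECTED_SECURITY_HEADERS.items():
        if name not in response:
            findings[name] = "missing"
        elif response[name].strip() != expected:
            findings[name] = f"unexpected value {response[name]!r}"
    return findings


def misconfigured_view(request):
    """Models the Test 3/4 endpoint: a response with no security headers at all."""
    return FakeResponse("<html>constructed sample body</html>")


if __name__ == "__main__":
    # The bare view: what Tests 3 and 4 observe.
    print(audit_security_headers(misconfigured_view(None)))
    # The same view behind the middleware: what Test 6 observes.
    hardened = security_headers_middleware(misconfigured_view)
    print(audit_security_headers(hardened(None)))
```

The first audit reports all four headers as missing; the second returns an empty dict. In Django, X-Frame-Options, X-Content-Type-Options and Referrer-Policy are normally produced by the built-in XFrameOptionsMiddleware and SecurityMiddleware driven by the `X_FRAME_OPTIONS`, `SECURE_CONTENT_TYPE_NOSNIFF` and `SECURE_REFERRER_POLICY` settings; a CSP header needs middleware like the one above or a dedicated package, which is why it is the header most often found absent in Test 4-style checks.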