Audit required: Use of md5 BAN-B303
Use of insecure MD2, MD4, MD5, or SHA1 hash functions should be avoided. Using more secure algorithms like SHA256 or SHA512.
Audit required: Use of insecure cipher BAN-B304
Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.
Audit required: Use of insecure cipher mode BAN-B305
Use of insecure cipher or cipher mode. Replace with a known secure cipher such as AES.
Audit required: Insecure cipher BAN-W1004
Cipher used is not secure. It is recommended to replace with a known secure cipher such as AES.
Audit required: Insecure cipher mode BAN-W1005
Use of insecure cipher mode such as ECB is not recommended for use in cryptographic protocols at all. In case of ECB, it encrypts identical plaintext blocks into identical ciphertext blocks; and does not hide data patterns well. In some senses, it doesn't provide serious message confidentiality.
Audit required: Insecure hash function BAN-W1003
D2, MD4, MD5, SHA1 signature algorithms are known to be vulnerable to collision attacks. Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
Audit required: Insecure hash function PTC-W1003
D2, MD4, MD5, SHA1 signature algorithms are known to be vulnerable to collision attacks. Attackers can exploit this to generate another certificate with the same digital signature, allowing them to masquerade as the affected service.
Use of an insecure expatreader method BAN-B315
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Insecure pycryptodome library imported BAN-B414
pycryptodome is a direct fork of pycrypto that has not fully addressed the issues inherent in PyCrypto. It seems to exist, mainly, as an API compatible continuation of pycrypto and should be deprecated in favor of pyca/cryptography which has more support among the Python community.
Audit required: Starting a subprocess BAN-B606
Spawning of a subprocess in a way that doesn't use a shell is generally safe, but it maybe useful for penetration testing workflows to track where external system calls are used.
Audit required: Use of eval PYL-W0123
Use of possibly insecure function - consider using safer ast.literal_eval. Read more on why should eval be avoided here.
Django app detected with DEBUG mode enabled PY-S0900
Running a Django application with debug mode enabled may allow an attacker to gain access to sensitive information. Ensure that Django applications that are run in a production environment have DEBUG set to False.
Insecure lxml import detected BAN-B410
Using various methods to parse untrusted XML data is known to be vulnerable to XML attacks. Replace vulnerable imports with the equivalent defusedxml package.
Use of an insecure method from lxml.etree BAN-B320
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Audit required: Use of exec PYL-W0122
Usage of exec function is strongly discouraged, since it opens up possibilities of unauthorized code execution if the statements are not escaped properly. Read more on why should exec be avoided here.
Detected calls to FTP-related functions BAN-B321
FTP-related functions are being called. FTP is considered insecure. Use SSH/SFTP/SCP or some other encrypted protocol.
Insecure xmlrpclib import detected BAN-B411
XMLRPC is particularly dangerous as it is also concerned with communicating data over a network. Use defused.xmlrpc.monkey_patch() function to monkey-patch xmlrpclib and mitigate remote XML attacks.
Use of an insecure method from xml.dom.pulldom detected BAN-B319
Using various XML methods to parse untrusted XML data is known to be vulnerable to XML attacks. Using the defusedxml module is recommended. Methods should be replaced with their defusedxml equivalents.
Security middleware not activated PY-S0909
MIDDLEWARE list in settings.py is missing django.middleware.security.SecurityMiddleware. Django's security middleware provides several security enhancements to the request/response cycle.
Insecure use of format_html detected PY-S0901
Django's format_html() function can be used to safely insert untrusted user data into HTML. However, passing an already formatting string to format_html() has no effect on the inputted string, and may be a security issue. This may expose cross-site scripting (XSS) vulnerabilities.