How much of a Django application could be reverse-engineered if the owner forgot to turn debug mode off?

Question

I've been writing a Django app and almost published it with debug mode on. Django's documentation indicates

Never deploy a site into production with DEBUG turned on.

Did you catch that? NEVER deploy a site into production with DEBUG turned on.

One of the main features of debug mode is the display of detailed error pages. If your app raises an exception when DEBUG is True, Django will display a detailed traceback, including a lot of metadata about your environment, such as all the currently defined Django settings (from settings.py).

So I'm wondering how much information could a malicious attacker actually gain in a typical app? Users logins? All your code?

Answer 1

This is highly dependent on the application in question.

So let's say for example you have a django web app that has many programmatic errors (not vulnerabilities). In this case you would be able to generate a lot of highly verbose error messages. If you were able to actually disclose the full contents of settings.py then you would be in big trouble. Your database connection string, CSRF token, cache keys, possibly AWS keys etc are all stored there. You would also be able to, as you mention, reverse engineer some application logic. This behavior can lead to a more targeted attack such as making it easier for me to find XSS or SQL Injection.

Now let's take the opposite case. You deploy an app that is flawless: the impact is much lower, as you will not be disclosing quite as much data. However given the size of the code base your application is not and will not be flawless, so take care to never deploy in debug mode.