
PYTHON WEB FRAMEWORK

Django

Implementation for the framework:

Django is a high-level Python web framework, not a programming language of its own. It is used to build a
wide range of sites, from content-driven pages to highly customizable applications such as social
networks. It promotes rapid development and clean, pragmatic design. Its goal is to take care of the
common foundations so that developers can concentrate on the parts of a site that are specific to their
project rather than rewriting boilerplate.

The Python source distribution has long followed the "batteries included" philosophy: a robust, adaptable
standard library is available immediately, without the user having to download additional packages, which
in many situations gives the language an advantage. Django adopts the same idea, bundling an ORM, user
authentication, an admin interface and form handling, so it is a strong choice for any developer who wants
to build modern, reliable web applications with less code inside a well-organized framework.

The Django ORM maps model classes to relational database tables, so the application works with Python
objects instead of hand-written SQL, and schema changes are tracked through migrations rather than
maintained by hand. It supports all major relational databases, including PostgreSQL, MySQL, MariaDB,
SQLite and Oracle. Because Django applications scale to large datasets, they are well suited to building
data-driven content management systems. Django itself does no data plotting; analysis and visualisation
come from the surrounding Python ecosystem, which integrates easily and can be used to evaluate user data
and plan marketing strategies.

Security features:

Django takes security seriously and helps developers avoid many common mistakes. Its defaults steer a
project toward sound practice: the ORM parameterises queries against SQL injection, the CSRF middleware
checks a per-session token on state-changing requests, and the template engine auto-escapes output
against cross-site scripting (XSS).

The framework receives security fixes on a regular schedule and also defends against clickjacking (the
X-Frame-Options middleware), CRLF header injection (a newline in a response header value raises an error
instead of being sent) and timing attacks on secret comparison (django.utils.crypto.constant_time_compare).
Further advantages come from built-in user authentication, validated handling of user-uploaded files, and a
permissions system that lets multiple users log in with predetermined access rights.
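The two header-level protections named above are easy to show in plain Python. The following is an added
example written for this page, not Django's own code: a response builder that pastes header values
verbatim (and so can be split by a CRLF in a redirect target) beside one that rejects newlines and adds an
anti-clickjacking header by default, plus the constant-time comparison that Django's
constant_time_compare wraps. The exception name BadHeaderError is borrowed from Django for
familiarity; the redirect target with the embedded forged header is constructed for the example.

```python
import hmac


class BadHeaderError(ValueError):
    """Raised when a header name or value contains a CR or LF."""


def set_header(headers, name, value):
    """Store a response header only if neither part can start a new header line."""
    for part in (name, value):
        if "\r" in part or "\n" in part:
            raise BadHeaderError(f"header contains a newline: {part!r}")
    headers[name] = value
    return headers


def build_response_vulnerable(status, headers):
    """Serialise status line and headers verbatim; an attacker-supplied CRLF splits them."""
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in headers.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def build_response_hardened(status, headers):
    """Validate every header and add the anti-clickjacking header unless the app set one."""
    checked = {}
    for name, value in headers.items():
        set_header(checked, name, value)
    checked.setdefault("X-Frame-Options", "DENY")
    lines = [f"HTTP/1.1 {status}"] + [f"{k}: {v}" for k, v in checked.items()]
    return "\r\n".join(lines) + "\r\n\r\n"


def parse_headers(raw):
    """Read the headers back the way an HTTP client would: one header per CRLF line."""
    head = raw.split("\r\n\r\n", 1)[0]
    parsed = {}
    for line in head.split("\r\n")[1:]:
        name, _, value = line.partition(": ")
        parsed[name] = value
    return parsed


def compare_naive(expected, supplied):
    """Stops at the first differing byte; the delay leaks how long the matching prefix is."""
    return expected == supplied


def compare_constant_time(expected, supplied):
    """Takes the same time no matter where the two values differ."""
    return hmac.compare_digest(expected.encode(), supplied.encode())


# Constructed sample input (not from the page): a redirect target taken from a query
# string, into which an attacker has encoded a CRLF followed by a forged header.
INJECTED_TARGET = "https://example.test/home\r\nSet-Cookie: session=attacker"
```

Feeding INJECTED_TARGET through the vulnerable builder yields a response in which the client sees a
second, attacker-chosen Set-Cookie header; the hardened builder refuses to emit the response at all.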

Security issues:

In line with its security release policy, the Django team released Django 3.2.5 and Django 3.1.13 on
1 July 2021. These releases address a "high" severity issue, CVE-2021-35042: unsanitized input passed to
QuerySet.order_by() could lead to SQL injection. Even though a deprecation warning was emitted,
unsanitized user input passed to QuerySet.order_by() could bypass the intended column-reference
validation in a code path marked for deprecation, resulting in a possible SQL injection.

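To make the order_by() problem concrete, here is an added example in plain Python with sqlite3; it is
neither Django's code nor the patched code path. A vulnerable function pastes a client-supplied sort
parameter straight into ORDER BY, beside a hardened one that accepts only allowlisted column names in the
same "field" / "-field" shape that Django's order_by() takes. The employee table, its rows and the
injection payload are constructed for the example.

```python
import re
import sqlite3

# Constructed sample data (not from the page).
SAMPLE_ROWS = [
    (1, "alice", 2019),
    (2, "bob", 2021),
    (3, "carol", 2018),
]

# Columns a client may sort on; anything else is rejected before it reaches SQL.
ALLOWED_ORDER_FIELDS = {"id", "name", "hired"}

# Same shape Django's order_by() accepts: optional leading "-" for descending order.
_ORDER_TERM = re.compile(r"^(-?)([A-Za-z_][A-Za-z0-9_]*)$")


def make_db():
    """In-memory SQLite database holding the constructed employee rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE employee (id INTEGER PRIMARY KEY, name TEXT, hired INTEGER)")
    conn.executemany("INSERT INTO employee VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def order_vulnerable(conn, order_param):
    """Vulnerable: the client's value is interpolated verbatim into ORDER BY."""
    sql = f"SELECT id, name, hired FROM employee ORDER BY {order_param}"
    return conn.execute(sql).fetchall()


def build_order_by(order_param, allowed=ALLOWED_ORDER_FIELDS):
    """Turn 'name,-hired' into '"name" ASC, "hired" DESC', rejecting anything off the allowlist."""
    clauses = []
    for raw in order_param.split(","):
        term = raw.strip()
        match = _ORDER_TERM.match(term)
        if not match:
            raise ValueError(f"invalid order term: {term!r}")
        sign, field = match.groups()
        if field not in allowed:
            raise ValueError(f"cannot order by {field!r}")
        clauses.append(f'"{field}" {"DESC" if sign else "ASC"}')
    return ", ".join(clauses)


def order_hardened(conn, order_param):
    """Hardened: only allowlisted identifiers reach the query, and they are quoted."""
    sql = f"SELECT id, name, hired FROM employee ORDER BY {build_order_by(order_param)}"
    return conn.execute(sql).fetchall()


# Constructed payload: an arbitrary SQL expression in ORDER BY position. Its result
# depends on a subquery, which is exactly the primitive a blind SQL injection builds on.
INJECTED_ORDER = "(CASE WHEN (SELECT count(*) FROM sqlite_master) > 0 THEN name ELSE id END)"
```

In a Django view the equivalent is to check request.GET["ordering"] against a fixed set before calling
queryset.order_by(); the framework's own column validation is defence in depth, not a reason to pass
request data through unchecked.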
Web2py

Implementation for the framework:

web2py is a free, open-source web framework written in Python and programmable in Python for
developing secure, database-driven web applications efficiently. It is a full-stack framework, which
means it includes everything needed to build fully working web applications. The bundled web interface
can be used for application development, deployment, debugging, testing, database administration and
maintenance. web2py follows the Model-View-Controller design; its three components are as follows:

Component: Model
 - "db.py" is the Model.
 - The Model contains the application's data logic and, as the diagram shows, connects to the database.
   Consider SQLite, which is kept on disk: "employee" is a table not yet defined in the SQLite database,
   and if the table does not exist, web2py creates it.

Component: Controller
 - The program "default.py" is the Controller.
 - URL mapping gives access to functions and modules in web2py. In this example, "employees" is a single
   function (or "action") in the Controller.
 - A Controller action returns either a string or a Python dictionary, a key-value mapping that carries a
   collection of local variables to the View.

Component: View
 - "default/contacts.html" is the View.
 - After the appropriate Controller function has run, the View renders its output.
 - This View's job is to render the variables from the dictionary as HTML. The View file is written in
   HTML but uses the {{ and }} delimiters to embed Python code.
 - The resulting HTML is produced by that embedded Python code from the values in the dictionary.

web2py encourages programmers to keep data representation (model), data display (view) and application
workflow (controller) separate. It can also run tasks at predetermined intervals, or once specified actions
have completed, through its built-in CRON. By steering the developer toward software-engineering practices
that avoid code repetition, web2py follows the Don't Repeat Yourself (DRY) principle. It assists the
developer through practically every step of building a web application (creating and validating forms,
managing sessions, cookies, errors, and so on). User applications are not imported by web2py; they are
executed in a predefined environment in which web2py's own modules are already available, which saves time
and eliminates a class of errors, again in the spirit of DRY.

Security features:

web2py is designed to be secure and automatically addresses many of the issues that lead to security
flaws. It ships with a flexible and robust Role-Based Access Control (RBAC) system. RBAC is a method of
limiting system access to authorized users according to the roles they hold. The web2py class that
implements RBAC is called Auth; its database schema consists of the tables auth_user, auth_group,
auth_membership, auth_permission and auth_event.

Role and permission names are not restricted in general; the developer defines them to match the roles
and permissions of the organization. Once they exist, web2py offers an API to check whether a user is
logged in, whether a user is a member of a particular group, and whether a user belongs to any group that
holds a specified permission. Decorators may be used to restrict access to any function depending on
login, membership and permissions.
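The checks and decorators described above can be modelled in a few dozen lines. What follows is an added
example written for this page, not web2py's Auth class: a minimal in-memory stand-in with the same four
concepts (users, groups as roles, memberships, permissions) and decorators named after web2py's
requires_login / requires_membership / requires_permission. As in web2py, a permission stored with
record_id 0 is assumed to cover every record of the named table. Unlike web2py, failed checks raise an
exception instead of redirecting to a login page. The users, groups and grants in build_demo() are
constructed for the example.

```python
from functools import wraps


class NotAuthorized(PermissionError):
    """Raised by the guards below instead of redirecting to a login page."""


class Auth:
    """Stand-in for web2py's Auth: users, groups (roles), memberships, permissions.

    Permissions are stored as (group_id, name, table_name, record_id); record_id 0
    means the grant covers every record of that table.
    """

    def __init__(self):
        self.users = {}           # user_id -> name
        self.groups = {}          # group_id -> role name
        self.memberships = set()  # (user_id, group_id)
        self.permissions = set()  # (group_id, name, table_name, record_id)
        self.user_id = None       # id of the "logged in" user, if any

    def add_user(self, name):
        uid = len(self.users) + 1
        self.users[uid] = name
        return uid

    def add_group(self, role):
        gid = len(self.groups) + 1
        self.groups[gid] = role
        return gid

    def add_membership(self, group_id, user_id):
        self.memberships.add((user_id, group_id))

    def add_permission(self, group_id, name, table_name="", record_id=0):
        self.permissions.add((group_id, name, table_name, record_id))

    def login(self, user_id):
        self.user_id = user_id

    def logout(self):
        self.user_id = None

    def is_logged_in(self):
        return self.user_id is not None

    def user_groups(self, user_id=None):
        uid = self.user_id if user_id is None else user_id
        return {gid for (u, gid) in self.memberships if u == uid}

    def has_membership(self, role, user_id=None):
        return any(self.groups[gid] == role for gid in self.user_groups(user_id))

    def has_permission(self, name, table_name="", record_id=0, user_id=None):
        for gid in self.user_groups(user_id):
            if (gid, name, table_name, 0) in self.permissions:
                return True   # table-wide grant
            if record_id and (gid, name, table_name, record_id) in self.permissions:
                return True   # grant on this specific record
        return False

    # Decorators, named after web2py's auth.requires_* family; every one requires a login.
    def requires_login(self):
        return self._guard(self.is_logged_in, "login required")

    def requires_membership(self, role):
        return self._guard(lambda: self.has_membership(role), f"role {role!r} required")

    def requires_permission(self, name, table_name="", record_id=0):
        return self._guard(lambda: self.has_permission(name, table_name, record_id),
                           f"permission {name!r} on {table_name!r} required")

    def _guard(self, check, message):
        def decorator(action):
            @wraps(action)
            def wrapper(*args, **kwargs):
                if not self.is_logged_in() or not check():
                    raise NotAuthorized(message)
                return action(*args, **kwargs)
            return wrapper
        return decorator


def build_demo():
    """Constructed scenario: managers may edit any employee, staff may read; bob may edit row 2."""
    auth = Auth()
    alice, bob = auth.add_user("alice"), auth.add_user("bob")       # ids 1 and 2
    managers, staff = auth.add_group("manager"), auth.add_group("staff")
    auth.add_membership(managers, alice)
    auth.add_membership(staff, alice)
    auth.add_membership(staff, bob)
    auth.add_permission(managers, "edit", "employee")      # record_id 0: every row
    auth.add_permission(staff, "read", "employee")
    auth.add_permission(staff, "edit", "employee", 2)      # one specific row only

    @auth.requires_permission("edit", "employee")
    def edit_employee(record_id):
        return f"edited employee {record_id}"

    @auth.requires_membership("manager")
    def payroll():
        return "payroll report"

    return auth, edit_employee, payroll
```

The decorator form carries fixed arguments, so it can only express table-wide grants; a per-record
decision such as "bob may edit only row 2" has to be made inside the action with has_permission(), which
is the same split web2py users run into.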

Security issues:

According to the security bulletin listed in the references, several vulnerabilities have been discovered
in web2py, and earlier versions may contain authentication flaws. One of them, CVE-2016-10321, is rated
"critical" under CVSS version 3 and allows an attacker to bypass a security measure: web2py versions
before 2.14.6 do not properly check whether a host is denied before verifying the password, so the
lockout meant to stop repeated failed logins never takes effect. A remote, unauthenticated attacker can
therefore carry out a password brute-force attack against the targeted system.

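As an added illustration of the check-ordering flaw described above (example code written for this page,
not web2py's Auth implementation), the toy login service below keeps a per-host failure counter and offers
two login methods that differ only in whether the deny list is consulted before or after the password is
verified. The user, passwords and client addresses used with it are constructed for the example.

```python
import hashlib
import hmac
import os


class LoginService:
    """Toy login service whose two login methods differ only in the order of checks.

    Failed attempts are counted per client host; once a host reaches max_attempts
    within lockout_seconds it is 'denied' and must not receive a password verdict.
    """

    def __init__(self, max_attempts=3, lockout_seconds=300):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.users = {}      # username -> (salt, pbkdf2 hash)
        self.failures = {}   # host -> timestamps of recent failed attempts

    @staticmethod
    def _hash(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)

    def register(self, username, password):
        salt = os.urandom(16)
        self.users[username] = (salt, self._hash(password, salt))

    def _password_ok(self, username, password):
        if username not in self.users:
            return False
        salt, expected = self.users[username]
        return hmac.compare_digest(expected, self._hash(password, salt))

    def _record_failure(self, host, now):
        self.failures.setdefault(host, []).append(now)

    def is_denied(self, host, now):
        """True once the host has max_attempts failures inside the lockout window."""
        recent = [t for t in self.failures.get(host, []) if now - t < self.lockout_seconds]
        self.failures[host] = recent
        return len(recent) >= self.max_attempts

    def login_vulnerable(self, host, username, password, now):
        """Verifies the password first and consults the deny list only on success.

        A locked-out host still gets 'bad_password' for wrong guesses and 'denied'
        for the right one, so the lockout does nothing to stop the brute force.
        """
        if not self._password_ok(username, password):
            self._record_failure(host, now)
            return "bad_password"
        if self.is_denied(host, now):
            return "denied"
        return "ok"

    def login_hardened(self, host, username, password, now):
        """Checks the deny list before touching the password at all."""
        if self.is_denied(host, now):
            return "denied"
        if not self._password_ok(username, password):
            self._record_failure(host, now)
            return "bad_password"
        self.failures.pop(host, None)   # a successful login clears the counter
        return "ok"
```

Once a host is denied, the hardened method answers "denied" whether or not the guess was correct, which
is the property the vulnerable ordering loses: its distinct responses turn the login form into a password
oracle that keeps working after the lockout.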

References

https://www.djangoproject.com/weblog/2021/jul/01/security-releases/

https://wiki.python.org/moin/WebFrameworks

https://www.monocubed.com/django-web-framework/

https://www.netguru.com/blog/why-use-django

https://djangostars.com/blog/why-we-use-django-framework/

http://web2py.com/books/default/chapter/29/09/access-control

https://www.tutorialspoint.com/web2py/web2py_quick_guide.htm

http://web2py.com/books/default/chapter/34/01/introduction

https://www.cybersecurity-help.cz/vdb/SB2019062810
