© All rights reserved. Cyber Struggle 2022
Cyber Struggle
  • Company
    • About Us
    • CS Internals
    • CS Manifesto
    • Open Letter for Ranger Grads
    • Careers
    • Press and Media
    • GDPR Notification
    • Contact Us
  • Products
    • S-46 Platform
  • Certifications
    • Ranger Certification
      • Ranger Certification Details
      • Ranger Testimonials
    • Aegis Certification
      • Aegis Certification
      • Aegis Testimonials
    • Contemprorary Certifications
      • Cyber Struggle Tactical Pistol Operator
  • For Corporates
  • Resources
    • Articles
    • Threat Reports
    • Tools
    • Announcements
  • Community
    • Community Programs
      • Ribbon Program
    • Delta Group
0
Cyber Struggle
Home / Blog / Articles / Preventing IDOR in Django

Preventing IDOR in Django

By cyberstruggle inArticles, Delta Group

Basically I got some basic internals about Django framework since most of my code reviews operations are with web applications written in Django, in this blog you will get the required knowledge in order to

  • Find IDORS in your Django project
  • Patch it

Insecure Direct Object Reference aka IDOR, as we know Django is “secure web framework” for example you won’t find any kind of SQL Injections vulnerabilities within the project till the developer is executing custom SQL directly in the low level which could lead to SQL Injection within the app , also Django templates escape the HTML in order to prevent XSS , till the user use “safe” flag in the render engine with untrusted data , this also could lead to XSS

 

execution custom SQL directly in the low level

all of the abovementioned scenarios are not common to see in Django projects, because simply it won’t pass from QA review or even normal code review 

What’s IDORs 

it’s not the blog topic but you can check other resources explaining about how you can exploit IDORS and how you can Exploit it and find it in a black-box testing environment 

Common Reasons 

you can check any bug bounty platform programs history about what kind of bugs researchers always find, probably it will be an IDOR based modern web frameworks now are kinds safe by default till someone miss the core point and just passing things into functions without any knowledge about how this function work

normal query calling object from project model based on the ID of that project

the Query above looks too common thing to see within Django apps according to official Django Documentation

you can call get() but it raises HTTP 404 instead of the model’s DoesNotExist exception same as “Project.objects.get(pk=id)” but developers are using it for less HTTP 500 Server error 🙂 and also it’s better than using DoesNotExist exception which requires more lines of code 

this line casing an IDOR Bug since if you wanted to restrict access this object to a specific user stored in the database as Foreign Key this query won’t work because simply it’s just checking for the project ID, and it will return the object till it’s exist 

the same thing applies to Project.objects.get(pk=id) 

Patch it 

the patch is a really simple thing to do and we still on the same line 🙂

exploring get_object_or_404

since the function take *args, **kwargs you can pass user condition which’s probably going to be like this one

looks better without IDORs

but is that really effective? going with all of the views within the project and patching them? with big projects, that’s could be a problem 

Secure By Default

in this section, I will share my personal experience about securing Django projects against IDORs using Django using decorators

custom decorators

How It’s Work 

  • Take the target Model in our example is Project
  • it can work with normal views functions well as class-based views 
  • trying to get fields related to the user foreign key 
  • getting URL parameters in our example is “id”
  • building a query that trying to get the object with the user at the same time
  • if the query failed it should log the request and return PermissionDenied view
DjangoIDORInsecure Direct Object ReferenceSecure development
32 Posts
cyberstruggle
  • Bosphorus Chapter Class 12 is Over
    Previous PostBosphorus Chapter Class 12 is Over
  • Next PostCyber Struggle and Ideal Performance State
    Bosphorus Chapter Class 12 is Over

Related Posts

COM Hijacking for Persistence
Articles Delta Group

COM Hijacking for Persistence

Ratelimit Bypass Tool: Whitepass
Announcements Articles Delta Group

Ratelimit Bypass Tool: Whitepass

Credential Dumping Tool: Chalumeau
Announcements Articles Delta Group

Credential Dumping Tool: Chalumeau

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796
Articles Delta Group

Microsoft SMBv3 Remote Code Execution Vulnerability Overview CVE-2020-0796

Leave a Reply (Cancel reply)

Your email address will not be published. Required fields are marked *

*
*

four + 5 =

Certifications

About
CS Manifesto
Letter to Ranger Grads
Contact Us

About Company

Cyber Struggle Ranger
Cyber Struggle Aegis
Cyber Struggle TPO

For Corporates

Cyber Range Platform
SOC Maturity Certification
In-House SOC Mngmt
Outsource SOC Mngmt
Head Hunting Partnership

Subscribe to newsletter

cs_logo_son

© 2023 Cyber Struggle

in
F.A.Q
Support Forum
Video Tutorials

Search panel can contain any widgets and shortcodes.

Call us: 0 800 255 22 55
Copy