DEV Community

Cover image for Hacking Django websites
Code Review Doctor
Code Review Doctor

Posted on • Edited on

Hacking Django websites

Django docs suggests SecurityMiddleware is placed near the top of your MIDDLEWARE settings for good reason: it performs a suite of security checks and enhancements that would otherwise leave your website to the mercy of some simple hacks.

Ready for a Django security challenge? Play our Django security challenge.

X-Content-Type-Options

SecurityMiddleware sets the X-Content-Type-Options header to nosniff to prevent hackers from tricking your website into executing a malicious javascript file that they uploaded.

This header indicate to the browser that the MIME types advertised in the Content-Type headers should not be changed (by "sniffing" the content). The sniffing feature is the browser being helpful when a developer or server misconfiguration misidentified the Content-Type. If the browser respected an incorrect MIME type then a javascript, css, or image file would not work and the website would break. Very helpful feature. But it can be abused, as the following simple proof of concept shows:




# settings.py
MIDDLEWARE = [
    # "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    ...
]

SECURE_CONTENT_TYPE_NOSNIFF = False  # pre-Django 3.0 it was False by default. Post 3.0 it's True

# views.py
class HomePage(View):
    def get(self, *args, **kwargs):
        # simulate a misconfgured server that returns a response that has no content type
        response = HttpResponse("<script>alert('hello world')</script>")
        del response['Content-Type']
        return response


Enter fullscreen mode Exit fullscreen mode

The outcome when navigating to HomePage shows the "hack" worked:

Alt Text

This simple proof of concept simulated the following more complex situation:

  • A bad actor uploaded HTML containing javascript (maybe pretending to be an image file).
  • The file was served by your website but does not set MIME type in the Content-Type header
  • The browser inferred the MIME type based on the content
  • The browser executed the javascript

This would be avoided if we the SecurityMiddleware is present and the nosniff feature is active:



# settings.py
MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.middleware.common.CommonMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    ...
]

SECURE_CONTENT_TYPE_NOSNIFF = True


Enter fullscreen mode Exit fullscreen mode

Then the browser does not fall for the trick:

Alt Text

X-XSS-Protection

SecurityMiddleware sets the X-XSS-Protection header to 1; mode=block when SECURE_BROWSER_XSS_FILTER is True to enable the browser's built-in XSS protection.

This XSS protection has been mostly superseded by CSP. Older browsers still support this feature, but many browsers have removed this feature. Users with older browsers are still important to cater for because security of your website cannot assume everyone is running the latest version of Chrome.

Without the SecurityMiddleware and SECURE_BROWSER_XSS_FILTER then the website will not receive the benefit of being protected against the many possible XSS attacks.

Referrer Policy

SecurityMiddleware sets the referer policy header based on SECURE_REFERRER_POLICY, which impacts user privacy and is an attack vector for bad actors that aim to dupe users into thinking they are still on your website.

The referer header can be abused by the target website: maybe secrets in the your website URL is leaked. More convolutedly, maybe a bad actor can add a link to their website. The target can then read the referer header and style their website to look like your website. A user not paying attention may think they're still on your website because:

  • your website linked to it
  • it looks like your website

So the user may then input credentials and personal details in the bad actor's website.

This can be prevented by not exposing the referer header by settings SECURE_REFERRER_POLICY, which is then handled by the SecurityMiddleware.

Clickjacking

See Hacking Django websites part 2: clickjacking

Cross Site Request Forgery

See Hacking Django websites part 3: CSRF

SSL Redirect

SecurityMiddleware can redirect HTTP connections to HTTPS if SECURE_SSL_REDIRECT is set to True.

If you do not redirect HTTP to HTTPS then passwords and personal information will be transported over plaintext, and a Man In The Middle could read them.

See Hacking Django websites part 4: Man In The Middle

Does your website have security vulnerabilities?

Over time it's easy for security vulnerabilities and tech debt to slip into your codebase. I can check that for you at django.doctor, or can review your GitHub PRs:

Alt Text

Or try out Django refactor challenges.

Top comments (1)

Collapse
 
codeninjausman profile image
Muhammad Usman

Cool