Which version of Django REST Framework is affected by IP Spoofing?

Time:01-21

REF: https://portswigger.net/daily-swig/ip-spoofing-bug-leaves-django-rest-applications-open-to-ddos-password-cracking-attacks Reported Date: Jan 11 2022

  • Other than providing captcha, what security measure should be taken?
  • Which version of Django and/or Python is affected by IP Spoofing?

CodePudding user response:

I did some research into the link you shared, Django's source and Django REST Framework's source.

Bare-bones Django is not vulnerable to this, since it doesn't use X-Forwarded-For, and neither is Python.

Virtually all versions of Django REST Framework are vulnerable, since this commit 9 years ago added the HTTP_X_FORWARDED_FOR check: https://github.com/encode/django-rest-framework/blob/d18d32669ac47178f26409f149160dc2c0c5359c/rest_framework/throttling.py#L155

For measures you can take to avoid this, since a patch is not yet available, you could implement your own rate limiter, and replace get_ident to only use REMOTE_ADDR.

If your Django REST Framework application is behind a proxy, you might not be vulnerable to this.
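Added example (my own code, not DRF's and not part of the answer above): a toy throttle driven by three client-identification functions, showing why trusting X-Forwarded-For lets a single source evade the limit, and how keying on REMOTE_ADDR, or on a trusted-proxy hop count in the spirit of DRF's NUM_PROXIES setting, closes that gap. The addresses and request META dicts are constructed for the demonstration.

```python
from collections import defaultdict
from typing import Callable, Dict, Mapping


def ident_forwarded_first(meta: Mapping[str, str]) -> str:
    """Spoofable: use X-Forwarded-For whenever the client supplies it."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    return "".join(xff.split()) if xff else meta["REMOTE_ADDR"]


def ident_remote_addr(meta: Mapping[str, str]) -> str:
    """Hardened: only the socket peer address, which the client cannot forge."""
    return meta["REMOTE_ADDR"]


def ident_trusted_proxies(meta: Mapping[str, str], num_proxies: int) -> str:
    """Behind `num_proxies` known reverse proxies: take the entry that many
    hops from the right of X-Forwarded-For; anything further left is untrusted."""
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    if num_proxies == 0 or not xff:
        return meta["REMOTE_ADDR"]
    addrs = [a.strip() for a in xff.split(",")]
    return addrs[-min(num_proxies, len(addrs))]


class SimpleThrottle:
    """Fixed-window counter: at most `limit` requests per identity."""

    def __init__(self, ident: Callable[[Mapping[str, str]], str], limit: int):
        self.ident, self.limit = ident, limit
        self.hits: Dict[str, int] = defaultdict(int)

    def allow(self, meta: Mapping[str, str]) -> bool:
        key = self.ident(meta)
        self.hits[key] += 1
        return self.hits[key] <= self.limit


def simulate_login_burst(ident, attempts: int = 20, limit: int = 5) -> int:
    """Constructed burst: one real source (same REMOTE_ADDR) sending a different
    forged X-Forwarded-For on every request. Returns how many got through."""
    throttle = SimpleThrottle(ident, limit)
    allowed = 0
    for i in range(attempts):
        meta = {"REMOTE_ADDR": "198.51.100.7",
                "HTTP_X_FORWARDED_FOR": f"10.0.0.{i}"}
        if throttle.allow(meta):
            allowed += 1
    return allowed


if __name__ == "__main__":
    print("X-Forwarded-For keyed:", simulate_login_burst(ident_forwarded_first))  # 20
    print("REMOTE_ADDR keyed:    ", simulate_login_burst(ident_remote_addr))      # 5
```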
