An IP spoofing vulnerability in Django REST allowed attackers to circumvent the framework’s throttling feature, which is supposed to protect applications against mass requests.
Django REST is a popular toolkit for developing web APIs and is used by Mozilla, Red Hat, and Heroku among others. It has a throttling feature that controls the rates of requests a client can make to the API.
This feature is meant to protect applications against bot activity, denial-of-service attacks, and malicious activities such as brute-force attempts on login pages, one-time passwords, and password reset pages.
Spoofing the IP address
Django REST uses IP addresses to identify clients and apply the throttling request limits. However, according to security researcher Hosein Vita, clients can trick the server and mask their IP address by changing their request headers.
“Django uses WSGI (web server gateway interface) to communicate with the web application, and the X-Forwarded-For HTTP header and REMOTE_ADDR WSGI variable are used to uniquely identify client IP addresses for throttling,” he told The Daily Swig.
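To make that identification step concrete, the following is an added stand-alone re-implementation (not the framework's own code, and not from the researcher) modelled on how Django REST framework derives the throttle key from X-Forwarded-For and REMOTE_ADDR. The num_proxies argument mirrors the framework's NUM_PROXIES setting, which the article does not mention; all addresses are constructed sample values.

```python
from typing import Optional


def client_ident(meta: dict, num_proxies: Optional[int] = None) -> str:
    """Return the address the throttle keys its rate bucket on.

    meta mimics the WSGI environ: REMOTE_ADDR is the TCP peer the app
    actually talked to, HTTP_X_FORWARDED_FOR is whatever arrived in the
    request header (client-controlled unless a trusted proxy rewrites it).
    """
    xff = meta.get("HTTP_X_FORWARDED_FOR")
    remote_addr = meta.get("REMOTE_ADDR")
    if num_proxies is not None:
        # Hardened path: only the hops we know about are trusted. Count
        # num_proxies entries back from the right-hand, proxy-appended end;
        # anything a client prepended further left is ignored.
        if num_proxies == 0 or not xff:
            return remote_addr
        addrs = [a.strip() for a in xff.split(",")]
        return addrs[-min(num_proxies, len(addrs))]
    # Default path: the header is used verbatim as the identity, so whoever
    # can set it chooses which bucket the request is counted against.
    return "".join(xff.split()) if xff else remote_addr


def proxied_request(real_client: str, client_header: Optional[str]) -> dict:
    """Constructed WSGI environ for a request that crossed one reverse proxy.

    A well-behaved proxy appends the peer address it observed to whatever
    X-Forwarded-For value the client already sent, then forwards to the app
    (REMOTE_ADDR becomes the proxy's own address, 10.0.0.1 here).
    """
    parts = [client_header] if client_header else []
    parts.append(real_client)
    return {"REMOTE_ADDR": "10.0.0.1", "HTTP_X_FORWARDED_FOR": ", ".join(parts)}


def ident_is_stable(real_client: str, num_proxies: Optional[int]) -> bool:
    """True if two requests from the same real client, differing only in the
    header they send, land in the same throttle bucket (i.e. the limit holds)."""
    first = client_ident(proxied_request(real_client, "192.0.2.10"), num_proxies)
    second = client_ident(proxied_request(real_client, "192.0.2.11"), num_proxies)
    return first == second
```

With num_proxies left unset the bucket follows the header, so the same client can reset its own limit on every request; with the proxy depth configured the bucket follows the address the trusted proxy observed.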
The Daily Swig reached out to the Django REST team for comments on the vulnerability. We will update this article if we hear back from them.
In the meantime, Vita has suggested relying on complementary techniques to secure applications against brute-force attacks.
“Always use other aspects of security measures as secondary methods,” he said. “Use Captcha or other related methods to reduce attacks like this on important endpoints. For OTPs, use a token for each generated OTP.”
Source: https://portswigger.net/daily-swig/ip-spoofing-bug-leaves-django-rest-applications-open-to-ddos-password-cracking-attacks