Skip to main content

django-xss-fuzzer: An XSS vulnerability fuzz tester for Django views.

Project description

Django XSS Fuzzer

An XSS vulnerability fuzz tester for Django views.

This tester will inject XSS patterns into the context data for a template before it is rendered, including:

  • Simple strings
  • Attributes of Django ORM objects in QuerySets

The goal of this tool is to quickly find any XSS vulnerabilities in Django templates.

Any successful injections will write a message to the browser JavaScript console.

Installation

Install via pip

$ pip install django-xss-fuzzer

Add ViewFuzzerMiddleware to your middleware list for a test environment.

MIDDLEWARE = [
    ...
    'django_xss_fuzzer.ViewFuzzerMiddleware'
]

Do not deploy this to a production server!

Configuration

Configure the middleware via the Django global settings.

  • XSS_FUZZER_PATTERNS : A list of XSS patterns to try. See XSS Cheatsheet for inspiration.
  • XSS_INJECT_KWARGS (Default False) : A switch to disable injecting XSS view function keyword arguments
  • XSS_INJECT_CONTEXT_DATA (Default True) : A switch to disable injecting XSS into class data

What about Django's builtin XSS protection?

In 99% of cases, Django will sanitize the injection strings and they will be unsuccessful.

However, there are some limitations, such as unquoted expressions of HTML tag attributes

<style class={{ var }}>...</style>

This extension would automatically replace var with x onafterscriptexecute=console.log('found attribute-based xss in {0}').

Django would render the following HTML:

<style class=x onafterscriptexecute=console.log('found attribute-based xss in {0}')>...</style>

The JavaScript code within the onafterscriptexecute would be run by the browser, demonstrating the vulnerability.

Other examples, would be the use of the |safe filter inside the Django template. This filter can be put into Django views without a full-understanding of the ramifications.

For example, in a permanent XSS attack, the database, or memory state could contain a dangerous string.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

django-xss-fuzzer-0.1.0.tar.gz (6.8 kB view hashes)

Uploaded Source

Built Distribution

django_xss_fuzzer-0.1.0-py3-none-any.whl (7.4 kB view hashes)

Uploaded Python 3

Supported by

AWS AWS Cloud computing and Security Sponsor Datadog Datadog Monitoring Fastly Fastly CDN Google Google Download Analytics Microsoft Microsoft PSF Sponsor Pingdom Pingdom Monitoring Sentry Sentry Error logging StatusPage StatusPage Status page