
django-xss-fuzzer: An XSS vulnerability fuzz tester for Django views.

Project description

Django XSS Fuzzer

An XSS vulnerability fuzz tester for Django views.

This tester will inject XSS patterns into the context data for a template before it is rendered, including:

  • Simple strings
  • Attributes of Django ORM objects in QuerySets

The goal of this tool is to quickly find any XSS vulnerabilities in Django templates.

Any successful injections will write a message to the browser JavaScript console.

Installation

Install via pip

$ pip install django-xss-fuzzer

Add ViewFuzzerMiddleware to your middleware list for a test environment.

MIDDLEWARE = [
    ...
    'django_xss_fuzzer.ViewFuzzerMiddleware'
]

Do not deploy this to a production server!

Configuration

Configure the middleware via the Django global settings.

  • XSS_FUZZER_PATTERNS : A list of XSS patterns to try. See XSS Cheatsheet for inspiration.
  • XSS_INJECT_KWARGS (default False) : Whether to inject XSS patterns into view function keyword arguments
  • XSS_INJECT_CONTEXT_DATA (default True) : Whether to inject XSS patterns into the template context data
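As an added example (not taken from the project's documentation), here is a settings.py fragment that wires the middleware in only when an explicit opt-in environment variable is present, so the fuzzer cannot end up in a production deployment by accident. The variable name XSS_FUZZING is this example's own assumption; the pattern list reuses the README's pattern and the other two settings are shown at their documented defaults.

```python
# settings.py fragment (added example, not from django-xss-fuzzer):
# the fuzzer is only wired in when an explicit opt-in variable is set.
import os

# Assumed opt-in switch; set XSS_FUZZING=1 only in a test environment.
XSS_FUZZING = os.environ.get("XSS_FUZZING") == "1"

MIDDLEWARE = [
    "django.middleware.security.SecurityMiddleware",
    "django.contrib.sessions.middleware.SessionMiddleware",
    "django.middleware.common.CommonMiddleware",
    # ... the rest of the normal stack
]
if XSS_FUZZING:
    MIDDLEWARE.append("django_xss_fuzzer.ViewFuzzerMiddleware")

# The README's pattern, kept verbatim including its {0} placeholder.
XSS_FUZZER_PATTERNS = [
    "x onafterscriptexecute=console.log('found attribute-based xss in {0}')",
]
XSS_INJECT_KWARGS = False        # documented default: leave view kwargs alone
XSS_INJECT_CONTEXT_DATA = True   # documented default: fuzz the template context
```

Keeping the opt-in in the environment rather than in a committed settings file means a checked-in configuration never references the middleware unconditionally, which is the simplest way to honour the "do not deploy this to a production server" warning.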

What about Django's builtin XSS protection?

In 99% of cases, Django's autoescaping will neutralize the injected strings and the injection will fail.

However, there are some gaps, such as unquoted HTML tag attribute values:

<style class={{ var }}>...</style>

This extension would automatically replace var with x onafterscriptexecute=console.log('found attribute-based xss in {0}').

Django would render the following HTML:

<style class=x onafterscriptexecute=console.log('found attribute-based xss in {0}')>...</style>

The JavaScript code within the onafterscriptexecute would be run by the browser, demonstrating the vulnerability.

Another example is the use of the |safe filter inside a Django template, which disables escaping for that value. It is easy to add without a full understanding of the ramifications.

For example, in a permanent (stored) XSS attack, the database or in-memory state could already contain a dangerous string, which |safe would then render unescaped.
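To make the mechanism concrete, here is an added, stand-alone model of it in Python; it is not code from django-xss-fuzzer. `inject` does what the middleware does to the context (string values, and string attributes of objects in QuerySet-like lists), `render` stands in for the template engine using html.escape(), which replaces the same five characters (& < > " ') as Django's autoescaping, and `injected_handlers` parses the rendered HTML with html.parser to check whether a pattern became an event-handler attribute, a server-side equivalent of watching the browser console. The `Row` class, the `audit` helper, and the assumption that `{0}` in the pattern is filled with the name of the replaced context key are this example's own.

```python
from html import escape
from html.parser import HTMLParser

# The attribute-based pattern quoted in the README. The README does not say how
# {0} is filled; this example assumes it becomes the name of the replaced key.
PATTERN = "x onafterscriptexecute=console.log('found attribute-based xss in {0}')"


class Row:
    """Constructed stand-in for a model instance inside a QuerySet."""

    def __init__(self, **fields):
        self.__dict__.update(fields)


def inject(context, pattern=PATTERN):
    """Return a copy of the context in which every string value, and every
    string attribute of objects in list-valued entries, is replaced by the
    pattern tagged with the key it replaced (what the middleware does before
    the template is rendered)."""
    fuzzed = {}
    for key, value in context.items():
        if isinstance(value, str):
            fuzzed[key] = pattern.format(key)
        elif isinstance(value, list):
            for obj in value:
                for attr, attr_value in list(vars(obj).items()):
                    if isinstance(attr_value, str):
                        setattr(obj, attr, pattern.format(f"{key}.{attr}"))
            fuzzed[key] = value
        else:
            fuzzed[key] = value
    return fuzzed


def render(template, context, autoescape=True):
    """Substitute {{ key }} placeholders. html.escape() replaces the same five
    characters as Django's autoescaping; autoescape=False stands in for the
    |safe filter, which passes the value through verbatim."""
    out = template
    for key, value in context.items():
        if isinstance(value, str):
            rendered = escape(value) if autoescape else value
            out = out.replace("{{ " + key + " }}", rendered)
    return out


class _HandlerFinder(HTMLParser):
    """Records every on* attribute carrying the fuzz marker, as a browser's
    tokenizer would see it: an unquoted attribute value ends at the first space."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.startswith("on") and value and "found" in value:
                self.found.append((tag, name))


def injected_handlers(html_text):
    """Return (tag, attribute) pairs where a pattern became an event handler."""
    finder = _HandlerFinder()
    finder.feed(html_text)
    finder.close()
    return finder.found


def audit(template, context, autoescape=True):
    """Fuzz the context, render, and report any injected event handlers; a
    non-empty result is the server-side equivalent of the console message."""
    return injected_handlers(render(template, inject(context), autoescape))


if __name__ == "__main__":
    unquoted = "<style class={{ var }}>...</style>"
    quoted = '<style class="{{ var }}">...</style>'
    print("unquoted attribute:", audit(unquoted, {"var": "x"}))  # [('style', 'onafterscriptexecute')]
    print("quoted attribute:  ", audit(quoted, {"var": "x"}))    # []
```

The unquoted `<style class={{ var }}>` template reports an injected onafterscriptexecute attribute even with escaping on, because escaping touches only the five special characters and the space that terminates an unquoted attribute value is left alone; the same template with `class="{{ var }}"` reports nothing, since the whole pattern stays inside the quoted class value. Calling `audit` with `autoescape=False` mirrors the |safe case, where the pattern reaches the page verbatim. The fix the check points at is always the same: quote every attribute value that carries template output, and keep |safe for values that are known to be trusted markup.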


Files for django-xss-fuzzer, version 0.1.0

  • django_xss_fuzzer-0.1.0-py3-none-any.whl (7.4 kB), Wheel, Python version py3
  • django-xss-fuzzer-0.1.0.tar.gz (6.8 kB), Source, Python version None
