Lock Restriction

Bypassing Django-Defender IP Based Restriction

Hi there

A few minutes ago I saw a tweet. I love Django and the community that supports it with open-source modules such as Django-Defender, so I decided to look at the source code from a security perspective.

What is Django-Defender?

A simple Django reusable app that blocks people from brute forcing login attempts. The goal is to make this as fast as possible, so that we do not slow down the login attempts.

https://github.com/kencochrane/django-defender

Vulnerabilities


To keep it short, I will jump straight into the code. The following code is responsible for getting the client IP address from HTTP requests.

Trusting user-controlled data is always a threat to applications. One such vector is the X-Forwarded-For (XFF) header, which a client can spoof by tampering with the HTTP request through a local proxy such as Burp Suite.

As you can see in the code above, the get_ip_address_from_request function takes the IP address directly from the request.

The function checks for a comma in the XFF string in the first if statement. Let's assume we have a single IP address in XFF. Next comes the IP validation phase.

The first part of the if statement deals with private IP prefixes like 10, 192, 172, etc. Let's look at the is_valid_ip function.

Everything is fine if we pass a valid IP address to the inet_aton function. If you pass an arbitrary string or something else, an exception is thrown.

But what happens if you pass something different, like the following example?

As you can see, the function did not throw an exception and returned AAAA.

  1. 0x41.0x41.0x41.0x41 does not start with one of the PRIVATE IPS PREFIX values.
  2. It also does not throw an exception. That means is_valid_ip returns True.
  3. The application will do its IP-based logic with 0x41.0x41.0x41.0x41, a value the client could spoof in the first place.
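As an added example (not Django-Defender's own code), the block below puts the permissive inet_aton check described above next to a strict validator, and shows a client-IP lookup that only consults X-Forwarded-For when the request came in through a proxy the operator runs. The function names, the TRUSTED_PROXIES set and the sample META dicts are constructed for this illustration.

```python
"""Added example, not django-defender's code: a strict replacement for the
inet_aton-based check described above, and a client-IP lookup that only
consults X-Forwarded-For when the request arrived through a proxy we run.
Function names, the TRUSTED_PROXIES set and the sample META dicts are
constructed for this illustration."""
import ipaddress
import socket


def packed_or_none(ip):
    """What inet_aton actually returns for a string, or None if it rejects it."""
    try:
        return socket.inet_aton(ip)
    except (OSError, TypeError):
        return None


def is_valid_ip_permissive(ip):
    """The weak check from the post: inet_aton also accepts hex octets
    ('0x41.0x41.0x41.0x41' -> b'AAAA'), octal octets and short forms such as
    '1.2.3', so non-canonical strings pass and reach the ban/allow logic."""
    return packed_or_none(ip) is not None


def is_valid_ip_strict(ip):
    """Hardened check: ipaddress only accepts canonical dotted-decimal IPv4
    or a well-formed IPv6 literal, so the inet_aton corner cases are rejected."""
    try:
        ipaddress.ip_address(ip)
        return True
    except ValueError:
        return False


def get_client_ip(meta, trusted_proxies):
    """Resolve the client address from a WSGI-style META dict.

    REMOTE_ADDR comes from the TCP connection and cannot be set by the client.
    X-Forwarded-For is honoured only when REMOTE_ADDR is one of our proxies;
    the chain is then walked from the right, skipping our own hops, and the
    first foreign address wins. A hop that is not a canonical IP means the
    header was tampered with or malformed: return None so the caller can
    refuse the request instead of keying a throttle on attacker-chosen text.
    """
    remote = meta.get("REMOTE_ADDR", "")
    if not is_valid_ip_strict(remote):
        return None
    trusted = {ipaddress.ip_address(p) for p in trusted_proxies}
    if ipaddress.ip_address(remote) not in trusted:
        # Direct connection: anything in X-Forwarded-For is client-supplied noise.
        return remote
    hops = [h.strip() for h in meta.get("HTTP_X_FORWARDED_FOR", "").split(",")]
    for hop in reversed([h for h in hops if h]):
        if not is_valid_ip_strict(hop):
            return None
        if ipaddress.ip_address(hop) not in trusted:
            return hop
    # Every hop was one of our proxies (or the header was empty).
    return remote


# Constructed sample requests (RFC 5737 documentation addresses).
TRUSTED_PROXIES = {"10.0.0.2", "10.0.0.3"}
REQ_DIRECT = {"REMOTE_ADDR": "203.0.113.7",
              "HTTP_X_FORWARDED_FOR": "0x41.0x41.0x41.0x41"}
REQ_PROXIED = {"REMOTE_ADDR": "10.0.0.2",
               "HTTP_X_FORWARDED_FOR": "198.51.100.9, 10.0.0.3"}
REQ_TAMPERED = {"REMOTE_ADDR": "10.0.0.2",
                "HTTP_X_FORWARDED_FOR": "0x41.0x41.0x41.0x41, 10.0.0.3"}

if __name__ == "__main__":
    for probe in ("203.0.113.7", "0x41.0x41.0x41.0x41", "1.2.3"):
        print(probe, is_valid_ip_permissive(probe), is_valid_ip_strict(probe))
    for name, req in (("direct", REQ_DIRECT), ("proxied", REQ_PROXIED),
                      ("tampered", REQ_TAMPERED)):
        print(name, get_client_ip(req, TRUSTED_PROXIES))
```

The important design point is that the header is never the primary source: the throttle key is REMOTE_ADDR unless the connection provably came from an operator-controlled proxy, and even then only canonical addresses are accepted, so a forged XFF value cannot open a fresh, unbanned bucket.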

Demo

Django-Defender's README file says: "https://hub.docker.com is using Django-Defender".

I created a new user and captured the login request.

I will use Burp Suite Intruder to simulate a brute-force login. The web site blocked us after 10 failed login attempts and shows the following error message when I try to reach the login page.

Sorry, you have made too many failed login attempts with that username and have been locked out for 10 minutes.

This error may have appeared because of the same cookie. I deleted all cookies and tried to reach the login page once more, but the result was the same.

Now it's time to use the trick we found earlier.

Django-defender bypass

Please look at the grey row. I put the XFF string in the HTTP header.

Voila! We managed to bypass the IP-based ban. We are able to brute-force again.

UPDATE:

25 Feb 2015 00:35 = Vulnerability reported to the developer team.

25 Feb 2015 01:00 = Ken Cochrane responded.

25 Feb 2015 08:00 = Patch is under development. https://github.com/kencochrane/django-defender/pull/33


  • Michał Pasternak

    First the blog post, THEN the vulnerability report? Man…