
I have a Django app using the built-in setting called ALLOWED_HOSTS, which whitelists request Host headers. This is needed as Django uses the Host header provided by the client to construct URLs in certain cases.

ALLOWED_HOSTS=djangoapp.com,subdomain.djangoapp.com

I made ten requests with a fake host header (let's call it fakehost.com) to the Django endpoint: /example.

curl -i -s -k -X $'GET' \
    -H $'Host: fakehost.com' -H $'Accept-Encoding: gzip, deflate' -H $'Accept: */*' -H $'Accept-Language: en' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.88 Safari/537.36' -H $'Connection: close' \
    $'https://subdomain.djangoapp.com/example'

In the application logs I see the django.security.DisallowedHost error was raised ten times. However, according to the logs of fakehost.com, it did receive one request for /example.

As I understand, this is a server-side request forgery (SSRF) vulnerability as the Django server can be made to make requests to an arbitrary URL.

It makes debugging hard, and it is strange that the issue doesn't occur consistently. It is also strange that the fake host seems to be recognised by Django, but one request still somehow reached fakehost.com.

Does anyone have any ideas what I could investigate further in order to fix the apparent vulnerability in this Django app? Is the problem potentially on the server level not the application level?

M3RS
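As an added example, not code from the original post or from Django itself, the following re-implements the ALLOWED_HOSTS matching rules that Django documents (case-insensitive exact match, a leading "." matching a domain and all its subdomains, "*" matching anything, port ignored) so the rejection of the spoofed Host header in the question can be reproduced offline. The ALLOWED_HOSTS value is the one from the question; SAMPLE_HOSTS is a constructed list of Host values, and note that this validation only ever compares strings and never issues an outbound request.

```python
import re
from collections import Counter

# Setting taken from the question above.
ALLOWED_HOSTS = ["djangoapp.com", "subdomain.djangoapp.com"]

# Host header grammar: a domain (or bracketed IPv6 literal), then an optional ":port".
_HOST_RE = re.compile(r"^(\[[0-9a-f:.]+\]|[a-z0-9.\-]+)(?::([0-9]+))?$")


def split_domain_port(host: str) -> tuple[str, str]:
    """Lowercase the Host value and split off any port; ('', '') if malformed."""
    m = _HOST_RE.match(host.lower())
    if not m:
        return "", ""
    return m.group(1), m.group(2) or ""


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or a leading dot matches the bare domain and every subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host: str, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """True if the Host header is allow-listed; a '*' entry disables the check."""
    domain, _port = split_domain_port(host)
    if not domain:
        return False
    return any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def disallowed_hosts(host_headers, allowed_hosts=ALLOWED_HOSTS) -> Counter:
    """Count rejected Host values, one per DisallowedHost the app would log."""
    return Counter(h for h in host_headers if not validate_host(h, allowed_hosts))


# Constructed sample: the ten spoofed requests from the question plus legitimate ones.
SAMPLE_HOSTS = ["fakehost.com"] * 10 + [
    "subdomain.djangoapp.com", "djangoapp.com:443", "DJANGOAPP.COM",
]

if __name__ == "__main__":
    for h, n in disallowed_hosts(SAMPLE_HOSTS).items():
        print(f"django.security.DisallowedHost would be raised {n} times for Host: {h}")
```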
  • How do you know that the request to “fakehost.com” originated from the Django process? Vanilla Django will not make any external requests, do you have anything installed that might? – Iain Shelvington Feb 25 '21 at 10:54
  • Good point, thanks. So the problem is probably not with the application. Can be server config or AWS load balancer, but these should be secure by default. Issue appears inconsistently... maybe there is some other component I haven't thought of. – M3RS Feb 25 '21 at 12:46
  • Can you see the source and type of request made to `fakehost.com` (GET/HEAD/OPTIONS)? – Iain Shelvington Feb 25 '21 at 12:53
  • It's a GET request just like my original request. Oh, just noticed something in the header: x-amzn-trace-id (!) so it's coming from the AWS load balancer!? – M3RS Feb 25 '21 at 13:00
  • The presence of the `X-Amzn-Trace-Id` header means that the request went through the load balancer not that it originated from it. It could be anything really, some Amazon service that pings all host headers that come in to see if they are real? Is there an IP? – Iain Shelvington Feb 25 '21 at 13:21
  • Yeah, one request to the web app generates six requests on fakehost.com. This can't be reproduced more than once for a given fake host. Six requests come from three IP addresses, two IPs from the web app's country, one IP from where I am. Can't recognise these addresses and they are not in AWS IP ranges... seems like it's the "network"... – M3RS Feb 26 '21 at 08:07
  • Hi M3RS, I noticed that you posted this on multiple forums, have you found a solution to this problem? We're seeing something similar, but we don't have a load balancer. Our setup is a standard lamp. – user103052 Mar 04 '21 at 00:22
  • Haven’t found a solution. – M3RS Mar 04 '21 at 05:44

0 Answers