Auth Bypass in Django with Mutual Tls
Auth Bypass in Django with Mutual Tls — how this specific combination creates or exposes the vulnerability
Mutual TLS (mTLS) requires both the client and server to present and validate certificates. In Django, mTLS is typically implemented at the reverse proxy or load balancer (e.g., Nginx, HAProxy, AWS ALB), which terminates TLS and forwards requests to Django over HTTP or HTTPS. If the proxy is misconfigured or Django is unaware of the proxy, the effective authentication state can be improperly derived, leading to an Auth Bypass.
Attack scenario: An attacker connects directly to the Django development server or a misconfigured app server that does not enforce mTLS. Because Django does not see a client certificate, it may fall back to an alternative authentication mechanism (e.g., session cookie, API key, or anonymous access). If the application treats missing client certificates as a non-fatal condition and still grants access, the effective authentication is weakened. For example, a view protected by mTLS at the proxy might still be reachable if the proxy fails to reject unauthenticated connections and Django’s decorators or middleware do not validate the presence of mTLS-derived metadata.
Another common pattern is relying on proxy headers (e.g., SSL_CLIENT_S_DN, X-SSL-CERT) to infer the client identity without verifying that the proxy itself enforced mTLS. If an attacker can reach Django without the proxy (for instance, by bypassing the ingress or exploiting a misconfigured firewall), these headers may be spoofed or missing, and Django may incorrectly treat the request as authenticated. This is especially risky when developers use ALLOWED_HOSTS or assume that HTTPS alone guarantees client identity, while not validating the certificate chain or mapping it to a user in Django’s authorization layer.
Middleware and decorator misuse can compound the issue. For instance, using @login_required without checking for a valid client certificate or a proxy-derived attribute means the view is protected by session authentication rather than mTLS. If session cookies are not properly protected (e.g., missing Secure and HttpOnly), an attacker may hijack a session and bypass the intended mTLS enforcement. Similarly, custom authentication backends that trust proxy headers without strict validation can be tricked into authenticating a request that lacks a proper client certificate.
Operational factors also contribute. If certificate revocation is not enforced (missing CRL/OCSP checks), a compromised client certificate may still be accepted. Additionally, failing to rotate certificates or using weak cipher suites can weaken the overall assurance provided by mTLS. The key takeaway is that mTLS in Django is only as strong as the integration between the proxy, the headers it sets, and how Django validates or derives authentication from those signals. Without explicit checks, the framework’s default behavior can permit access when it should deny it.
Mutual Tls-Specific Remediation in Django — concrete code fixes
Remediation focuses on ensuring Django is aware of the mTLS context and enforces client certificate validation at the application level when necessary. Below are concrete, realistic examples that you can adapt to your deployment.
1. Configure your reverse proxy to enforce mTLS and set trusted headers
Example Nginx snippet that requires client certificates and passes validated identity to Django:
server {
listen 443 ssl;
ssl_certificate /path/to/server.crt;
ssl_certificate_key /path/to/server.key;
ssl_client_certificate /path/to/ca.crt;
ssl_verify_client on;
location / {
proxy_pass http://django_app;
proxy_set_header X-SSL-Cert $ssl_client_escaped_cert;
proxy_set_header X-SSL-Issuer $ssl_client_i_dn;
proxy_set_header X-SSL-Subject $ssl_client_s_dn;
proxy_set_header X-SSL-Fingerprint $ssl_client_msec;
}
}
Key points: ssl_verify_client on ensures only clients with valid certs are proxied. The certificate details are forwarded as headers for Django to inspect. Avoid forwarding untrusted headers from clients; only use values set by the proxy.
2. Create a custom authentication backend that validates proxy headers
This backend checks the presence and format of the proxy-derived certificate fingerprint and optionally maps it to a Django user. It should be used alongside session authentication or as part of a hybrid approach.
import hashlib
import re
from django.conf import settings
from django.contrib.auth.backends import BaseBackend
from django.contrib.auth import get_user_model
User = get_user_model()
# A simple regex to match a hex fingerprint (e.g., SHA256:AB:CD...)
FINGERPRINT_RE = re.compile(r'^[A-Fa-f0-9:]+$')
def _normalize_fingerprint(value):
if not value:
return None
# Remove whitespace and normalize case
cleaned = ''.join(value.split(':')).upper()
return cleaned if re.fullmatch(r'^[A-F0-9]+$', cleaned) else None
class MutualTlsBackend(BaseBackend):
def authenticate(self, request, proxy_x_ssl_fingerprint=None):
if not proxy_x_ssl_fingerprint:
return None
fingerprint = _normalize_fingerprint(proxy_x_ssl_fingerprint)
if not fingerprint or not FINGERPRINT_RE.match(fingerprint):
return None
# Example mapping: store fingerprint in a model or use a claim/user mapping
try:
user = User.objects.get(mtls_fingerprint__iexact=fingerprint)
return user
except User.DoesNotExist:
return None
def get_user(self, user_id):
try:
return User.objects.get(pk=user_id)
except User.DoesNotExist:
return None
3. Add middleware to enforce mTLS-derived authentication for specific views
This middleware checks for the proxy header and ensures a user has been authenticated via mTLS when required. It can be combined with decorator usage.
from django.http import HttpResponseForbidden
class MutualTlsRequiredMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
# Only apply to paths where mTLS is required
if getattr(request, 'mtls_required', False):
user = getattr(request, 'user', None)
fingerprint = request.META.get('HTTP_X_SSL_FINGERPRINT')
if not fingerprint or not user or not user.is_authenticated:
return HttpResponseForbidden('Client certificate required')
response = self.get_response(request)
return response
4. Use a decorator for views that require mTLS authentication
Apply this decorator to views that should only be accessible when mTLS is verified via the proxy.
from functools import wraps
from django.http import HttpResponseForbidden
def mtls_required(view_func):
@wraps(view_func)
def _wrapped(request, *args, **kwargs):
fingerprint = request.META.get('HTTP_X_SSL_FINGERPRINT')
if not fingerprint:
return HttpResponseForbidden('Client certificate required')
# Optionally verify fingerprint against the database
# (relying on authentication middleware that used MutualTlsBackend)
if not request.user.is_authenticated:
return HttpResponseForbidden('Authentication required')
return view_func(request, *args, **kwargs)
return _wrapped
5. Settings and security hygiene
- Set SECURE_PROXY_SSL_HEADER only when the proxy is trusted, to avoid header spoofing:
SECURE_PROXY_SSL_HEADER = ('HTTP_X_FORWARDED_PROTO', 'https') - Do not rely on ALLOWED_HOSTS alone to enforce mTLS; it does not validate certificates.
- Store client fingerprints securely (e.g., hashed) in your user model if you need to map certificates to users.
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |