HIGH missing authenticationdjango
Missing Authentication in Django
How Missing Authentication Manifests in Django
Missing authentication in Django APIs creates critical security gaps that attackers can exploit. Here are the most common Django-specific manifestations:
- URL patterns without @login_required or @permission_required decorators - Django view functions exposed without authentication checks, allowing anyone to access admin interfaces, user data, or administrative endpoints.
- Class-based views missing authentication mixins - CBVs like APIView or View without LoginRequiredMixin or PermissionRequiredMixin expose endpoints to unauthenticated users.
- DRF views without authentication classes - Django REST Framework views that omit authentication_classes or use empty tuples, allowing anonymous access to sensitive data.
- Middleware bypass - Django's built-in authentication middleware only protects views that explicitly check authentication. Views without proper decorators bypass this protection entirely.
- CSRF token omission - POST endpoints missing @csrf_protect or @csrf_exempt (when inappropriate) allow CSRF attacks against authenticated users.
- Admin interface exposure - Django admin URLs accessible without authentication, exposing database management capabilities.
These vulnerabilities often appear in Django projects where developers assume middleware provides blanket protection or where rapid development leads to authentication being forgotten on new endpoints.
Django-Specific Detection
Detecting missing authentication in Django requires both static analysis and runtime scanning. Here's how to identify these vulnerabilities:
Static Code Analysis
# Scan views.py for missing authentication
import ast
def find_unprotected_views(filepath):
with open(filepath) as f:
tree = ast.parse(f.read(), filename=filepath)
unprotected = []
for node in ast.walk(tree):
if isinstance(node, ast.FunctionDef):
# Check for decorators
has_auth = any(dec.id in {'login_required', 'permission_required'}
for dec in node.decorator_list)
if not has_auth:
unprotected.append(node.name)
elif isinstance(node, ast.ClassDef):
# Check for authentication mixins in CBVs
base_classes = [base.id for base in node.bases]
if 'APIView' in base_classes or 'View' in base_classes:
# Look for authentication_classes or mixins
has_auth = any(
isinstance(n, ast.Assign) and
'authentication_classes' in n.targets[0].id
for n in node.body
)
if not has_auth:
unprotected.append(node.name)
return unprotected
Runtime Scanning with middleBrick
middleBrick's black-box scanning approach is particularly effective for Django applications because it tests the actual runtime behavior without requiring source code access. The scanner:
- Attempts authenticated vs unauthenticated requests to all discovered endpoints
- Checks for admin interface exposure at common Django paths (/admin/, /django-admin/)
- Tests DRF endpoints for missing authentication_classes
- Detects CSRF protection bypass by attempting state-changing operations without tokens
# Scan a Django API with middleBrick CLI
middlebrick scan https://your-django-app.com/api/ --format json
# In CI/CD with GitHub Action
- name: Scan Django API Security
uses: middlebrick/middlebrick-action@v1
with:
url: https://staging.your-django-app.com
fail-on-severity: high
The middleBrick dashboard provides a security score (0-100) with specific findings for missing authentication, categorized by severity and mapped to OWASP API Top 10 risks.
Django-Specific Remediation
Fixing missing authentication in Django requires systematic application of Django's built-in security features. Here's how to remediate common issues:
Function-Based Views
# BAD - Missing authentication
from django.http import JsonResponse
def user_profile(request):
user = request.user
return JsonResponse({'username': user.username})
# GOOD - With authentication
from django.contrib.auth.decorators import login_required
def user_profile(request):
user = request.user
return JsonResponse({'username': user.username})
# GOOD - With permission checks
from django.contrib.auth.decorators import permission_required
@permission_required('app.view_sensitive_data', raise_exception=True)
def sensitive_data(request):
data = get_sensitive_data()
return JsonResponse(data)
Class-Based Views
# BAD - Missing authentication
from rest_framework.views import APIView
class UserAPI(APIView):
def get(self, request):
return Response({'users': User.objects.all()})
# GOOD - With authentication
from rest_framework.permissions import IsAuthenticated
class UserAPI(APIView):
authentication_classes = [SessionAuthentication, BasicAuthentication]
permission_classes = [IsAuthenticated]
def get(self, request):
return Response({'users': User.objects.all()})
# GOOD - With mixins
from django.contrib.auth.mixins import LoginRequiredMixin
class AdminView(LoginRequiredMixin, View):
login_url = '/login/'
redirect_field_name = 'redirect_to'
def get(self, request):
# Only accessible to authenticated users
return render(request, 'admin.html')
DRF Settings
# settings.py - Global authentication defaults
REST_FRAMEWORK = {
'DEFAULT_AUTHENTICATION_CLASSES': [
'rest_framework.authentication.SessionAuthentication',
'rest_framework.authentication.TokenAuthentication',
],
'DEFAULT_PERMISSION_CLASSES': [
'rest_framework.permissions.IsAuthenticated',
],
'UNAUTHENTICATED_USER': None,
'UNAUTHENTICATED_STATUS': 401,
}
# Override for public endpoints
class PublicAPI(APIView):
authentication_classes = []
permission_classes = []
def get(self, request):
return Response({'public': 'data'})
Middleware Configuration
# settings.py - Ensure authentication middleware is enabled
MIDDLEWARE = [
# ... other middleware
'django.contrib.auth.middleware.AuthenticationMiddleware',
'django.contrib.auth.middleware.RemoteUserMiddleware',
# ... other middleware
]
# Custom middleware for API endpoints
class APITokenAuthenticationMiddleware:
def __init__(self, get_response):
self.get_response = get_response
def __call__(self, request):
if request.path.startswith('/api/'):
token = request.headers.get('Authorization')
if not token:
return JsonResponse({'error': 'Authentication required'},
status=401)
return self.get_response(request)
Related CWEs: authentication
| CWE ID | Name | Severity |
|---|---|---|
| CWE-287 | Improper Authentication | CRITICAL |
| CWE-306 | Missing Authentication for Critical Function | CRITICAL |
| CWE-307 | Brute Force | HIGH |
| CWE-308 | Single-Factor Authentication | MEDIUM |
| CWE-309 | Use of Password System for Primary Authentication | MEDIUM |
| CWE-347 | Improper Verification of Cryptographic Signature | HIGH |
| CWE-384 | Session Fixation | HIGH |
| CWE-521 | Weak Password Requirements | MEDIUM |
| CWE-613 | Insufficient Session Expiration | MEDIUM |
| CWE-640 | Weak Password Recovery | HIGH |
Frequently Asked Questions
How can I audit my Django project for missing authentication?
Use a combination of static analysis and runtime scanning. Static analysis with tools like bandit or custom AST scripts can find missing decorators in your views.py files. For runtime verification, middleBrick's black-box scanning tests all endpoints without requiring source code access, attempting both authenticated and unauthenticated requests to identify gaps. The middleBrick CLI can be integrated into your CI/CD pipeline to catch authentication regressions before deployment.
What's the difference between @login_required and permission_required in Django?
The @login_required decorator only checks if a user is authenticated, while @permission_required checks for specific permissions. Use @login_required for endpoints that any authenticated user should access, and @permission_required for role-based access control where users need specific capabilities. For Django REST Framework, use permission_classes like IsAuthenticated or custom permissions for similar functionality. middleBrick's scanning identifies both types of authentication gaps and provides severity ratings based on the sensitivity of exposed data.