HIGH ssrf server sidedjangobasic auth

Ssrf Server Side in Django with Basic Auth

Scan for ssrf server side in django

Ssrf Server Side in Django with Basic Auth — how this specific combination creates or exposes the vulnerability

Server-side request forgery (SSRF) in Django becomes notably more complex when endpoints are protected with HTTP Basic Authentication. Basic Auth transmits credentials in each request, encoded in an Authorization header rather than a session cookie. When a backend service or internal endpoint is only reachable with a valid Basic Auth token, developers may be tempted to embed that token in client-side code or in requests generated by the server. Doing so can expose the credentials to SSRF: an attacker who can control an outbound URL may force the application to include the Authorization header when visiting internal or restricted hosts, revealing private services that would otherwise be invisible from the internet.

Consider a Django view that fetches data from a metadata service and appends a hardcoded Basic Auth header:

import base64
import requests
from django.http import JsonResponse
from django.views.decorators.http import require_http_methods

@require_http_methods(["GET"])
def fetch_metadata(request):
    url = request.GET.get("url")
    if not url:
        return JsonResponse({"error": "url parameter required"}, status=400)
    token = base64.b64encode(b"admin:SuperSecret123").decode()
    headers = {"Authorization": f"Basic {token}"}
    resp = requests.get(url, headers=headers, timeout=5)
    return JsonResponse({"status_code": resp.status_code, "body": resp.text[:200]})

If an attacker can supply the url parameter, they can point it to an internal address such as http://169.254.169.254/latest/meta-data/ (AWS instance metadata) or to an internal admin interface on 127.0.0.1. The injected Authorization header may grant access to otherwise restricted internal endpoints, turning an SSRF into a privileged internal reconnaissance path. Complications arise when the upstream service uses IP-based allowlists; the request appears to come from the Django host, but the Basic credentials may be required to reach a protected resource that would otherwise reject the call.

SSRF in this context can lead to several outcomes: retrieving sensitive metadata, interacting with internal management APIs, or bypassing network segregation. Because Basic Auth credentials are static, embedding them in application code or environment variables that the Django process can access increases the blast radius if SSRF is possible. MiddleBrick’s unauthenticated scan can surface endpoints that accept attacker-controlled URLs and include Authorization headers, highlighting the exposure without needing credentials to begin an assessment.

Basic Auth-Specific Remediation in Django — concrete code fixes

Remediation focuses on preventing untrusted input from influencing outbound requests, avoiding hardcoded credentials in request-building code, and applying the principle of least privilege to any downstream services.

  • Do not forward user-supplied URLs to requests that include Authorization headers. If you must call internal services, use a fixed, tightly scoped configuration for the target host and do not concatenate user input into the URL.
  • Use Django settings and environment variables for credentials, and avoid generating Basic Auth headers on a per-request basis for outbound calls. Instead, rely on service accounts with minimal permissions, and rotate credentials regularly.
  • Implement allowlists for protocols and hosts. For example, if you only need to call a known internal API, validate the parsed hostname and scheme before making the request.

Here is a safer pattern that avoids embedding Basic Auth in dynamic requests:

import requests
from django.conf import settings
from django.http import JsonResponse
from django.views.decorators.http import require_http_methods

# settings.py or environment:
# DOWNSTREAM_USER = "svc_reader"
# DOWNSTREAM_PASS = "********"
# ALLOWED_HOSTS = {"internal-api.example.com"}

@require_http_methods(["GET"])
def safe_fetch_metadata(request):
    target = request.GET.get("host")
    if not target:
        return JsonResponse({"error": "host parameter required"}, status=400)
    # Strict validation: only allow a specific internal host
    allowed = settings.ALLOWED_HOSTS
    if target not in allowed:
        return JsonResponse({"error": "host not allowed"}, status=403)
    # Use a fixed destination; do not build URLs from user input
    url = f"https://{target}/api/v1/metadata"
    creds = (settings.DOWNSTREAM_USER, settings.DOWNSTREAM_PASS)
    try:
        resp = requests.get(url, auth=creds, timeout=5)
        resp.raise_for_status()
    except requests.RequestException:
        return JsonResponse({"error": "unable to fetch"}, status=502)
    return JsonResponse({"status_code": resp.status_code, "body": resp.text[:200]})

If you must add an Authorization header dynamically (for example, when integrating with multiple downstream services), validate the target host rigorously and avoid concatenating any part of the URL that could be controlled by an attacker. Prefer using mutual TLS or service-specific tokens scoped to a single consumer instead of Basic Auth when feasible. MiddleBrick’s GitHub Action can be added to your CI/CD pipeline to fail builds if a scan detects endpoints that combine user-controlled URLs with Authorization headers, helping you enforce these rules before deployment.

Scan for ssrf server side in django Free API security scan

Frequently Asked Questions

Can SSRF be mitigated only by input validation in Django?
Input validation helps, but it is not sufficient on its own. You should also avoid forwarding user-supplied URLs to authenticated outbound requests, enforce strict allowlists for hosts and schemes, use runtime secrets management for credentials, and monitor outbound traffic for anomalies. Treat user-controlled URLs as untrusted network inputs.
How does middleBrick help with SSRF and Basic Auth exposure?
middleBrick scans unauthenticated attack surfaces and can identify endpoints that reflect or forward requests to internal hosts, including cases where Authorization headers are added. Its findings map to OWASP API Top 10 and include prioritized remediation guidance. You can run the CLI (middlebrick scan ) or add the GitHub Action to CI/CD to catch problematic patterns early.

Related Pages

Ssrf Server Side with Basic AuthLearn how SSRF attacks exploit Basic Auth endpoints through crafted credentials, metadata endpoint access, and timing atSsrf Server Side in Django (Python)Explore SSRF in Django with Python: how it arises and concrete Python-specific fixes with allowlists, safe request patteSsrf Server Side in Django on Fly IoSSRF in Django on Fly.io: how internal routing and unsafe HTTP clients create risk, and concrete remediation with allowlSsrf Server Side in Django on DigitaloceanSSRF server-side in Django on Digitalocean: causes, risks, and concrete remediation code examples with Digitalocean-specHipaa: Ssrf Server Side in DjangoExplore SSRF in Django under HIPAA: risks, examples, and remediation patterns with domain allowlists, proxy routing, andGdpr: Ssrf Server Side in DjangoGDPR in Django SSRF: risks and remediation with concrete Django code examples to block internal requests and prevent datIso 27001: Ssrf Server Side in DjangoExplore SSRF in Django aligned with ISO 27001. Understand risk patterns and apply concrete Django code fixes like URL alCis: Ssrf Server Side in DjangoCIS-focused SSRF risks in Django with concrete validation examples and safe patterns to prevent server-side request forgSsrf Server Side in Django with FirestoreSSRF in Django with Firestore: causes, secure code examples, and remediation guidance for document IDs, collections, andSsrf Server Side in Django with MongodbExplore SSRF in Django with MongoDB: understand how the stack exposes risks and apply concrete MongoDB-specific fixes wiSsrf Server Side in Django with DynamodbSSRF in Django/DynamoDB: how user-influenced server-side requests expose metadata and IAM risks, plus concrete validatioSsrf Server Side in Django with CockroachdbSSRF in Django with CockroachDB: causes and fixes, including validation, safe SQL, and network controls.