Auditing Object-Level Permissions (BOLA/IDOR)
Django REST Framework implements general permission classes like IsAuthenticated to check if a user is logged in. However, it does not enforce object-level validation by default.
If your viewset retrieves records using primary keys, we test if we can modify the request parameter to access another user's profile or transactions. This is known as Broken Object Level Authorization (BOLA). To prevent this, you must override the get_queryset method or use custom permission classes:
# SECURE: Queryset restricted to the active user session
class TransactionViewSet(viewsets.ModelViewSet):
serializer_class = TransactionSerializer
permission_classes = [IsAuthenticated]
def get_queryset(self):
# Only return records belonging to the logged-in user
return Transaction.objects.filter(user=self.request.user) Missing queryset restriction leaks invoice records
During an audit of a B2B platform built on Django, we found that the invoice detail view inherited from generics.RetrieveAPIView but defined queryset = Invoice.objects.all(). Any authenticated user could download any other company's invoice by changing the UUID parameter in the URL. We recovered 18,000 corporate records.
Testing serializer validation and parameter injection
Django serializers validate incoming JSON payloads. But developers sometimes write custom validate_ methods that bypass integrity checks or trust input fields too much.
We check if serializers allow write access to read-only fields. For example, if your user profile serializer permits updates to fields like is_staff or role, an attacker can modify their role status by injecting these parameters into a profile update request.
Raw SQL queries and ORM Injection
While Django's ORM protects against SQL injection, developers occasionally write raw queries using the extra() method or connection.cursor() to execute complex database operations.
If user input is concatenated directly into these raw query strings, SQL injection occurs. We test all parameters with injection payloads to identify database weaknesses.
Django API Pentest Checklist
To secure your Django backend, verify these items:
- Check get_queryset configurations: Ensure all detail views filter resources by the authenticated user's ID.
- Read-only serializer fields: Explicitly configure fields like
balance,user_id, androleas read-only. - Harden CORS settings: Avoid using wildcards in your
CORS_ALLOW_ALL_ORIGINSconfiguration. Only allow trusted domains.
Let Simpa Labs audit your Django stack
We specialize in finding complex logic and authorization issues in Django web applications. We will review your viewsets, test your database queries, and audit your configuration files.