Skip to content

Latest commit

 

History

History
95 lines (80 loc) · 6.65 KB

threat-modeling.md

File metadata and controls

95 lines (80 loc) · 6.65 KB

Threat Model Analysis for encode/django-rest-framework

Threat: Data Exposure via Over-Serialization

  • Threat: Data Exposure via Over-Serialization
    • Description: An attacker requests data from an API endpoint. The serializer, due to misconfiguration (e.g., fields = '__all__' or inadequate fields/exclude definitions), returns more data than intended, including sensitive fields or internal data. The attacker gains access to this unintended information.
    • Impact: Information disclosure, privacy violation, potential for privilege escalation.
    • Affected Component: serializers.ModelSerializer (and custom serializers), specifically the fields, exclude, and Meta class configurations. Also affects nested serializers.
    • Risk Severity: High
    • Mitigation Strategies:
      • Explicitly define the fields attribute in ModelSerializer to include only necessary fields. Avoid fields = '__all__'.
      • Use different serializers for different API views (e.g., list vs. detail).
      • Use read_only_fields to prevent modification of sensitive fields.
      • Implement field-level permissions.
      • Carefully control nested serializer depth and fields.

Threat: Mass Assignment via Serializer Update

  • Threat: Mass Assignment via Serializer Update
    • Description: An attacker sends a PUT or PATCH request including data for fields they shouldn't modify (e.g., an is_admin flag). If the serializer doesn't restrict updates, the attacker successfully modifies these restricted fields.
    • Impact: Data corruption, privilege escalation, bypassing business logic.
    • Affected Component: serializers.ModelSerializer (and custom serializers), the update method, and read_only_fields.
    • Risk Severity: High
    • Mitigation Strategies:
      • Use read_only_fields to prevent specific fields from being updated.
      • Override the update method for custom validation and control.
      • Use separate serializers for creation and updating.
      • Thoroughly validate input data.

Threat: Deserialization of Untrusted Data (Object Injection)

  • Threat: Deserialization of Untrusted Data (Object Injection)
    • Description: An attacker sends a crafted request with a malicious payload. If DRF's deserialization (especially with custom parsers) is not secure, the attacker could trigger unintended code execution or manipulate the application's state.
    • Impact: Remote Code Execution (RCE), Denial of Service (DoS), data corruption.
    • Affected Component: Custom parsers (parsers.BaseParser), potentially serializers with complex, untrusted data formats.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Avoid custom parsers unless strictly necessary. Prefer standard JSON/form data.
      • If custom parsing is required, rigorously validate before deserialization.
      • Consider safer serialization formats and schema validation.
      • Limit the depth/complexity of accepted nested data.

Threat: Incorrect Permission Checks (Authorization Bypass)

  • Threat: Incorrect Permission Checks (Authorization Bypass)
    • Description: An attacker accesses an API endpoint or performs an action they are not authorized for, due to misconfigured permission classes, incorrect logic in custom permission classes, or failure to check object-level permissions.
    • Impact: Data leakage, unauthorized data modification, privilege escalation.
    • Affected Component: views.APIView, viewsets.ModelViewSet, permissions.BasePermission (and subclasses), get_object method.
    • Risk Severity: High
    • Mitigation Strategies:
      • Use appropriate built-in permission classes.
      • Implement and thoroughly test custom permission classes.
      • Apply permission_classes at both view/viewset and method levels.
      • Ensure object-level permissions are checked after get_object.
      • Regularly audit permission configurations.

Threat: Weak Authentication Mechanisms

  • Threat: Weak Authentication Mechanisms
    • Description: An attacker uses weak credentials or exploits vulnerabilities in the authentication process (e.g., basic auth over HTTP) to gain unauthorized API access.
    • Impact: Complete system compromise, data theft, unauthorized actions.
    • Affected Component: authentication.BaseAuthentication (and subclasses), DRF authentication settings.
    • Risk Severity: Critical
    • Mitigation Strategies:
      • Use strong authentication (JWT, OAuth 2.0, session authentication with CSRF).
      • Enforce strong password policies.
      • Use HTTPS.
      • Consider MFA.

Threat: Session Fixation (if using session authentication)

  • Threat: Session Fixation (if using session authentication)
    • Description: An attacker tricks a user into using a known session ID, then hijacks the user's session after they log in.
    • Impact: Account takeover.
    • Affected Component: Django's session management, DRF's authentication.SessionAuthentication.
    • Risk Severity: High
    • Mitigation Strategies:
      • Regenerate session IDs after login (ensure this Django default is enabled).
      • Use secure, HTTP-only cookies.
      • Implement proper CSRF protection.

Threat: Improper Token Validation (if using token authentication)

  • Threat: Improper Token Validation (if using token authentication)
    • Description: An attacker presents an invalid, expired, or forged token. Flawed validation logic (e.g., missing signature verification, no expiration check) allows unauthorized access.
    • Impact: Account takeover, unauthorized access.
    • Affected Component: authentication.BaseAuthentication (token-based subclasses), JWT library (if used).
    • Risk Severity: High
    • Mitigation Strategies:
      • Use a well-vetted JWT library.
      • Verify the token signature.
      • Check expiration (exp claim).
      • Check audience (aud) and issuer (iss) claims if applicable.
      • Implement token revocation.