Django CSRF test

This is a simple Django project to test CSRF protection against a CSRF attack using a simple redirect attack with victim's browser to a vulnerable website.

attacker.html is the attacker's website that will try to perform the CSRF attack on the Django server. The attacker HTML file is served by a separate Python server supporting POST requests (the default http.server doesn't support POST) configured in server.py.

The attack is performed by first stealing a CSRF token from a victim by redirecting the victim's browser to a CSRF token endpoint on the Django server. The attacker then uses the stolen CSRF token to perform a POST request to the Django server to a relevant endpoint.

Note that the endpoints also need to send a vulnerable CORS headers for the attack to be able to happen. That's why the following headers are sent during a response:

Access-Control-Allow-Origin: http://localhost:8001
Access-Control-Allow-Credentials: true

Name		Name	Last commit message	Last commit date
Latest commit History 3 Commits
project		project
.gitignore		.gitignore
.python-version		.python-version
LICENSE		LICENSE
README.md		README.md
attacker.html		attacker.html
manage.py		manage.py
pyproject.toml		pyproject.toml
server.py		server.py
uv.lock		uv.lock

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

Repository files navigation

Django CSRF test

About

Uh oh!

Releases

Packages

Uh oh!

Languages

License

paatre/django-csrf-test

Folders and files

Latest commit

History

Repository files navigation

Django CSRF test

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Languages

Packages