Description
A Cross-site Request Forgery (CSRF) attack is one in which the user's browser is hijacked in order to submit a request to another website on which the user is authenticated. For example, if a form/request on a bank website that adds money to an account is not protected against CSRF, an attacker could create an unrelated page that submits a request to that endpoint when the user loads it. Since the user's browser has a valid session cookie, the request would succeed without the user even being aware that anything had happened.
The profile_by_id() function (in addition to several others) has the @csrf_exempt decorator. As the name indicates, Django will not check the presence or validity of the CSRF nonce when these functions are called.
Remove the @csrf_exempt decorator from all sensitive functionality. An anti-CSRF nonce can be enabled application-wide by including the django.middleware.csrf.CsrfViewMiddleware module in the MIDDLEWARE_CLASSES array within the settings.py config file.
Try altering or removing the CSRF nonce on different requests to test whether it is truly validated. This is easier to achieve with a client-side proxy such as Burp or Fiddler.
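The following is an added example, not code from the application or from Django itself: a minimal pure-Python model of what CsrfViewMiddleware does with the csrftoken cookie and the csrfmiddlewaretoken form field, showing the exempt profile_by_id() accepting a cross-site POST while the remediated view rejects it, and how the altered/removed-nonce checks above play out. The Request class, the dispatch() helper and the view bodies are assumptions made for illustration.

```python
import hmac
from dataclasses import dataclass, field

# Added example (not Django's code): a minimal model of how CsrfViewMiddleware
# treats views, to show what @csrf_exempt switches off. Names are assumptions.
UNSAFE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}

@dataclass
class Request:
    method: str
    cookies: dict = field(default_factory=dict)  # sent by the browser automatically
    post: dict = field(default_factory=dict)     # form body from whichever page submitted it

def csrf_exempt(view):
    """Mirror of Django's decorator: flag the view so the check is skipped."""
    view.csrf_exempt = True
    return view

def csrf_check(request, view):
    """Return 403 if the CSRF check fails, None if the view may run."""
    if getattr(view, "csrf_exempt", False):
        return None  # exempt view: the nonce is never looked at
    if request.method not in UNSAFE_METHODS:
        return None  # safe methods carry no state change
    cookie_token = request.cookies.get("csrftoken", "")
    submitted = request.post.get("csrfmiddlewaretoken", "")
    # Double-submit check: form nonce must match the cookie, compared in constant time.
    if not cookie_token or not submitted or not hmac.compare_digest(cookie_token, submitted):
        return 403
    return None

@csrf_exempt
def profile_by_id_exempt(request):  # as found: the decorator disables the check
    return 200
def profile_by_id(request):  # remediated: plain view, the middleware enforces the nonce
    return 200

def dispatch(request, view):
    """What the middleware chain does: CSRF check first, then the view."""
    status = csrf_check(request, view)
    return status if status is not None else view(request)

def cross_site_post(cookie_token):
    """POST from another origin: the browser attaches the cookie, but that
    page cannot read it, so the body carries no csrfmiddlewaretoken."""
    return Request("POST", cookies={"csrftoken": cookie_token}, post={"id": "1"})

def same_site_post(cookie_token):
    """POST from the site's own form, which embeds the nonce."""
    return Request("POST", cookies={"csrftoken": cookie_token},
                   post={"id": "1", "csrfmiddlewaretoken": cookie_token})
```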