rules/application/django/appframework_django_exceptions.yml

title: Django Framework Exceptions
id: fd435618-981e-4a7c-81f8-f78ce480d616
status: stable
description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts
references:
    - https://docs.djangoproject.com/en/1.11/ref/exceptions/
    - https://docs.djangoproject.com/en/1.11/topics/logging/#django-security
author: Thomas Patzke
date: 2017-08-05
modified: 2020-09-01
tags:
    - attack.initial-access
    - attack.t1190
logsource:
    category: application
    product: django
detection:
    keywords:
        - SuspiciousOperation
        # Subclasses of SuspiciousOperation
        - DisallowedHost
        - DisallowedModelAdminLookup
        - DisallowedModelAdminToField
        - DisallowedRedirect
        - InvalidSessionKey
        - RequestDataTooBig
        - SuspiciousFileOperation
        - SuspiciousMultipartForm
        - SuspiciousSession
        - TooManyFieldsSent
        # Further security-related exceptions
        - PermissionDenied
    condition: keywords
falsepositives:
    - Application bugs
level: medium
fix: fixed casing and long rule titles 2020-01-30 17:26:09 +01:00			`title: Django Framework Exceptions`
Added UUIDs to rules 2019-11-12 23:12:27 +01:00			`id: fd435618-981e-4a7c-81f8-f78ce480d616`
Fixed my git issue 2020-09-13 22:03:04 -06:00			`status: stable`
Fixed description 2017-08-06 23:22:31 +02:00			`description: Detects suspicious Django web application framework exceptions that could indicate exploitation attempts`
Change "reference" to "references" to match new schema 2018-01-28 02:12:19 +03:00			`references:`
Django security errors 2017-08-05 00:56:05 +02:00			`- https://docs.djangoproject.com/en/1.11/ref/exceptions/`
			`- https://docs.djangoproject.com/en/1.11/topics/logging/#django-security`
$frack113$ Order yaml field 2022-10-25 06:48:55 +02:00			`author: Thomas Patzke`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`date: 2017-08-05`
			`modified: 2020-09-01`
$frack113$ Order yaml field 2022-10-25 06:48:55 +02:00			`tags:`
Merge PR #4950 from @nasbench - Comply With v2 Spec Changes 2024-08-12 12:02:50 +02:00			`- attack.initial-access`
$frack113$ Order yaml field 2022-10-25 06:48:55 +02:00			`- attack.t1190`
Django security errors 2017-08-05 00:56:05 +02:00			`logsource:`
Application security rules 2017-08-12 00:43:10 +02:00			`category: application`
Django security errors 2017-08-05 00:56:05 +02:00			`product: django`
			`detection:`
			`keywords:`
			`- SuspiciousOperation`
			`# Subclasses of SuspiciousOperation`
			`- DisallowedHost`
			`- DisallowedModelAdminLookup`
			`- DisallowedModelAdminToField`
			`- DisallowedRedirect`
			`- InvalidSessionKey`
			`- RequestDataTooBig`
			`- SuspiciousFileOperation`
			`- SuspiciousMultipartForm`
			`- SuspiciousSession`
			`- TooManyFieldsSent`
			`# Further security-related exceptions`
			`- PermissionDenied`
			`condition: keywords`
			`falsepositives:`
			`- Application bugs`
			`level: medium`