Django Pentesting

Last modified: 2023-03-19

Web

Django is a web framework in Python.

SSTI (Server-Side Template Injection)

# XSS (Django auto-escapes template output by default, so this only renders as a script if autoescaping is off or the value is marked safe)
{{ "<script>alert(1)</script>" }}

# Debug information
{% debug %}

Bypass ALLOWED_HOSTS

If you get the error “Invalid HTTP_HOST header: 'x.x.x.x:8000'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS” when accessing a website written in Django, intercept the HTTP request and change the value of the Host header to one of the allowed hosts.
Then you should be able to access the website.

Host: 0.0.0.0:8000
# or
Host: 127.0.0.1:8000

Or, if you have permission to edit the website's configuration, add the new IP address to ALLOWED_HOSTS in settings.py:

ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'x.x.x.x']
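To show why the Host values above get past the check and what a pinned ALLOWED_HOSTS changes, here is an added example (not code from the original page): a stand-alone Python reimplementation of the matching Django applies to ALLOWED_HOSTS (exact name, '*', or a leading-dot suffix, with the port stripped first), including Django's documented DEBUG-mode fallback to localhost names when ALLOWED_HOSTS is empty. It runs without Django installed; the sample Host headers are constructed.

```python
import re
from typing import Iterable

# When DEBUG is True and ALLOWED_HOSTS is empty, Django falls back to these
# names, which is why a loopback Host value gets past the check in development.
DEBUG_DEFAULT_ALLOWED_HOSTS = [".localhost", "127.0.0.1", "[::1]"]

# Syntactic check applied to the Host header before the allow-list is consulted.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")


def split_domain_port(host: str) -> tuple[str, str]:
    """Split 'example.com:8000' into ('example.com', '8000'); IPv6 literals keep brackets."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):          # bare IPv6 literal, no port
        return host, ""
    bits = host.rsplit(":", 1)
    domain, port = bits if len(bits) == 2 else (bits[0], "")
    domain = domain[:-1] if domain.endswith(".") else domain  # drop trailing dot
    return domain, port


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or a leading-dot pattern matching the domain and its subdomains."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern[0] == ".":
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def validate_host(host: str, allowed_hosts: Iterable[str]) -> bool:
    """'*' allows everything (the weak setting); otherwise each pattern is tried."""
    return any(p == "*" or is_same_domain(host, p) for p in allowed_hosts)


def host_allowed(header: str, allowed_hosts: list[str], debug: bool) -> bool:
    """Decide whether Django would accept this Host header under the given settings."""
    if not allowed_hosts and debug:
        allowed_hosts = DEBUG_DEFAULT_ALLOWED_HOSTS
    domain, _port = split_domain_port(header)
    return bool(domain) and validate_host(domain, allowed_hosts)


if __name__ == "__main__":
    # Constructed sample headers; 203.0.113.0/24 is the TEST-NET-3 documentation range.
    print(host_allowed("203.0.113.5:8000", [], debug=True))               # False: the error case above
    print(host_allowed("127.0.0.1:8000", [], debug=True))                 # True: the loopback Host above
    print(host_allowed("127.0.0.1:8000", ["app.example.com"], debug=False))  # False once hosts are pinned
```

Pinning ALLOWED_HOSTS to the real hostnames and never shipping DEBUG=True closes the loopback path; a bare '*' entry accepts any Host header.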

Create a New User

python3 manage.py createsuperuser