Django Pentesting

Django is a web framework in Python.

SSTI (Server-Side Template Injection)

# XSS
{{ `<script>alert(1)</script>` }}

# Debug information
{% debug %}

Bypass ALLOWED_HOSTS

If we get the error “Invalid HTTP_HOST header: 'x.x.x.x:8000'. You may need to add 'x.x.x.x' to ALLOWED_HOSTS" when accessing the website written in Django, you need to intercept the value of the Host in the HTTP request header.
Then you should be able to access the website.

Host: 0.0.0.0:8000
# or
Host: 127.0.0.1:8000

Or if we can have the permission to edit the configuration of the website, add new IP address to ALLOWED_HOSTS in settings.py.

ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'x.x.x.x']

Create a New User

python3 manage.py createsuperuser