# Django Pentesting

Django is a web framework in Python.

### SSTI (Server-Side Template Injection)

```django
# XSS: a string literal inside a variable tag is rendered without autoescaping
{{ `<script>alert(1)</script>` }}

# Debug information: dumps the current template context, settings and imported modules
{% debug %}
```

### Bypass ALLOWED\_HOSTS

If a website written in Django answers with the error **“Invalid HTTP\_HOST header: 'x.x.x.x:8000'. You may need to add 'x.x.x.x' to ALLOWED\_HOSTS"**, the value of the `Host` request header is not in the application's `ALLOWED_HOSTS` list. Intercept the request and set the `Host` header to a value the application accepts; you should then be able to reach the website.

```http
Host: 0.0.0.0:8000
# or
Host: 127.0.0.1:8000
```

Or, if you have permission to edit the site's configuration, add the IP address to **ALLOWED\_HOSTS** in **`settings.py`**.

```python
ALLOWED_HOSTS = ['0.0.0.0', '127.0.0.1', 'x.x.x.x']
```
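To make the check behind that error concrete, the following is an added example (not Django's own code) that re-implements the `ALLOWED_HOSTS` matching rules as Django documents them: the port is stripped, a leading-dot entry matches the domain and all its subdomains, `'*'` matches anything, and with `DEBUG = True` an empty list falls back to localhost addresses. The function names and the simplified host regex are assumptions of this example, and `audit_allowed_hosts` is a small reviewer helper for spotting settings that weaken the check.

```python
import re

# Assumption: simplified form of the host pattern Django validates before matching.
HOST_RE = re.compile(r"^([a-z0-9.-]+|\[[a-f0-9]*:[a-f0-9.:]+\])(:[0-9]+)?$")
DEBUG_DEFAULT_HOSTS = [".localhost", "127.0.0.1", "[::1]"]


def split_domain_port(host: str):
    """Return (domain, port); ("", "") when the Host value is malformed."""
    host = host.lower()
    if not HOST_RE.match(host):
        return "", ""
    if host.endswith("]"):  # bare IPv6 literal without a port
        return host, ""
    domain, _, port = host.rpartition(":") if ":" in host else (host, "", "")
    if domain.endswith("."):  # a single trailing dot is ignored
        domain = domain[:-1]
    return domain, port


def is_same_domain(host: str, pattern: str) -> bool:
    """Exact match, or a leading-dot pattern matching the domain and any subdomain."""
    if not pattern:
        return False
    pattern = pattern.lower()
    if pattern.startswith("."):
        return host.endswith(pattern) or host == pattern[1:]
    return host == pattern


def host_is_allowed(host_header: str, allowed_hosts, debug: bool = False) -> bool:
    """Decision behind the 'Invalid HTTP_HOST header' (DisallowedHost) error."""
    if debug and not allowed_hosts:
        allowed_hosts = DEBUG_DEFAULT_HOSTS  # DEBUG=True with an empty list permits local hosts only
    domain, _port = split_domain_port(host_header)
    return bool(domain) and any(p == "*" or is_same_domain(domain, p) for p in allowed_hosts)


def audit_allowed_hosts(allowed_hosts) -> list:
    """Findings a reviewer would raise about an ALLOWED_HOSTS value."""
    findings = []
    if "*" in allowed_hosts:
        findings.append("'*' disables Host header validation entirely")
    if not allowed_hosts:
        findings.append("empty list: only usable with DEBUG=True; production requests raise DisallowedHost")
    for p in allowed_hosts:
        if p.startswith(".") and p.count(".") == 1:  # e.g. ".com"
            findings.append(f"{p!r} matches every host under a whole top-level domain")
    return findings


if __name__ == "__main__":
    print(host_is_allowed("x.x.x.x:8000", ["0.0.0.0", "127.0.0.1"]))  # the page's failing case
    print(audit_allowed_hosts(["*"]))
```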

### Create a New User

```bash
# Run from the project directory containing manage.py; prompts interactively for username, e-mail and password
python3 manage.py createsuperuser
```
