Python | 7 Tricks to Teach You to Identify Whether a Website Is a Django Backend

Django backend

Django backend.Today we will talk about how to test the backend of a website is written by Django.
1.Django backend.The easiest way to use the Debug mode exception page to judge is that when the DEBUG mode is turned on, a special exception will be thrown when accessing a non-existent page or an error page.
I call a page like this yellow code ( haha, the person who wrote Django knows, does it happen often), you can be sure that it is Django

1.Django backend.Verified by CSRF Token


Visit a page containing a form, there will be a hidden input in the form, which is used to store the Token for CSRF detection, and its name is relatively

unique .
if the developer changes the name of csrfmiddlewaretoken ?
We can delete the hidden input just now, and then log in. Because of the lack of CSRF TOKEN, a Django CSRF TOKEN error page will be returned to you:

1.Django-Admin
When you install Django, it will come with a background, the address is /admin (but most websites will replace the background address): When you

encounter this style of background interface, you can be sure that it is Django.
1.via HTTP headers
Some Django sites will return the Server header:

although this method cannot be 100% sure that it is the Django backend, but the scope is narrowed down, it is Python, and only those sets of Web.

1.Django backend.Piece together the details


For example, Django's default password recovery link is / password_reset / , the mail is successfully sent / password_reset /done/ , and the password recovery link is reset/(?P[0-9A-Za-z_-]+)/(?P [0-9A-Za-z]{1,13}-[0-9A-Za-z]{1,20})/ , the password is successfully retrieved is /reset/done/, the normal password is / password_change / , the modification is successful is / password_change /done/ .
However, these links can be changed and can only be used for reference.
another example, the directory where django files are uploaded is usually called media, the password for registration requires more than 8 digits and letters, the pagination is usually ?page=2 instead of /page/2/, and the id of the form input box is usually id_xxxx , Chinese In the case of , there will also be some specific translation sentences, such as please upload a valid image. The file you uploaded is not an image or is a corrupted image. , CSRF verification failed. Correspondingly interrupted. etc.
1.Judging from the characteristics of some third-party modules,
Django is easy to use because its code coupling is very low, so there are rich third-party modules that can be used directly. The characteristics of these modules can also determine whether the target website is Django.
Commonly used third-party modules include django -rest-framework, django -debug -toolbar, django-bootstrap3, django -filter, django-cron , django-allauth , django - simple-captcha, etc.
example, django -rest-framework will have a debug page:

another example, the captcha generated by django -simple-captcha will contain a hidden input box with the name captcha_0 and the value of 40-digit hex.
these third-party libraries can also help you judge, that is, you need to collect and observe carefully.

1.Django backend.Analysis of static files


Some websites may have modified Django's background address, but the static file address used by Django's background is usually not modified, and it is difficult to modify.
Visit these static file addresses to see if the content is Django's set, and you can determine whether the target is Django, such as: http://0.0.0.0:8001/static/admin/css/dashboard.css

But this method has A limitation, if the target website does not use the django -admin that comes with Django (which is not included in the INSTALLED_APPS of settings.py), there is no such static file.

Related Articles

Explore More Special Offers

  1. Short Message Service(SMS) & Mail Service

    50,000 email package starts as low as USD 1.99, 120 short messages start at only USD 1.00