Django template injection #15

Open
sectroyer opened this issue May 18, 2023 · 2 comments
Labels: delayed (The issue will be fixed with a big update later), template engine (A template engine to add)

Comments

@sectroyer

sectroyer commented May 18, 2023

Looks like SSTImap is not able to detect Django template injection like in PortSwigger's "Server-side template injection with information disclosure via user-supplied objects" Lab.

@vladko312
Owner

Django template engine lacks exploitable execution capabilities, so exploiting it is different from other engines and focuses more on extracting variables. I might add support in the future.

@vladko312 vladko312 added the template engine A template engine to add label May 20, 2023
@sectroyer
Author

Yes, but detection would be nice, to at least know that "something is up" :) Also you can print an "info" that it's "worth to check" stuff like debug or secret key :) Usually that's enough to report the issue to the client.

@vladko312 vladko312 added the delayed The issue will be fixed with a big update later label May 26, 2023
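
As a source-side complement to the scanner detection discussed in this thread, here is an added example (not part of the issue and not SSTImap code): a small AST check that flags Django code compiling a non-literal string into a template, the pattern behind this class of injection. The sample module and all function names in it are constructed for illustration.

```python
import ast

# Call names that compile a string into a Django template:
# django.template.Template(...) and <engine>.from_string(...).
TEMPLATE_SINKS = {"Template", "from_string"}


def _call_name(node):
    """Return the bare or attribute name of the function being called."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        return func.attr
    return None


def find_dynamic_templates(source):
    """Return sorted (line, sink) pairs where a template is compiled from a
    non-literal first positional argument. Heuristic: non-literal does not
    prove the value is user-controlled, so each hit needs manual review."""
    findings = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Call) or not node.args:
            continue
        name = _call_name(node)
        if name not in TEMPLATE_SINKS:
            continue
        first = node.args[0]
        if isinstance(first, ast.Constant) and isinstance(first.value, str):
            continue  # fixed template text; user data can only enter via context
        findings.append((node.lineno, name))
    return sorted(findings)


# Constructed sample views: two compile request data as template source,
# one passes request data as a context variable instead.
SAMPLE = '''\
from django.http import HttpResponse
from django.template import Context, Template, engines

def preview(request):
    body = request.POST["body"]
    return HttpResponse(Template(body).render(Context({"user": request.user})))

def preview_fstring(request):
    tpl = engines["django"].from_string(f"<p>{request.GET['msg']}</p>")
    return HttpResponse(tpl.render({}))

def safe(request):
    tpl = Template("<p>{{ msg }}</p>")
    return HttpResponse(tpl.render(Context({"msg": request.GET["msg"]})))
'''

if __name__ == "__main__":
    for line, sink in find_dynamic_templates(SAMPLE):
        print(f"line {line}: {sink}() compiles a non-literal template string")
```
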