Open sectroyer opened 1 year ago
Django template engine lacks exploitable execution capabilities, so exploiting it is different from other engines and focuses more on extracting variables. I might add support in the future.
Yes, but detection would be nice, to at least know that "something is up" :) Also you can print an "info" that it's "worth checking" stuff like debug or secret key :) Usually that's enough to report the issue to the client
Looks like SSTImap is not able to detect Django template injection, like in PortSwigger's "Server-side template injection with information disclosure via user-supplied objects" lab.
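As an added example, not part of this issue and not SSTImap's own code, here is the detection side of what the thread asks for, from a defender's standpoint: a small scanner over constructed access-log lines that flags request parameters carrying Django template delimiters (`{{ ... }}` and `{% ... %}`), which ordinary users almost never send, so their presence is the "something is up" signal worth reviewing. The log format, the sample lines and the function names are assumptions made for this example.

```python
"""Flag access-log requests whose query parameters contain Django template
syntax. Hypothetical detector written for this thread; not SSTImap code."""
from __future__ import annotations

import re
from urllib.parse import parse_qsl, urlsplit

# Django template delimiters: variable tags {{ ... }} and block tags {% ... %}.
TEMPLATE_SYNTAX = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.DOTALL)

# Minimal combined-log request field: method, request target, protocol, status.
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log. Lines 2 and 3 carry URL-encoded template syntax;
# line 4 has a lone brace that must NOT be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /?name=alice HTTP/1.1" 200 512
10.0.0.7 - - [01/Jan/2024:10:00:01 +0000] "GET /?name=%7B%7Buser.username%7D%7D HTTP/1.1" 200 530
10.0.0.7 - - [01/Jan/2024:10:00:02 +0000] "GET /product?id=3&note=%7B%25+if+1+%25%7Dx%7B%25+endif+%25%7D HTTP/1.1" 200 600
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /search?q=curly+%7B+brace HTTP/1.1" 200 410
"""


def find_template_syntax(target: str) -> list[dict]:
    """Return one finding per template tag found in the target's query string.

    parse_qsl percent-decodes values and turns '+' into spaces, so encoded
    payloads are inspected in their decoded form.
    """
    findings = []
    query = urlsplit(target).query
    for name, value in parse_qsl(query, keep_blank_values=True):
        for match in TEMPLATE_SYNTAX.finditer(value):
            tag = match.group(0)
            findings.append({
                "param": name,
                "payload": tag,
                # Block tags ({% %}) indicate template logic rather than a
                # stray variable reference; surface that distinction to the analyst.
                "kind": "block" if tag.startswith("{%") else "variable",
            })
    return findings


def scan_log(log_text: str) -> list[dict]:
    """Scan every log line and return alerts with line number, method and path."""
    alerts = []
    for lineno, line in enumerate(log_text.splitlines(), 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line we understand; skip it
        target = m.group("target")
        for finding in find_template_syntax(target):
            alerts.append({
                "line": lineno,
                "method": m.group("method"),
                "path": urlsplit(target).path,
                **finding,
            })
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(f"line {alert['line']}: {alert['method']} {alert['path']} "
              f"param={alert['param']!r} {alert['kind']} tag {alert['payload']!r}")
```

Run against the constructed sample it reports three tags on two requests and stays silent on the lone brace in line 4. In practice the same check belongs on POST bodies and headers that end up in templates, and any hit is a prompt to review how that parameter reaches the template engine, not proof of exploitation.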