vladko312 / SSTImap

Automatic SSTI detection tool with interactive interface
GNU General Public License v3.0

Django template injection #15

Open sectroyer opened 1 year ago

sectroyer commented 1 year ago

Looks like SSTImap is not able to detect Django template injection, like the one in PortSwigger's "Server-side template injection with information disclosure via user-supplied objects" lab.

vladko312 commented 1 year ago

Django template engine lacks exploitable execution capabilities, so exploiting it is different from other engines and focuses more on extracting variables. I might add support in the future.

sectroyer commented 1 year ago

Yes, but detection would be nice, to at least know that "something is up" :) Also, you can print an "info" that it's "worth checking" stuff like debug or secret key :) Usually that's enough to report the issue to the client.
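As the maintainer notes, Django template injection is about variable disclosure rather than code execution, so the defect to look for in a code base is request data used as template source instead of as a context value. The following static check is an added example, not part of SSTImap or of this thread; `find_dynamic_template_sources` and the constructed `SAMPLE` view code are hypothetical names, and a non-literal source is treated only as a place to review.

```python
import ast

# Call names that compile a string into a Django template:
# django.template.Template(template_string) and Engine.from_string(template_code).
SINKS = {"Template", "from_string"}
SOURCE_KWARGS = {"template_string", "template_code"}

def find_dynamic_template_sources(code):
    """Return sorted (line, sink) pairs whose template source is not a string literal.

    Heuristic: a non-literal source is not proof of user control, only a spot to review.
    """
    findings = []
    for node in ast.walk(ast.parse(code)):
        if not isinstance(node, ast.Call):
            continue
        # Name nodes carry .id (Template(...)); Attribute nodes carry .attr (x.from_string(...)).
        name = getattr(node.func, "id", None) or getattr(node.func, "attr", None)
        if name not in SINKS:
            continue
        src = node.args[0] if node.args else next(
            (kw.value for kw in node.keywords if kw.arg in SOURCE_KWARGS), None)
        if src is None:
            continue
        if not (isinstance(src, ast.Constant) and isinstance(src.value, str)):
            findings.append((node.lineno, name))
    return sorted(findings)

# Constructed sample views (parsed only, never imported or executed).
SAMPLE = '''
from django.http import HttpResponse
from django.template import Context, Template, engines

def greet_unsafe(request):
    body = "Hello " + request.GET.get("name", "")  # user input becomes template source
    return HttpResponse(Template(body).render(Context({"user": request.user})))

def greet_safe(request):
    t = Template("Hello {{ name }}")  # user input is only a context value
    return HttpResponse(t.render(Context({"name": request.GET.get("name", "")})))

def preview(request):
    return HttpResponse(engines["django"].from_string(request.POST["tpl"]).render())
'''

if __name__ == "__main__":
    for line, sink in find_dynamic_template_sources(SAMPLE):
        print(f"line {line}: {sink}() is given a non-literal template source")
```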