Django Template Server-Side Template Injection [SSTI]
Log in and edit one of the product description templates.
Change one of the template expressions to something invalid, such as a fuzz string ${{%[%'"}}%\, and save the template. The error message in the output hints that the Django framework is being used.
Study the Django documentation and notice that the built-in template tag debug can be called to display debugging information.
In the template, remove your invalid syntax and enter the following statement to invoke the debug built-in:
{% debug %}
Save the template. The output will contain a list of objects and properties to which you have access from within this template. Crucially, notice that you can access the settings object.
Study the settings object in the Django documentation and notice that it contains a SECRET_KEY property, which has dangerous security implications if known to an attacker.
In the template, remove the {% debug %} statement and enter the expression {{settings.SECRET_KEY}}.
Save the template to output the framework's secret key.
Click the "Submit solution" button and submit the secret key to solve the lab.
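The steps above work because the product description template is user-editable and the rendering context exposes the settings object, so any template tag or variable lookup the editor types is executed. From the defender's side, the mitigation is to treat user-submitted template source as untrusted input: allow only the tags a description needs and only the context roots it may reference, and reject anything else before it is saved. The following is an added Python example written for this page; it is not part of Django, of the lab, or of the video. The validator, its allow-lists (ALLOWED_TAGS, ALLOWED_ROOTS) and the sample templates are all assumptions constructed here, and the regular expression only mirrors the {% tag %} / {{ variable }} syntax closely enough to inspect a template, it is not Django's lexer.

```python
import re
from dataclasses import dataclass, field

# Django templates use {% tag %} and {{ variable }} blocks.  This pattern mirrors
# that syntax so user-submitted template source can be inspected before it is
# stored.  Hypothetical pre-save validator for this page, not Django code.
TOKEN_RE = re.compile(r"{%\s*(?P<tag>.*?)\s*%}|{{\s*(?P<var>.*?)\s*}}", re.S)

# Tags a product description legitimately needs (assumed allow-list).
# {% debug %} is absent on purpose: it dumps every object in the context.
ALLOWED_TAGS = {"if", "elif", "else", "endif", "for", "empty", "endfor"}

# Context roots the description may reference (assumed allow-list).
# `settings` is absent on purpose: exposing it is what leaks SECRET_KEY.
ALLOWED_ROOTS = {"product", "user"}


@dataclass
class Verdict:
    ok: bool
    reasons: list = field(default_factory=list)


def validate_template(source: str) -> Verdict:
    """Accept `source` only if every tag and variable root is allow-listed."""
    reasons = []
    loop_vars = set()  # names introduced by {% for x in ... %} are legal roots

    # A fuzz string leaves delimiters unbalanced; Django would raise a
    # TemplateSyntaxError whose message reveals the framework, so refuse it here.
    if source.count("{%") != source.count("%}") or source.count("{{") != source.count("}}"):
        reasons.append("unbalanced template delimiters")

    for m in TOKEN_RE.finditer(source):
        if m.group("tag") is not None:
            parts = m.group("tag").split()
            name = parts[0] if parts else ""
            if name not in ALLOWED_TAGS:
                reasons.append(f"tag not allowed: {{% {name} %}}")
            elif name == "for" and "in" in parts:
                # {% for a, b in product.tags %} -> loop variables a and b
                for var in parts[1:parts.index("in")]:
                    loop_vars.add(var.strip(","))
        else:
            # Drop filters ("price|floatformat:2") and take the dotted root.
            root = m.group("var").split("|")[0].strip().split(".")[0]
            if root not in ALLOWED_ROOTS and root not in loop_vars:
                reasons.append(f"variable root not allowed: {root}")

    return Verdict(ok=not reasons, reasons=reasons)


# Constructed sample inputs: a benign description, the two probes from the
# walkthrough above, and the fuzz string used to fingerprint the framework.
GOOD_TEMPLATE = (
    "{% if product.stock %}{{ product.name|upper }} costs {{ product.price }}"
    "{% for tag in product.tags %}{{ tag }}{% endfor %}{% endif %}"
)
DEBUG_PROBE = "{% debug %}"
SECRET_PROBE = "{{settings.SECRET_KEY}}"
FUZZ_STRING = '${{%[%\'"}}%\\'

if __name__ == "__main__":
    for sample in (GOOD_TEMPLATE, DEBUG_PROBE, SECRET_PROBE, FUZZ_STRING):
        verdict = validate_template(sample)
        print(repr(sample), "->", "accepted" if verdict.ok else verdict.reasons)
```

An allow-list on the editor side complements, but does not replace, keeping settings out of the rendering context: the template engine should only ever see the product and user objects the description needs, so that even a tag the validator misses has nothing sensitive to reach.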
Video "Django Template Server-Side Template Injection [SSTI]" by Молодежный Python-мир
Information
December 2, 2023, 11:21:53
00:05:38