Update README.md

Add reference to debug tag for Jinja2
This commit is contained in:
Techbrunch 2020-08-19 14:46:43 +02:00 committed by GitHub
parent cc95f4e386
commit 502a8121b4
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

View File

@ -35,6 +35,7 @@
* [Jinja2](#jinja2)
* [Basic injection](#basic-injection)
* [Template format](#template-format)
* [Debug Statement](#debug-statement)
* [Dump all used classes](#dump-all-used-classes)
* [Dump all config variables](#dump-all-config-variables)
* [Read remote file](#read-remote-file)
@ -338,6 +339,16 @@ The above injections have been tested on Flask application.
```
### Debug Statement¶
If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump the current context as well as the available filters and tests. This is useful to see whats available to use in the template without setting up a debugger.
```python
<pre>{% debug %}</pre>
```
Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
### Dump all used classes
```python
@ -510,4 +521,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
* [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
* [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
* [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE)
* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)