From 502a8121b43875df5812ab9d9d8b2c726eab97b6 Mon Sep 17 00:00:00 2001
From: Techbrunch <Techbrunch@users.noreply.github.com>
Date: Wed, 19 Aug 2020 14:46:43 +0200
Subject: [PATCH] Update README.md

Add reference to debug tag for Jinja2
---
 Server Side Template Injection/README.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/Server Side Template Injection/README.md b/Server Side Template Injection/README.md
index 2f88b82..feb6860 100644
--- a/Server Side Template Injection/README.md	
+++ b/Server Side Template Injection/README.md	
@@ -35,6 +35,7 @@
 * [Jinja2](#jinja2)
   * [Basic injection](#basic-injection)
   * [Template format](#template-format)
+  * [Debug Statement](#debug-statement)
   * [Dump all used classes](#dump-all-used-classes)
   * [Dump all config variables](#dump-all-config-variables)
   * [Read remote file](#read-remote-file)
@@ -338,6 +339,16 @@ The above injections have been tested on Flask application.
 
 ```
 
+### Debug Statement¶
+
+If the Debug Extension is enabled, a `{% debug %}` tag will be available to dump the current context as well as the available filters and tests. This is useful to see what’s available to use in the template without setting up a debugger.
+
+```python
+<pre>{% debug %}</pre>
+```
+
+Source: https://jinja.palletsprojects.com/en/2.11.x/templates/#debug-statement
+
 ### Dump all used classes
 
 ```python
@@ -510,4 +521,4 @@ Fixed by https://github.com/HubSpot/jinjava/pull/230
 * [Server-Side Template Injection (SSTI) in ASP.NET Razor - Clément Notin - 15 APR 2020](https://clement.notin.org/blog/2020/04/15/Server-Side-Template-Injection-(SSTI)-in-ASP.NET-Razor/)
 * [Expression Language injection - PortSwigger](https://portswigger.net/kb/issues/00100f20_expression-language-injection)
 * [Bean Stalking: Growing Java beans into RCE - July 7, 2020 - Github Security Lab](https://securitylab.github.com/research/bean-validation-RCE)
-* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)
\ No newline at end of file
+* [Remote Code Execution with EL Injection Vulnerabilities - Asif Durani - 29/01/2019](https://www.exploit-db.com/docs/english/46303-remote-code-execution-with-el-injection-vulnerabilities.pdf)