2022-06-05 21:05:46 +00:00
id : django-secret-key
info :
2022-06-06 11:52:25 +00:00
name : Django Secret Key Exposure
author : geeknik,DhiyaneshDk
2022-06-05 21:05:46 +00:00
severity : high
2023-03-27 08:12:04 +00:00
description : The Django settings.py file containing a secret key was discovered. An attacker may use the secret key to bypass many security mechanisms and potentially obtain other sensitive configuration information (such as database password) from the settings file.
2022-06-05 21:05:46 +00:00
reference : https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
metadata :
2023-11-07 15:12:40 +00:00
max-request : 7
2022-06-05 21:05:46 +00:00
verified : true
shodan-query : html:settings.py
2023-11-07 15:12:40 +00:00
comments: 'We download the manage.py file to check whether it contains line such as : `os.environ.setdefault("DJANGO_SETTINGS_MODULE", "APP_NAME.settings")` if it does, we extract the APP_NAME to know in what folder to look for the settings.py file.'
2022-10-13 10:12:07 +00:00
tags : django,exposure,files
2022-06-05 21:05:46 +00:00
2023-04-27 04:28:59 +00:00
http :
2022-06-05 21:05:46 +00:00
- method : GET
path :
2023-11-06 19:53:30 +00:00
- "{{BaseURL}}/manage.py"
2022-06-05 21:05:46 +00:00
- "{{BaseURL}}/settings.py"
- "{{BaseURL}}/app/settings.py"
- "{{BaseURL}}/django/settings.py"
- "{{BaseURL}}/settings/settings.py"
- "{{BaseURL}}/web/settings/settings.py"
2023-11-06 19:53:30 +00:00
- "{{BaseURL}}/{{app_name}}/settings.py"
2022-06-05 21:05:46 +00:00
2023-11-06 19:53:30 +00:00
stop-at-first-match : true
2022-06-05 21:05:46 +00:00
matchers-condition : and
matchers :
- type : word
part : body
words :
- "SECRET_KEY ="
2022-06-06 11:52:25 +00:00
2022-06-05 21:05:46 +00:00
- type : word
part : header
words :
- "text/html"
negative : true
2022-06-06 11:52:25 +00:00
- type : status
status :
- 200
extractors :
- type : regex
part : body
group : 1
regex :
- '"DJANGO_SECRET_KEY", "(.*)"'
2023-11-07 15:12:40 +00:00
2023-11-06 19:53:30 +00:00
- type : regex
part : body
internal : true
name : app_name
group : 1
regex :
- "os.environ.setdefault\\([\"']DJANGO_SETTINGS_MODULE[\"'],\\s[\"']([a-zA-Z-_0-9]*).settings[\"']\\)"