id: django-secret-key

info:
  name: Django Secret Key Exposure
  author: geeknik,DhiyaneshDk
  severity: high
  reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key
  metadata:
    verified: true
    shodan-query: html:settings.py
  tags: django,exposure

requests:
  - method: GET
    path:
      - "{{BaseURL}}/settings.py"
      - "{{BaseURL}}/app/settings.py"
      - "{{BaseURL}}/django/settings.py"
      - "{{BaseURL}}/settings/settings.py"
      - "{{BaseURL}}/web/settings/settings.py"

    stop-at-first-match: true
    matchers-condition: and
    matchers:

      - type: word
        part: body
        words:
          - "SECRET_KEY ="

      - type: word
        part: header
        words:
          - "text/html"
        negative: true

      - type: status
        status:
          - 200

    extractors:
      - type: regex
        part: body
        group: 1
        regex:
          - '"DJANGO_SECRET_KEY", "(.*)"'