id: django-secret-key info: name: Django Secret Key Exposure author: geeknik,DhiyaneshDk severity: high description: The Django settings.py file containing a secret key was discovered. An attacker may use the secret key to bypass many security mechanisms and potentially obtain other sensitive configuration information (such as database password) from the settings file. reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key metadata: verified: true shodan-query: html:settings.py tags: django,exposure,files requests: - method: GET path: - "{{BaseURL}}/settings.py" - "{{BaseURL}}/app/settings.py" - "{{BaseURL}}/django/settings.py" - "{{BaseURL}}/settings/settings.py" - "{{BaseURL}}/web/settings/settings.py" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "SECRET_KEY =" - type: word part: header words: - "text/html" negative: true - type: status status: - 200 extractors: - type: regex part: body group: 1 regex: - '"DJANGO_SECRET_KEY", "(.*)"'