id: django-secret-key info: name: Django Secret Key Exposure author: geeknik,DhiyaneshDk severity: high description: | The Django settings.py file containing a secret key was discovered. An attacker may use the secret key to bypass many security mechanisms and potentially obtain other sensitive configuration information (such as database password) from the settings file. reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key metadata: verified: true max-request: 7 shodan-query: html:settings.py comments: 'This template downloads the manage.py file to check whether it contains line such as: `os.environ.setdefault("DJANGO_SETTINGS_MODULE", "APP_NAME.settings")` if it does, we extract the APP_NAME to know in what folder to look for the settings.py file.' tags: django,exposure,files http: - method: GET path: - "{{BaseURL}}/manage.py" - "{{BaseURL}}/settings.py" - "{{BaseURL}}/app/settings.py" - "{{BaseURL}}/django/settings.py" - "{{BaseURL}}/settings/settings.py" - "{{BaseURL}}/web/settings/settings.py" - "{{BaseURL}}/{{app_name}}/settings.py" stop-at-first-match: true matchers-condition: and matchers: - type: word part: body words: - "SECRET_KEY =" - type: word part: header words: - "text/html" negative: true - type: status status: - 200 extractors: - type: regex part: body group: 1 regex: - '"DJANGO_SECRET_KEY", "(.*)"' - type: regex part: body internal: true name: app_name group: 1 regex: - "os.environ.setdefault\\([\"']DJANGO_SETTINGS_MODULE[\"'],\\s[\"']([a-zA-Z-_0-9]*).settings[\"']\\)" # digest: 4a0a00473045022100b9f99aa21141aff5a2e32d9d17a38a880455bee51e9d5cb86222bbadac6086b402203b18b6d4563233114ccc027031dd1a9e01f8d491147509d60836f496edee6d8b:922c64590222798bb761d5b6d8e72950