
Django Secret Key Exposure

By kannthu

High
Vidoc Module
#django#exposure#files
Description

What is the "Django Secret Key Exposure" module?

The "Django Secret Key Exposure" module is designed to detect the exposure of Django secret keys. Django is a popular Python web framework used for building web applications. The module looks for a deployment misconfiguration in which the application's settings.py is served by the web server, which exposes SECRET_KEY along with any other secrets stored in that file.

This module has a high severity level, indicating that the exposure of secret keys can have significant security implications for Django applications.

Author: geeknik, DhiyaneshDk

Impact

If the Django secret key is exposed, an attacker can forge anything Django signs with it, including session cookies, password reset tokens and any other value produced through Django's signing API, and can therefore impersonate users or bypass protections that rely on those signatures. The key is the input to Django's cryptographic signing and must be kept confidential. A leaked key has to be rotated; note that rotating it invalidates existing sessions and signed tokens, so plan the change accordingly.
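The following is an added example, not code from the module or from Django, showing concretely why a leaked key matters. The signing scheme is modelled on django.core.signing.Signer (HMAC-SHA256 keyed with SHA-256(salt + secret), output as "value:signature"); the default salt string and the exact derivation are assumptions about Django's internals, and the key and cookie values are constructed for the demonstration. A server-issued cookie verifies, a cookie edited without the key is rejected, and a cookie forged with the leaked key is accepted as genuine.

```python
import base64
import hashlib
import hmac

# Constructed values for the demonstration; nothing here comes from a real deployment.
LEAKED_SECRET_KEY = "django-insecure-example-key-do-not-use"
# Default salt of django.core.signing.Signer (assumption about Django's internals).
DEFAULT_SALT = "django.core.signing.Signer"


def salted_hmac(key_salt: str, value: str, secret: str) -> bytes:
    """Modelled on django.utils.crypto.salted_hmac (assumption): derive a
    per-purpose key as SHA-256(salt + secret) and HMAC-SHA256 the value with it."""
    derived_key = hashlib.sha256((key_salt + secret).encode()).digest()
    return hmac.new(derived_key, value.encode(), hashlib.sha256).digest()


def sign(value: str, secret: str, salt: str = DEFAULT_SALT) -> str:
    """Return 'value:signature', the layout Django's Signer produces."""
    mac = salted_hmac(salt + "signer", value, secret)
    sig = base64.urlsafe_b64encode(mac).decode().rstrip("=")
    return f"{value}:{sig}"


def unsign(signed: str, secret: str, salt: str = DEFAULT_SALT) -> str:
    """Verify the trailing signature and return the value; raise ValueError on mismatch."""
    value, sep, sig = signed.rpartition(":")
    if not sep:
        raise ValueError("no signature present")
    expected = sign(value, secret, salt).rpartition(":")[2]
    if not hmac.compare_digest(sig, expected):
        raise ValueError("bad signature")
    return value


def server_accepts(cookie: str, secret: str) -> bool:
    """What a Django-style server does with an incoming signed cookie."""
    try:
        unsign(cookie, secret)
        return True
    except ValueError:
        return False


def demo(secret: str = LEAKED_SECRET_KEY) -> dict:
    """Compare three cookies: the server's own, one edited without the key,
    and one forged by an attacker who read the key from an exposed settings.py."""
    legit = sign("user=alice", secret)                    # issued by the server
    tampered = "user=admin:" + legit.rpartition(":")[2]  # value changed, old signature kept
    forged = sign("user=admin", secret)                   # attacker holds the leaked key
    return {
        "legit": server_accepts(legit, secret),
        "tampered": server_accepts(tampered, secret),
        "forged": server_accepts(forged, secret),
    }


if __name__ == "__main__":
    print(demo())
```

The tampered cookie fails because the signature no longer matches the value; the forged one passes because the only thing the check depends on is the secret, which the attacker now has. Real Django adds a timestamp (TimestampSigner) and optional compression on top of this layout, but neither helps once the key is known.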

How does the module work?

The "Django Secret Key Exposure" module works by sending HTTP requests to specific paths commonly associated with Django configuration files, such as "/settings.py" and "/app/settings.py". It then applies matching conditions to identify if the response contains the "SECRET_KEY =" string and if the response status is 200 (OK).

Example HTTP request:

GET /settings.py

The module reports a match only when all three conditions hold: the response body contains the string "SECRET_KEY =", the response status is 200, and the response is not served as text/html. The last condition filters out HTML pages (soft 404s, documentation, error pages) that merely mention the setting, which would otherwise produce false positives.

A positive match means the server is handing out its Django settings file, and the secret key, and any other credentials in that file, should be treated as compromised.
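The detection logic described above, reimplemented as an added example (this is not the module's own code, and Vidoc's matcher internals are not reproduced). It probes the three paths the module preview names (the "+2 paths" the preview elides are left out), applies the same three conditions, and records only a SHA-256 prefix of the key so the finding can be reported without copying the secret into a ticket. Whether the module's "NOT word: text/html" check looks at the Content-Type header is an assumption; the hostname, responses and key value are constructed for an offline run.

```python
import hashlib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Paths from the module preview (the "+2 paths" it elides are not reproduced here).
PATHS = ["/settings.py", "/app/settings.py", "/django/settings.py"]

# SECRET_KEY = '...'  or  SECRET_KEY = "..."
SECRET_KEY_RE = re.compile(r"""SECRET_KEY\s*=\s*(['"])(.*?)\1""")


@dataclass
class Response:
    status: int
    headers: Dict[str, str]
    body: str


def matches(resp: Response) -> bool:
    """The module's three conditions: status 200 AND body contains "SECRET_KEY ="
    AND not text/html (assumption: checked against the Content-Type header)."""
    headers = {k.lower(): v for k, v in resp.headers.items()}
    content_type = headers.get("content-type", "").lower()
    return (
        resp.status == 200
        and "SECRET_KEY =" in resp.body
        and "text/html" not in content_type
    )


def fingerprint(body: str) -> Optional[str]:
    """Short SHA-256 prefix of the leaked key: enough to prove and deduplicate
    the finding without writing the secret itself into a report."""
    m = SECRET_KEY_RE.search(body)
    if not m:
        return None
    return hashlib.sha256(m.group(2).encode()).hexdigest()[:12]


def scan(base_url: str, fetch: Callable[[str], Response]) -> List[dict]:
    """Probe every path and return one finding per exposed settings file."""
    findings = []
    for path in PATHS:
        url = base_url + path
        resp = fetch(url)
        if matches(resp):
            findings.append({"url": url, "key_sha256_prefix": fingerprint(resp.body)})
    return findings


def http_fetch(url: str, timeout: float = 10) -> Response:
    """Real fetcher for live use; 4xx/5xx are returned as responses, not raised."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return Response(r.status, dict(r.headers), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:
        return Response(e.code, dict(e.headers), e.read().decode("utf-8", "replace"))


# Constructed responses for an offline demonstration (target.example is not a real host).
FAKE_SITE = {
    "http://target.example/settings.py": Response(
        200, {"Content-Type": "text/x-python"},
        "DEBUG = True\nSECRET_KEY = 'django-insecure-example-key'\nALLOWED_HOSTS = ['*']\n"),
    # Soft 404: a 200 HTML page that mentions the setting; must NOT be reported.
    "http://target.example/app/settings.py": Response(
        200, {"Content-Type": "text/html; charset=utf-8"},
        "<html><body>Not found. Tip: set SECRET_KEY = in settings.py</body></html>"),
    "http://target.example/django/settings.py": Response(
        404, {"Content-Type": "text/plain"}, "Not Found"),
}


def fake_fetch(url: str) -> Response:
    return FAKE_SITE.get(url, Response(404, {}, ""))


if __name__ == "__main__":
    for finding in scan("http://target.example", fake_fetch):
        print(finding)
```

Against the constructed site only /settings.py is reported: the HTML soft 404 is dropped by the text/html exclusion even though its body contains "SECRET_KEY =", and the 404 fails the status check. For a live target, pass http_fetch instead of fake_fetch.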

Reference: https://docs.gitguardian.com/secrets-detection/detectors/specifics/django_secret_key

Metadata: verified: true, shodan-query: html:settings.py

Module preview

Concurrent Requests (1)
1. HTTP Request template
GET /settings.py, /app/settings.py, /django/settings.py (+2 paths)
Matching conditions
word: SECRET_KEY = AND
NOT word: text/html AND
status: 200
Passive global matcher
No matching conditions.
On match action
Report vulnerability