Server-side template injection with information disclosure via user-supplied objects


This lab is vulnerable to server-side template injection due to the way an object is being passed into the template. This vulnerability can be exploited to access sensitive data.

Reproduction and proof of concept

  1. Log in with content-manager:C0nt3ntM4n4g3r and edit one of the product description templates.

  2. Change one of the template expressions to something invalid, such as a fuzz string ${{<%[%'"}}%\, and save the template.

Internal Server Error

Traceback (most recent call last): File "<string>", line 11, in <module> File "/usr/local/lib/python2.7/dist-packages/django/template/", line 191,...

The error message in the output hints that the Django framework is being used.

  1. Study the Django documentation and notice that the built-in template tag debug can be called to display debugging information.

  2. In the template, remove your invalid syntax and enter the following statement to invoke the debug built-in:

{% debug %}
  1. Save the template. The output will contain a list of objects and properties to which you have access from within this template. Crucially, notice that you can access the settings object.

{'product': {'name': 'Pest Control Umbrella', 'price': '$48.16', 'stock': 80}, 'settings': } ... 'django.conf.global_settings': , ... }
  1. Study the settings object in the Django documentation and notice that it contains a SECRET_KEY property, which has dangerous security implications if known to an attacker.

  2. In the template, remove the {% debug %} statement and enter the expression



  1. Save the template to output the framework’s secret key.

  2. Click the “Submit solution” button and submit the secret key to solve the lab.


An attacker will need to steal and submit the framework’s secret key.