URL injection + Insecure security controls

Medium45MIN

Deepen your knowledge and try to bypass the built-in security mechanism in the application. After that, you can perform a classic URL injection attack and solve the lab. This lab is based on a real-life application where the developers used similar protection mechanisms without knowing that they could be completely breached.

Read the blog here if you get stuck!

The application source codes can be found below.

1import os
2import hmac
3import flask
4import requests
5
6from urllib.parse import urlparse
7from flask import Flask, render_template, request, flash, abort, jsonify
8from modules import database
9from modules import variables
10
11app = Flask(__name__)
12db = database.Database()
13
14@app.route("/internal-api/v1/recipes", methods=['GET'])
15def recipes_api():
16    ip_address = flask.request.remote_addr
17    if ip_address not in ('127.0.0.1', '::1', 'localhost'):
18        abort(404)
19    
20    return jsonify({
21        'recipes': [
22            {
23                'Secret Recipe': [
24                    'Sugar',
25                    'Flour',
26                    'Hacked flag %s' % os.environ['FLAG']
27                ]
28            }
29        ]
30    })
31
32@app.route("/api/user/<user_mail>")
33def user_api(user_mail):
34    ip_address = flask.request.remote_addr
35    if ip_address not in ('127.0.0.1', '::1', 'localhost'):
36      abort(404)
37    user_mail = request.view_args["user_mail"]
38    ret_user = db.get_user(user_mail)
39    if ret_user != None:
40      return jsonify({ 'Email free': 'False' })
41    else:
42      return jsonify({ 'Email free': 'True' })
43
44@app.route("/verify", methods=['POST'])
45def verify():
46  mail = request.form.get("mail")
47  signature = request.headers.get('X-Signature')
48  if calculateSignatureAndCompare(email, signature):
49    resp = requests.get("http://127.0.0.1:5000/api/user/"+sposti)
50    return jsonify(resp.json())
51  else:
52    return jsonify({'Signature':'Invalid'})
53
54@app.route("/", methods=['GET'])
55def index():
56  return render_template("index.html")
57
58# Helper function that calculates and compares the signature with the given value
59def calculateSignatureAndCompare(email, signature):
60  try:
61    key = variables.secret
62    hmac_value = hmac.new(key=key.encode(), msg=sposti.encode(), digestmod="sha256")
63    calculated_signature = hmac_value.digest().hex()
64    if calculated_signature == signature:
65      return True
66
67    return False
68  except Exception as e:
69    print
70    return False
71
72if __name__ == '__main__':
73  app.run(debug=False, host='0.0.0.0', port=5000)
74

1 / 2

Previous: Insecurely constructed URLs or URL injectionPrevious Back to course

Hakatemia Pro

Learn to hack — start here

Hundreds of interactive courses, virtual labs and CTF challenges in your browser. Start a free trial — no card required.