Level0
======

Cross-Site Request Forgery
--------------------------

**Severity**: Critical

**Description**: The "Transfer Funds" functionality is vulnerable to CSRF because no session-specific random token is attached to the form.

**Reproduction Steps**:

1. Go to the Transfer Funds page
2. Submit a funds transfer
3. Note that the only data transmitted is the destination and the amount.

You can also use the following proof of concept to submit an automatic transfer:

```html
<body onload="document.forms[0].submit()">
<form action="http://breaker-studentcenter.appspot.com/levels/0/" method="POST">
<input type="hidden" name="amount" value="1000000">
<input type="hidden" name="to" value="1625">
</form>
</body>
```

**Impact**: Because of the simple nature of this vulnerability, an attacker can transfer funds from any victim he can convince to visit a page he controls. In this proof of concept the form is auto-submitted in plain view, but the same request could be made from a hidden IFrame, leaving the user no clue that an attack has happened at all.

**Mitigation**: Proper CSRF tokens should be used on all forms. You can read more here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/0

Reflected XSS
-------------

**Severity**: Critical

**Description**: The `amount` field of transfers is vulnerable to reflected XSS due to a lack of safe escaping. This can be triggered via GET (to auto-fill the `to` and `amount` fields) or via error cases on POST.

**Reproduction Steps**:

1. Go to the Transfer Funds page
2. Enter anything into the `to` field and in the `amount` field enter `"><script>alert(1);</script>`
3. Submit the transfer
4. Note that a script tag has been added to the page; depending on XSS protection settings, you may see an alert box as well

**Impact**: This vulnerability allows an attacker to perform any action she desires as an arbitrary user whom she convinces to click a link containing an XSS payload. This means that an attacker could distribute a payload that causes any user to transfer money to her.

**Mitigation**: All user input must be escaped before being displayed on the page. The leading `">` in the payload closes the `value` attribute the field is echoed into, so the escaping must cover quotes, not only angle brackets. In this case it is also a good idea to convert the `amount` value to an integer first, as this completely eliminates the possibility of user input compromising the page.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/0

Direct Object Reference
-----------------------

**Severity**: Critical

**Description**: In addition to the normal `to` field on transfers, a `from` field is also accepted, allowing you to specify the account you are transferring from; authentication for the accounts is not required.

**Reproduction Steps**:

The following proof of concept performs an automatic transfer from account 1 to account 2, regardless of whether or not you are logged into either account:

```html
<body onload="document.forms[0].submit()">
<form action="http://breaker-studentcenter.appspot.com/levels/0/" method="POST">
<input type="hidden" name="amount" value="1000000">
<input type="hidden" name="from" value="1">
<input type="hidden" name="to" value="2">
</form>
</body>
```

**Impact**: Because there is no authorization check and accounts can be referenced directly, it is trivial for an attacker to transfer funds between any two accounts.

**Mitigation**: The `from` field should be ignored or, at the very least, checked against the account(s) attached to the logged-in user.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/0
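The two server-side mistakes behind the Level 0 findings above, the `from` account taken from the request without an ownership check and the raw `amount` string reaching the page, can be shown together. The following is an added example written for this page, not code from the breaker-studentcenter application; the in-memory account store, the `session_user` argument and the handler names are assumptions made for the illustration.

```python
# Added example, not code from the breaker-studentcenter application: a
# simulated Level 0 "Transfer Funds" handler, first as reported (the
# client-chosen `from` account is trusted and the raw `amount` string is
# reflected on error), then hardened. The account store, session user and
# parameter names are assumptions made for this illustration.
import html


def sample_accounts():
    """Constructed sample data: account id -> [owner nickname, balance]."""
    return {1: ["alice", 5000], 2: ["bob", 100], 1625: ["mallory", 0]}


class Rejected(Exception):
    """Raised when a transfer fails validation or authorization."""


def transfer_vulnerable(accounts, session_user, params):
    """Behaviour described in the report. `session_user` is never consulted."""
    src = int(params["from"])          # trusted straight from the request
    dst = int(params["to"])
    try:
        amount = int(params["amount"])
    except ValueError:
        # Reflected XSS: raw user input is dropped into the response body.
        return "<p>Invalid amount: %s</p>" % params["amount"]
    accounts[src][1] -= amount
    accounts[dst][1] += amount
    return "<p>Transferred %d</p>" % amount


def parse_int(raw, name):
    """Coerce a form field to int; reject (with an escaped message) otherwise."""
    try:
        return int(raw)
    except (TypeError, ValueError):
        raise Rejected("invalid %s: %s" % (name, html.escape(str(raw), quote=True)))


def owned_accounts(accounts, user):
    return {aid for aid, (owner, _) in accounts.items() if owner == user}


def transfer_fixed(accounts, session_user, params):
    """Hardened handler: the source account must belong to the logged-in
    user, `amount` is an integer before it is used or displayed, and the
    destination must exist."""
    owned = owned_accounts(accounts, session_user)
    if not owned:
        raise Rejected("no accounts for %s" % session_user)
    # If `from` is absent, default to the user's own account; if present, it
    # is only honoured when it is one of theirs.
    src = parse_int(params["from"], "from") if "from" in params else min(owned)
    if src not in owned:
        raise Rejected("from account %d is not owned by %s" % (src, session_user))
    dst = parse_int(params["to"], "to")
    amount = parse_int(params["amount"], "amount")
    if dst not in accounts or dst == src:
        raise Rejected("invalid destination")
    if amount <= 0 or accounts[src][1] < amount:
        raise Rejected("invalid or unaffordable amount")
    accounts[src][1] -= amount
    accounts[dst][1] += amount
    # Only the parsed integer, never the raw string, reaches the page.
    return "<p>Transferred %d</p>" % amount
```

The ownership check is the fix for the direct object reference; coercing `amount` with `int()` before any use is what closes the reflected XSS, because the error path then never has a raw string to echo. Neither replaces the CSRF token the first finding calls for: a logged-in victim can still be made to submit a transfer from their own account.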
Level1
======

CSRF Tokens Validated Improperly
--------------------------------

**Severity**: Medium

**Description**: While the application uses CSRF tokens, its only validation is to ensure that they are 32 characters long. This check is inadequate, as any CSRF token (or, indeed, any string of the proper length) will pass it.

**Reproduction Steps**:

1. Submit a wall post
2. Intercept the post with Burp Proxy
3. Change the CSRF token to any other 32-character value
4. Note that the post was successful

**Impact**: Because of the simple nature of this vulnerability, an attacker can post to the wall of any victim he can convince to visit a page he controls.

**Mitigation**: CSRF tokens must be compared in their entirety against the value stored for the session, preferably in constant time to reduce the likelihood of timing attacks.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/1

CSRF Tokens Easily Guessed
--------------------------

**Severity**: Medium

**Description**: While the application uses CSRF tokens, they are not generated randomly as standard practice requires. Instead, each token is the MD5 of the user's account nickname. This makes it trivial to compute the CSRF token and forge it for targeted attacks.

**Reproduction Steps**:

1. Look at the CSRF token on the page
2. Run the command `echo -n your.nickname | md5sum` at the command line
3. Note that the output of this command matches the CSRF token

**Impact**: Because these tokens are so easily computed, it is trivial for an attacker to perform targeted attacks against a given user.

**Mitigation**: CSRF tokens must be generated randomly upon creation of each user's session.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/1
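The two Level 1 token findings above come down to how the token is made and how it is checked. The following added example, not the application's code, reproduces both reported defects in Python beside a sound implementation; the session dict and the function names are assumptions made for this illustration.

```python
# Added example, not the application's code: the two Level 1 CSRF-token
# defects reproduced side by side with a sound implementation. The session
# store and function names are assumptions made for this illustration.
import hashlib
import hmac
import secrets

TOKEN_BYTES = 16   # 32 hex characters, matching the length the app checks


def predictable_token(nickname):
    """How the report says tokens were derived: MD5 of the account nickname.
    Anyone who knows a nickname can compute it (`echo -n nick | md5sum`)."""
    return hashlib.md5(nickname.encode("utf-8")).hexdigest()


def validate_length_only(submitted):
    """The reported check: any 32-character string passes."""
    return len(submitted) == 32


def issue_token(session):
    """Sound generation: a fresh CSPRNG token bound to the server-side session.
    `session` is a dict standing in for whatever session store the app uses."""
    session["csrf"] = secrets.token_hex(TOKEN_BYTES)
    return session["csrf"]


def validate_token(session, submitted):
    """Sound validation: compare the whole token, in constant time, against
    the value stored in this session only. Missing or non-string input fails."""
    expected = session.get("csrf")
    if not expected or not isinstance(submitted, str):
        return False
    return hmac.compare_digest(expected.encode("utf-8"), submitted.encode("utf-8"))
```

`validate_token` fails closed on a missing session token, rejects a token issued to a different session, and does not short-circuit on the first mismatching byte. Note that an MD5 of the nickname is exactly 32 characters, so under the reported check the guessable token and the length-only validation compound each other.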
Stored XSS
----------

**Severity**: Medium

**Description**: Due to improper handling of links, it is possible to embed stored XSS payloads in wall posts.

**Reproduction Steps**:

1. Submit a wall post including the URL `http://google.com"onmouseover="alert(1)`
2. Hover over the link in the submitted post
3. Note that an alert dialog is triggered

**Impact**: Stored XSS here makes it possible for an attacker to easily impersonate a user's behavior. Because the attacker could force a user to make new posts, self-propagating malware could be distributed using this vulnerability.

**Mitigation**: All user input, including these links, must be properly HTML escaped before output; the payload works because the URL is placed into an `href` attribute without its quotes being escaped.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/1

Forced Browsing/Enumerable Post IDs
-----------------------------------

**Severity**: Low

**Description**: Due to the use of incremental IDs and a lack of authorization checks, it is possible for users to enumerate the posts of others.

**Reproduction Steps**:

1. View the page http://breaker-studentcenter.appspot.com/levels/1/post?id=0
2. Note that you see a post by cody.brocious
3. View the page http://breaker-studentcenter.appspot.com/levels/1/post?id=1
4. Note that you see a post by another user
5. Continuing to increment the id will give you every post in the system.

**Impact**: An attacker can trivially read every single post in the system, regardless of the user's privacy settings.

**Mitigation**: If posts are intended to be private by default, authorization checks should be put in place to ensure that users cannot access posts outside their permissions. In addition, pseudo-randomly generated IDs would remove the ability to simply increment the ID. Note well that random IDs alone do not mitigate the issue: if users can still access posts without proper authorization, they can do so even when post IDs are hard to guess.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/1
-------------------------------------------------------------------------------- /gae/static/report23.html: --------------------------------------------------------------------------------

Level2
======

Reflected XSS
-------------

**Severity**: Medium
**Description**: The application receives an `id` field in the query string. When a non-existent profile is viewed, this field is not properly encoded before being displayed to the user. When a profile is edited, the field is ignored but is still reflected unsafely into the browser as part of the form action.

**Reproduction Steps**:

1. Go to http://breaker-studentcenter.appspot.com/levels/2/?id=%3Cscript%3Ealert(1);%3C/script%3E
2. Note that an alert dialog is shown

**Impact**: This vulnerability allows an attacker to perform any action she desires as an arbitrary user whom she convinces to click a link containing an XSS payload.

**Mitigation**: All user input must be escaped before being displayed on the page. In this case it is also a good idea to convert the `id` parameter to an integer first, as this completely eliminates the possibility of user input compromising the page.

**Affected Assets**:

1. http://breaker-studentcenter.appspot.com/levels/2
2. http://breaker-studentcenter.appspot.com/levels/2/edit

Stored XSS
----------

**Severity**: Medium

**Description**: The URL for profile photos is not escaped for display, making it vulnerable to stored XSS on both the profile view and edit pages.

**Reproduction Steps**:

1. Go to the application's edit profile page
2. In the `Profile picture URL` field, insert the following: `http://breaker-studentcenter.appspot.com/favicon.png?"><script>alert(1);</script>.png`
3. Note that the alert dialog is shown upon save

**Impact**: This vulnerability allows an attacker to perform any action she desires as an arbitrary user whom she convinces to view the affected profile.

**Mitigation**: All user input must be escaped before being displayed on the page.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/2/edit

Stored XSS
----------

**Severity**: Medium

**Description**: Colors embedded in the description field of profiles are not escaped when the description markup is converted for display.

**Reproduction Steps**:

1. Go to the application's edit profile page
2. In the `Description` field, insert the following: `[ red"><script>alert(1);</script> | Exploit ]`
3. Note that the alert dialog is shown upon save

**Impact**: This vulnerability allows an attacker to perform any action she desires as an arbitrary user whom she convinces to view the affected profile.

**Mitigation**: All user input must be escaped before being displayed on the page.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/2/edit
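The Level 1 link payload and both Level 2 stored XSS payloads above land in attribute context, where HTML-escaping with quotes included (plus refusing non-http(s) URLs) is the fix. The following added example, not the application's code, renders a link, a profile picture URL and the `[ color | text ]` description markup safely and is exercised with the report's own payloads; the function names, the markup grammar and the colour allowlist are assumptions made for this illustration.

```python
# Added example, not the application's code: rendering user-supplied links,
# image URLs and `[ color | text ]` description markup without the Level 1
# and Level 2 stored XSS. The render_* names, the markup grammar and the
# colour allowlist are assumptions for this illustration; the payloads in
# the tests are the ones from the report.
import html
import re
from urllib.parse import urlsplit

SAFE_SCHEMES = ("http", "https")
SAFE_COLORS = {"red", "green", "blue", "black", "white", "gray"}  # assumed allowlist
COLOR_MARKUP = re.compile(r"\[\s*([^|\]]+?)\s*\|\s*([^\]]*?)\s*\]")


def safe_url(raw):
    """Return the stripped URL if it has an http(s) scheme and a host, else None.
    A quote or angle bracket can still appear inside a valid URL, so the caller
    must also escape the result for the context it is written into."""
    try:
        parts = urlsplit(raw.strip())
    except ValueError:
        return None
    if parts.scheme.lower() not in SAFE_SCHEMES or not parts.netloc:
        return None
    return raw.strip()


def attr(value):
    """Escape for use inside a double-quoted HTML attribute (quote=True matters)."""
    return html.escape(value, quote=True)


def render_link(raw):
    url = safe_url(raw)
    if url is None:
        return html.escape(raw)          # shown as text, never as a link
    return '<a href="%s">%s</a>' % (attr(url), html.escape(url))


def render_profile_picture(raw):
    url = safe_url(raw)
    if url is None:
        return ""                        # drop javascript:/data: and the like
    return '<img src="%s" alt="profile picture">' % attr(url)


def render_description(text):
    """Replace `[ color | text ]` with a span. Unknown colours fall back to
    plain escaped text, and escaping is applied to the pieces rather than the
    assembled result, so a payload in either slot ends up inert."""
    def sub(m):
        color, body = m.group(1), m.group(2)
        if color.lower() in SAFE_COLORS:
            return '<span style="color: %s">%s</span>' % (color.lower(), html.escape(body))
        return html.escape(m.group(0))
    out, last = [], 0
    for m in COLOR_MARKUP.finditer(text):
        out.append(html.escape(text[last:m.start()]))
        out.append(sub(m))
        last = m.end()
    out.append(html.escape(text[last:]))
    return "".join(out)
```

Two design points: scheme validation and escaping are separate controls (the Level 1 payload is a syntactically valid http URL, so only the escaping stops it), and the colour name is matched against an allowlist rather than being interpolated into `style`, which otherwise becomes a CSS injection point even with HTML escaping.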
Notes
-----

The vulnerability count given for this level is incorrect: the actual total is 5, not 7. The stated count was based on the number of *outputs* rather than *inputs*.

The unrelated bonus was due to the handling of special characters in the description. If you're curious, see https://gist.github.com/daeken/6703071 for how `\x00-\x02` are handled.

Level3
======

Cross-Site Request Forgery
--------------------------

**Severity**: High

**Description**: The "Edit Page" functionality is vulnerable to CSRF because no session-specific random token is attached to the form.

**Reproduction Steps**:

1. Go to the admin page
2. Submit a page edit
3. Note that the only data transmitted is the title and the body.

**Impact**: Because of the simple nature of this vulnerability, an attacker can edit pages on behalf of any victim (here, an administrator) whom he can convince to visit a page he controls.

**Mitigation**: Proper CSRF tokens should be used on all forms. You can read more here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF)

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/3/admin

Lack of Authorization on Admin Functionality
--------------------------------------------

**Severity**: Critical

**Description**: The "Edit Page" functionality checks admin authorization only when the form is accessed, not when an edit is submitted.

**Reproduction Steps**:

1. As a non-admin, perform a POST to http://breaker-studentcenter.appspot.com/levels/3/admin with the body `title=Vuln&body=No+Admin+Needed`
2. Note that the page is edited to reflect these changes

**Impact**: Because of the missing authorization check, any user can make arbitrary changes to content. In conjunction with the XSS vulnerabilities below, this could allow an attacker to compromise the sessions of every user.

**Mitigation**: Proper authorization must be enforced on every action an administrator can perform, not only on the pages that render the forms.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/3/admin

Authorization by Client-Side Credential
---------------------------------------

**Severity**: Critical

**Description**: Authorization for the application is done via a cookie named `admin`. Changing its value from `0` to `1` unlocks all admin functionality.

**Reproduction Steps**:

1. As a non-admin, visit the application while intercepting responses with Burp Proxy
2. When the server sets the `admin` cookie, change its value to `1`
3. Note that the page now contains admin functionality, which is fully usable

**Impact**: Any user can trivially enable administration functionality.

**Mitigation**: User authorization should be stored purely on the server, tied to an authenticated session.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/3/
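The two Level 3 authorization findings above (the role read from an `admin` cookie, and the check performed only on the GET that renders the form) are shown below as an added example in Python, not the application's code, next to a version that looks the role up in a server-side session and enforces it on every method. The `Request` class, the session store and the page store are constructed for the illustration.

```python
# Added example, not the application's code: the Level 3 admin check done
# the way the report describes (an `admin` cookie, checked only when the
# form is rendered) next to a server-side version enforced on every request
# that reaches the admin action. The Request class, session store and page
# store are constructed for this illustration.
import secrets


class Request:
    """Minimal stand-in for a web framework request object."""
    def __init__(self, method, cookies=None, params=None):
        self.method = method
        self.cookies = cookies or {}
        self.params = params or {}


class Forbidden(Exception):
    pass


# Server-side state: opaque session id -> user record; page name -> content.
SESSIONS = {}
PAGES = {"home": {"title": "Home", "body": "Welcome"}}


def login(nickname, is_admin):
    """Create a server-side session. The client only ever holds the random id,
    never the role, so there is nothing in the cookie jar worth editing."""
    sid = secrets.token_hex(16)
    SESSIONS[sid] = {"user": nickname, "admin": is_admin}
    return sid


def is_admin_vulnerable(request):
    """As reported: trusts a client-controlled cookie."""
    return request.cookies.get("admin") == "1"


def is_admin(request):
    """Privilege is looked up from the server-side session, never the client."""
    session = SESSIONS.get(request.cookies.get("sid"))
    return bool(session and session["admin"])


def admin_edit_vulnerable(request):
    """As reported: authorization happens only when rendering the form."""
    if request.method == "GET":
        if not is_admin_vulnerable(request):
            raise Forbidden()
        return "form"
    # The POST that actually changes content performs no check at all.
    PAGES["home"] = {"title": request.params["title"], "body": request.params["body"]}
    return "saved"


def admin_edit_fixed(request):
    """Every entry point into the admin action checks the server-side role."""
    if not is_admin(request):
        raise Forbidden()
    if request.method == "GET":
        return "form"
    if request.method != "POST":
        raise Forbidden()
    PAGES["home"] = {"title": request.params["title"], "body": request.params["body"]}
    return "saved"
```

`admin_edit_fixed` still needs the CSRF token from the previous finding; the role check stops a non-admin from posting the edit directly, not an admin's browser from being made to post it.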
Stored XSS
----------

**Severity**: Medium

**Description**: Due to improper sanitization of page bodies, it is possible to embed stored XSS payloads in pages.

**Reproduction Steps**:

1. As an admin, visit the administration page
2. Put the following in the body: `<a ONmouseover="alert(1)">Hover over me</a>`
3. Save the page
4. Hover over the inserted text and note that an alert dialog is shown

**Impact**: Stored XSS here makes it possible for an attacker to compromise user sessions.

**Mitigation**: All user input must be properly HTML escaped before output. Where some tags are meant to be allowed, use a vetted third-party HTML sanitization library rather than a hand-written filter. The mixed-case `ONmouseover` in the payload suggests a case-sensitive filter on event-handler names; HTML attribute names are case-insensitive, so such a blacklist is trivially bypassed.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/3/admin

Stored XSS
----------

**Severity**: Medium

**Description**: Due to improper sanitization of page titles, it is possible to embed stored XSS payloads in pages.

**Reproduction Steps**:

1. As an admin, visit the administration page
2. Put the following in the title field: `</title><script>alert(1)</script>`
3. Save the page
4. Note that an alert dialog is shown

**Impact**: Stored XSS here makes it possible for an attacker to compromise user sessions.

**Mitigation**: All user input must be properly HTML escaped before output. The content of `<title>` is not parsed as markup, so the payload depends entirely on being able to close the element; escaping `<` removes that ability.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/3/admin

DOM XSS
-------

**Severity**: Medium

**Description**: The page title is taken from the window location hash and written into the page as HTML on the client side without sanitization, making it possible to inject arbitrary HTML into the page.

**Reproduction Steps**:

1. As an admin, visit the page `http://breaker-studentcenter.appspot.com/levels/3/#home"><script>alert(1);</script>`
2. Note that an alert dialog is shown

**Impact**: This makes it possible for an attacker to compromise the session of an admin user whom she can convince to visit the crafted URL. Because the payload sits in the fragment, it is never sent to the server and will not appear in server-side logs.

**Mitigation**: All user input must be properly HTML escaped before output on the client side as well, for example by writing the value as a text node rather than as markup.

**Affected Assets**: http://breaker-studentcenter.appspot.com/levels/3/
-------------------------------------------------------------------------------- /gae/static/report47.md: --------------------------------------------------------------------------------

Level4
======

Improper Identity Handling
--------------------------

**Severity**: Low

**Description**: Due to a lack of control over usernames, it is possible for multiple usernames to conflict, appearing as the same user.

**Reproduction Steps**:

1. In your Google Account, change your nickname to `daeken`
2. Make a post on the site
3. Note that it shows up under the name `daeken`, the administrator for the site

**Impact**: A malicious user can impersonate another user, leading to confusion.

**Mitigation**: The application should keep its own unique user name for each account, stored locally along with other user data, rather than displaying the Google Account nickname, which the user controls and which is not unique.
20 | 21 | **Affected Assets**: Systemic 22 | 23 | Systemic Information Disclosures 24 | -------------------------------- 25 | 26 | **Severity**: Low 27 | 28 | **Description**: The application is configured to show tracebacks upon unhandled exceptions, revealing system information. 29 | 30 | **Impact**: An attacker may be able to see system paths, code snippets, and other bits of data that could make other attacks easier or viable. 31 | 32 | **Mitigation**: Unhandled exceptions should show an "Internal Error" page rather than a traceback. 33 | 34 | **Affected Assets**: Systemic 35 | 36 | Unchecked Redirects 37 | ------------------- 38 | 39 | **Severity**: Low 40 | 41 | **Description**: The application redirects after submission of votes and deletes using a `from` field in the request. This can be set to any URL, allowing arbitrary redirection. 42 | 43 | **Reproduction Steps**: 44 | 45 | 1. Go to the delete page for a story you have submitted 46 | 2. Change the `from` field in the form to: `http://google.com/` 47 | 3. Submit the deletion 48 | 4. Note that you are redirected to Google's homepage 49 | 50 | **Impact**: An attacker could trick a user into utilizing a fake site, potentially compromising their login credentials. 51 | 52 | **Affected Assets**: 53 | 54 | 1. http://example.com/levels/4/delete 55 | 2. http://example.com/levels/4/vote 56 | 57 | 58 | Reflected XSS 59 | ------------- 60 | 61 | **Severity**: Medium 62 | 63 | **Description**: The application's delete function contains a number of inputs that are not properly escaped: `id`, `type`, and `from`. 64 | 65 | **Reproduction Steps**: 66 | 67 | 1. Go to http://example.com/levels/4/delete?id=4892534685827072&type=Story&from=%22%3E%3Cscript%3Ealert(1)%3B%3C/script%3E 68 | 2. Note that an alert dialog is shown 69 | 70 | **Impact**: This vulnerability allows an attacker to perform any tasks she desires, as an arbitrary user whom she convinces to click a link containing an XSS payload. 
71 | 72 | **Mitigation**: All user input must be escaped before displaying to the page, in order to properly mitigate XSS issues. 73 | 74 | **Affected Assets**: http://example.com/levels/4/delete 75 | 76 | Cross-Site Request Forgery 77 | -------------------------- 78 | 79 | **Severity**: High 80 | 81 | **Description**: The voting and deletion functionality are vulnerable to CSRF due to no session-specific random token being attached to the form. 82 | 83 | **Reproduction Steps**: 84 | 85 | 1. Go to the delete page for a story or comment 86 | 2. Note that no CSRF token is included in the request 87 | 88 | **Impact**: Due to the simple nature of this vulnerability, it's possible for an attacker to add students to the account of a victim whom he can convince to access a page controlled by the attacker. 89 | 90 | **Mitigation**: Proper CSRF tokens should be used on all forms and validated upon submission. In addition, in the case of voting, state-changing behavior should not be performed via GET. You can read more here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) 91 | 92 | **Affected Assets**: 93 | 94 | 1. http://example.com/levels/4/delete 95 | 1. http://example.com/levels/4/vote 96 | 97 | Stored XSS 98 | ---------- 99 | 100 | **Severity**: High 101 | 102 | **Description**: The domain field of submitted stories is not properly escaped when being displayed, making it possible to embed stored XSS payloads in pages. In addition, user nicknames are not escaped for output. 103 | 104 | **Reproduction Steps**: 105 | 106 | 1. Go to http://example.com/levels/4/submit 107 | 2. Enter a title and the following URL: `http://google.com![]() |
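The Unchecked Redirects finding above accepts any value in the `from` field as the post-submit destination. The check below is an added example written for this report, not code from the coursework application: it accepts only site-relative paths and otherwise falls back to a fixed landing path. `DEFAULT_AFTER` is a constructed value; the application's real landing path is not stated in the report.

```python
from urllib.parse import urlsplit

# Constructed fallback; the app's real post-delete landing path is not in the report.
DEFAULT_AFTER = "/levels/4/"


def is_local_redirect(target):
    """True only if `target` is a path on this site, never another host.

    Rejects absolute URLs, scheme-relative URLs (//host/...), a backslash
    after the leading slash (browsers treat it like a second slash), and
    CR/LF (which would break out of the Location header).
    """
    if not isinstance(target, str) or not target.startswith("/"):
        return False
    if target.startswith("//") or target.startswith("/\\"):
        return False
    if "\r" in target or "\n" in target:
        return False
    parts = urlsplit(target)
    # Belt and braces: anything urlsplit sees as a scheme or host is out.
    return not parts.scheme and not parts.netloc


def redirect_target(from_param, default=DEFAULT_AFTER):
    """Resolve the `from` parameter to a value that is safe to put in Location."""
    return from_param if is_local_redirect(from_param) else default
```

An allowlist of relative paths is simpler and safer than trying to compare hostnames, because the host comparison has to get scheme-relative URLs, userinfo (`http://site@evil`), and backslash variants right; the relative-path rule sidesteps all of them.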
(Mako template fragments from the templates preceding level2; file names and most markup lost in extraction)

${ post.by.nickname() | h } | ${ post.contents } | Permalink
Admin | Don't forget to check out https://hackerone.com/ for all the latest news!
${ post.by.nickname() | h } | ${ post.contents }
${ message | h }
% endif
Return
-------------------------------------------------------------------------------- /gae/templates/level2/edit.html: --------------------------------------------------------------------------------
Description: ${ profile.html_desc() }
% if editable:
Edit your profile
% endif
Link to your profile
-------------------------------------------------------------------------------- /gae/templates/level3/admin.html: --------------------------------------------------------------------------------
${ page.html_body }
-------------------------------------------------------------------------------- /gae/templates/level4/comments.html: --------------------------------------------------------------------------------
(level4 comment, story and delete templates: table markup lost in extraction; the only surviving template text is the confirmation prompt "Delete the requested content?")
```python
# (beginning of el11.py missing from the source)

def getsettings():
    return dict((k, v) for k, v in db.query('SELECT _key, value FROM el11_settings WHERE owner=%s', session['userid']))

def savesettings(settings):
    for k, v in settings.items():
        if len(db.query('SELECT value FROM el11_settings WHERE owner=%s AND _key=%s', session['userid'], k)):
            db.query('UPDATE el11_settings SET value=%s WHERE owner=%s AND _key=%s', v, session['userid'], k)
        else:
            db.query('INSERT INTO el11_settings (owner, _key, value) VALUES (%s, %s, %s)', session['userid'], k, v)

if not db.hastable('el11_settings'):
    db.maketable('el11_settings',
        owner='INT',
        _key='VARCHAR(1024)',
        value='VARCHAR(1024)'
    )
```
-------------------------------------------------------------------------------- /levels58/handlers/el12.py: --------------------------------------------------------------------------------
```python
from handler import *
from handler import exam1_auth as auth
import os, re

def format(body):
    def rep(match):
        title = match.group(1)
        # The anchor markup was lost in extraction; reconstructed here as a
        # page link (assumption about the exact href form).
        return '<a href="?page=%s">%s</a>' % (title, title)
    # Entity escapes restored; the scrape had decoded them into no-op replaces.
    body = body.replace('&', '&amp;').replace('"', '&quot;').replace('<', '&lt;').replace('>', '&gt;')
    body = re.sub(r'\[\[(.*?)\]\]', rep, body)
    return body.replace('\n', ' ')

@handler('exam1/el12/index')
@auth(2)
def get_index(page='Home'):
    path = 'el12_sandbox/%i/%s' % (session['userid'], page)
    if page == 'Home' and not os.path.exists(path):
        try:
            os.mkdir('el12_sandbox/%i' % session['userid'])
        except:
            pass
        with file(path, 'w') as fp:
            fp.write('Welcome to [[BreakerWiki]]!\n\nEnjoy your time here.')
    if os.path.exists(path):
        return dict(found=True, page=page, body=format(file(path, 'r').read()))
    else:
        return dict(found=False, page=page)

@handler('exam1/el12/edit')
@auth(2)
def get_edit(page):
    path = 'el12_sandbox/%i/%s' % (session['userid'], page)
    if not os.path.exists(path):
        redirect(get_create.url(page=page))
    return dict(body=file(path).read())

@handler
@auth(2)
def post_edit(page, body):
    if '../' in page:
        if db.query('SELECT level FROM exam1_users WHERE id=%s', session['userid'])[0][0] == 2:
            db.query('UPDATE exam1_users SET level=3 WHERE id=%s', session['userid'])
        return 'Writing to files outside the sandbox is forbidden. But level 3 is now unlocked!'

    with file('el12_sandbox/%i/%s' % (session['userid'], page), 'w') as fp:
        fp.write(body)

    redirect(get_index.url(page=page))

@handler('exam1/el12/create')
@auth(2)
def get_create(page=''):
    pass
```
-------------------------------------------------------------------------------- /levels58/handlers/el13.py: --------------------------------------------------------------------------------
```python
from handler import *
from handler import exam1_auth as auth

@handler('exam1/el13/index')
@auth(3)
def get_index(message=None):
    pass

@handler
@auth(3)
def post_message(name, message):
    db.query("INSERT INTO el13_messages (owner, name, message) VALUES (%i, '%s', '%s')" % (session['userid'], name, message))

    redirect(get_index.url(message='Message received!'))

@handler('exam1/el13/login')
@auth(3)
def get_login():
    pass

@handler
@auth(3)
def post_login(username, password):
    if len(db.query("SELECT id FROM el13_admins WHERE username=%s AND password=%s", username, password)):
        redirect(get_feedback)
    else:
        redirect(get_login)

@handler('exam1/el13/feedback')
@auth(3)
def get_feedback():
    return dict(messages=db.query('SELECT name, message FROM el13_messages ORDER BY id DESC'))

if not db.hastable('el13_messages'):
    db.maketable('el13_messages',
        owner='INT',
        name='VARCHAR(1024)',
        message='VARCHAR(1024)'
    )

if not db.hastable('el13_admins'):
    db.maketable('el13_admins',
        username='VARCHAR(1024)',
        password='VARCHAR(1024)'
    )
```
-------------------------------------------------------------------------------- /levels58/handlers/exam1.py: --------------------------------------------------------------------------------
```python
from handler import *
from handler import exam1_auth as auth

@handler('exam1/index')
def get_index(error=None):
    if auth(0, check=True):
        redirect(get_authed)
    return dict(error=error)

@handler
def post_create_user(username, password, confirm):
    if db.query('SELECT COUNT(id) FROM exam1_users WHERE username=%s', username)[0][0] == 1:
        redirect(get_index.url(error='Username is taken'))

    if password != confirm:
        redirect(get_index.url(error='Passwords do not match'))

    db.query('INSERT INTO exam1_users (username, password, creation, level) VALUES (%s, %s, %s, 0)', username, password, datetime.now().isoformat())

    session['userid'] = db.query('SELECT id FROM exam1_users WHERE username=%s', username)[0][0]

    redirect(get_authed)

@handler
def post_login(username, password):
    data = db.query('SELECT id FROM exam1_users WHERE username=%s AND password=%s', username, password)
    if len(data) == 1:
        session['userid'] = data[0][0]
        redirect(get_authed)
    else:
        redirect(get_index.url(error='Username/password incorrect'))

@handler('exam1/authed')
@auth(0)
def get_authed():
    iso, level = db.query('SELECT creation, level FROM exam1_users WHERE id=%s', session['userid'])[0]
    try:
        date = datetime.strptime(iso, '%Y-%m-%dT%H:%M:%S')
    except:
        date = datetime.strptime(iso, '%Y-%m-%dT%H:%M:%S.%f')
    delta = 14400 - (datetime.now() - date).seconds
    return dict(hours=delta // 60 // 60, minutes=(delta // 60) % 60, level=level)

if not db.hastable('exam1_users'):
    db.maketable('exam1_users',
        username='VARCHAR(1024)',
        password='VARCHAR(1024)',
        creation='VARCHAR(1024)',
        level='INT',
    )
```
-------------------------------------------------------------------------------- /levels58/handlers/level5.py: --------------------------------------------------------------------------------
```python
import commands, os
from handler import *
from glob import glob
from os.path import isfile, isdir

@handler('level5/index')
def get_index(path='/'):
    if not isdir('level5_docs/' + path):
        return 'No such directory: ' + path

    if not path.endswith('/'):
        path += '/'
    dirs = []
    files = []
    for fn in glob('level5_docs/' + path + '*'):
        if isdir(fn):
            dirs.append(fn.rsplit('/', 1)[1])
        else:
            files.append(fn.rsplit('/', 1)[1])

    return dict(path=path, dirs=dirs, files=files)

@handler
def get_read(path):
    path = path.replace('../', '')
    try:
        return Response(file('level5_docs/' + path).read(), mimetype='text/plain')
    except:
        return 'No such file: ' + path

@handler
def post_search(path, text):
    old = os.getcwd()
    try:
        os.chdir('level5_docs/' + path)
        out = commands.getoutput('grep -r "%s" .' % text)
    finally:
        os.chdir(old)
    # Entity escapes restored; the scrape had decoded them into no-op replaces.
    return out.replace('<', '&lt;').replace('>', '&gt;').replace('\n', ' ')
```
-------------------------------------------------------------------------------- /levels58/handlers/level6.py: --------------------------------------------------------------------------------
```python
from handler import *

@handler('level6/index')
def get_index(filter=''):
    if db.query('SELECT COUNT(id) FROM students WHERE sessid=%s;', handler.sessid())[0][0] == 0:
        def add(firstname, lastname):
            db.query('INSERT INTO `students` (firstname, lastname, sessid) VALUES (%s, %s, %s);', firstname, lastname, handler.sessid())

        add('John', 'Doe')
        add('Cody', 'Brocious')
        add('Testy', 'McTesterson')

    print filter
    return dict(filter=filter, students=db.query("SELECT id, lastname, firstname FROM students WHERE sessid='%s' AND (firstname LIKE '%%%%%s%%%%' OR lastname LIKE '%%%%%s%%%%');" % (handler.sessid(), filter, filter)))

@handler('level6/edit')
def get_edit(id):
    return dict(student=db.query("SELECT id, lastname, firstname FROM students WHERE id='%s';" % id)[0])

@handler
def post_edit(id, firstname, lastname):
    student = db.query('SELECT sessid FROM students where id=%s', id)
    if student[0][0] != handler.sessid():
        return 'Student does not belong to your account.'

    db.query('UPDATE students SET lastname=%s, firstname=%s WHERE id=%s', lastname, firstname, id)

    redirect(get_index)

@handler('level6/add')
def get_add():
    pass

@handler(CSRFable=True)
def post_add(firstname, lastname):
    db.query("INSERT INTO `students` (firstname, lastname, sessid) VALUES ('%s', '%s', '%s');" % (firstname, lastname, handler.sessid()))

    redirect(get_index)

if not db.hastable('students'):
    db.maketable('students',
        lastname='VARCHAR(1024)',
        firstname='VARCHAR(1024)',
        sessid='CHAR(16)'
    )
```
-------------------------------------------------------------------------------- /levels58/handlers/level7.py: --------------------------------------------------------------------------------
```python
from handler import *

@handler('level7/index')
def get_index(error=None, username='admin', password=''):
    return dict(error=error, username=username, password=password)

@handler
def post_index(username, password):
    try:
        user = db.query("SELECT password FROM users WHERE username='%s'" % username)
    except Exception, e:
        import traceback
        return Response(traceback.format_exc() + '\n' + e[1], mimetype='text/plain')

    if len(user) == 0:
        redirect(get_index.url(error='User does not exist', username=username, password=password))
    elif user[0][0] == password:
        redirect(get_success.url(username=username))
    else:
        redirect(get_index.url(error='Invalid password', username=username, password=password))

@handler('level7/success')
def get_success(username):
    return dict(username=username)

if not db.hastable('users'):
    db.maketable('users',
        username='VARCHAR(1024)',
        password='VARCHAR(1024)'
    )
```
-------------------------------------------------------------------------------- /levels58/handlers/level8.py: --------------------------------------------------------------------------------
```python
from handler import *

@handler('level8/index')
def get_index():
    return dict(docs=db.query('SELECT id, name, mimetype FROM documents WHERE sessid=%s', handler.sessid()))

@handler
def post_index(name, doc):
    fn, mime = doc.filename, doc.mimetype

    doc.save('level8_sandbox/' + fn)

    db.query("INSERT INTO documents (name, filename, mimetype, sessid) VALUES ('%s', '%s', '%s', '%s')" % (name, fn, mime, handler.sessid()))

    redirect(get_index)

inlinable = 'image/jpeg image/png text/plain'.split(' ')

@handler
def get_view(id, download='None'):
    download = eval(download)

    (filename, mimetype), = db.query('SELECT filename, mimetype FROM documents WHERE sessid=%s AND id=%s', handler.sessid(), id)

    if download == None and mimetype not in inlinable:
        download = True

    if download:
        handler.header('Content-Disposition', 'attachment; filename=' + filename)

    handler.header('Content-Type', mimetype)

    return file('level8_sandbox/' + filename, 'rb').read()

if not db.hastable('documents'):
    db.maketable('documents',
        name='VARCHAR(1024)',
        filename='VARCHAR(1024)',
        mimetype='VARCHAR(1024)',
        sessid='CHAR(16)'
    )
```
-------------------------------------------------------------------------------- /levels58/level5_docs/42.txt: --------------------------------------------------------------------------------
Lorem ipsum dolor sit amet, consectetur adipiscing elit. Quisque pellentesque est vitae adipiscing tincidunt. Curabitur ut mattis neque. Integer sed tellus ac nisl dapibus vestibulum. Phasellus eget mattis lectus. Praesent quis bibendum nulla. Proin pulvinar dui vitae quam porttitor, non sagittis est vehicula. Duis porta risus id dictum varius. Suspendisse elementum ac nisl quis commodo.
Curabitur luctus nisl quis orci tristique, a iaculis quam molestie. Vestibulum ante ipsum primis in faucibus orci luctus et ultrices posuere cubilia Curae; Sed dignissim dui in elit fermentum commodo quis quis quam. Aliquam massa nibh, accumsan nec consectetur at, consectetur tincidunt orci. Vivamus euismod venenatis congue. Quisque cursus hendrerit commodo. Donec ut tempor odio. 2 | 3 | Sed pellentesque, felis sit amet bibendum pharetra, dui sem posuere ligula, at iaculis nulla risus ut lorem. Phasellus mattis tristique malesuada. Aliquam sodales odio non nulla consectetur, nec facilisis diam euismod. Aliquam pretium tincidunt magna, non iaculis sapien varius vel. Phasellus ornare leo vitae ullamcorper pulvinar. In a nisl volutpat felis luctus malesuada a eu sem. Vestibulum bibendum, purus quis vehicula ultricies, lectus urna molestie nulla, suscipit fermentum massa odio pharetra elit. Maecenas eget vestibulum nisi. 4 | 5 | Proin aliquet interdum felis, nec ultrices augue fermentum nec. Praesent est felis, pellentesque non ornare id, ultricies sit amet ante. Quisque feugiat enim non ante euismod convallis. Pellentesque tempus hendrerit massa, et tempus nibh pellentesque et. Vestibulum viverra ante libero, eu bibendum quam suscipit ac. Cras molestie sem ut turpis sodales elementum a in lorem. Aliquam erat volutpat. Proin quis vulputate eros. Quisque pretium purus quis nunc volutpat, ac rutrum turpis vestibulum. 6 | 7 | Curabitur sagittis ullamcorper massa a gravida. Phasellus non eros quis purus rhoncus sodales. Suspendisse a tellus at tortor dapibus vehicula a sit amet neque. Morbi bibendum luctus laoreet. In hac habitasse platea dictumst. Maecenas pulvinar congue hendrerit. Etiam at leo libero. 8 | 9 | Vivamus varius felis quis metus tristique, ac auctor libero lobortis. Nam vel imperdiet elit. Maecenas laoreet nisl tortor, sit amet facilisis nibh feugiat in. Nam aliquam massa ac justo tempor, sit amet semper lorem laoreet. Aliquam condimentum lacinia faucibus. 
Morbi scelerisque facilisis bibendum. Ut id ipsum quis augue dignissim ornare at et risus. Sed egestas neque eu tortor molestie, nec pretium velit ultrices. Praesent tincidunt leo id ligula pharetra bibendum. Ut nisi neque, malesuada a eros in, rhoncus tristique eros. Curabitur et lectus sed lorem iaculis fringilla vitae sit amet dolor. 10 | 11 | Pellentesque lacinia, urna et consequat tempus, neque magna fermentum sapien, a tempor urna arcu at sem. Pellentesque eu leo quis nisl elementum ullamcorper nec a magna. Praesent nibh nibh, sagittis ut turpis eget, vestibulum vehicula nunc. Aliquam ut convallis velit, ac placerat ante. Suspendisse ut nisi vel dolor cursus laoreet id sed erat. Proin consequat cursus sem, sed varius massa ultricies at. Nunc eu lorem quis justo cursus sodales. Donec consectetur luctus nisi ac blandit. Proin vel lorem molestie, vestibulum enim non, luctus justo. 12 | 13 | Praesent at sem ligula. Nulla condimentum nisl at neque pellentesque iaculis. Donec sed vehicula dolor. In imperdiet sapien mi, quis luctus arcu dignissim vel. Mauris id congue nisi. Pellentesque habitant morbi tristique senectus et netus et malesuada fames ac turpis egestas. Nulla et tortor bibendum, tempus nibh id, hendrerit massa. Maecenas volutpat ligula quam, non pharetra velit aliquam luctus. 14 | 15 | Nunc imperdiet tortor ut nulla mollis aliquet. Mauris lobortis luctus commodo. Nam id nisl et massa luctus mattis in id nisl. Cum sociis natoque penatibus et magnis dis parturient montes, nascetur ridiculus mus. Quisque aliquet vitae augue ut commodo. Praesent id elit sed odio faucibus consectetur. Sed quis sapien quis est hendrerit blandit posuere non urna. Praesent gravida nulla mauris, sit amet semper odio sodales vel. Vestibulum in sem aliquet amet. 
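The handlers in `levels58/handlers/` above deliberately carry the bugs the exercises are built around: level5's `get_read` strips `../` from the path instead of checking where the path resolves, `post_search` hands user text to a shell via `commands.getoutput`, and level6, level7, level8 and el13 build SQL with `%` string formatting. As an added example (not the coursework's own code), the Python 3 functions below show the hardened form of each pattern. The sqlite3 schema, the sample rows and the temporary document root are constructed for the demonstration; the `students` column layout mirrors level6's table.

```python
import html
import os
import shutil
import sqlite3
import subprocess
import tempfile


def resolve_under_root(root, user_path):
    """Map a user-supplied path onto a file below `root`, or raise ValueError.

    Removing '../' from the string (as level5's get_read does) is a filter,
    not a containment check. Resolving the joined path and comparing it
    with the resolved root is the check.
    """
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, user_path.lstrip("/")))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise ValueError("path escapes document root: %r" % user_path)
    return candidate


def read_document(root, user_path):
    with open(resolve_under_root(root, user_path), "rb") as fp:
        return fp.read()


def search_documents(root, text):
    """Shell-free replacement for level5's post_search.

    Arguments travel as an argv list, so `text` is never parsed by a shell;
    '--' stops grep from reading a leading '-' in `text` as an option.
    Output is HTML-escaped before it can reach a template.
    """
    proc = subprocess.run(
        ["grep", "-r", "--", text, "."],
        cwd=resolve_under_root(root, "/"),
        capture_output=True, text=True, check=False,
    )
    return html.escape(proc.stdout).replace("\n", " ")


def find_students(conn, sessid, name_filter):
    """Parameterised version of level6's filtered student query.

    Values are bound as parameters, and LIKE metacharacters in the filter
    are escaped so the filter matches literally.
    """
    escaped = (name_filter.replace("\\", "\\\\")
                          .replace("%", "\\%")
                          .replace("_", "\\_"))
    pattern = "%" + escaped + "%"
    return conn.execute(
        "SELECT id, lastname, firstname FROM students "
        "WHERE sessid = ? AND (firstname LIKE ? ESCAPE '\\' "
        "OR lastname LIKE ? ESCAPE '\\') ORDER BY id",
        (sessid, pattern, pattern),
    ).fetchall()


def build_demo_db():
    # Constructed in-memory stand-in for the coursework's `students` table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE students (id INTEGER PRIMARY KEY, "
                 "lastname TEXT, firstname TEXT, sessid TEXT)")
    conn.executemany(
        "INSERT INTO students (lastname, firstname, sessid) VALUES (?, ?, ?)",
        [("Doe", "John", "sess-A"), ("Brocious", "Cody", "sess-A"),
         ("McTesterson", "Testy", "sess-B")])
    conn.commit()
    return conn


def demo():
    """Exercise the helpers on constructed data and return the results."""
    root = tempfile.mkdtemp()          # constructed document root
    with open(os.path.join(root, "42.txt"), "w") as fp:
        fp.write("Lorem ipsum")
    results = {"read_ok": read_document(root, "/42.txt")}
    try:
        read_document(root, "../../outside.txt")
        results["traversal_blocked"] = False
    except ValueError:
        results["traversal_blocked"] = True
    results["search"] = (search_documents(root, "Lorem")
                         if shutil.which("grep") else None)
    conn = build_demo_db()
    results["filter_o"] = [r[2] for r in find_students(conn, "sess-A", "o")]
    results["filter_quote"] = find_students(conn, "sess-A", "' OR '1'='1")
    results["filter_wildcard"] = find_students(conn, "sess-B", "%")
    shutil.rmtree(root)
    return results
```

Two design points: `realpath` on both sides before `commonpath` is what makes the containment check hold through symlinks and `..` segments, and the `ESCAPE` clause is what turns a user-typed `%` into a literal match rather than a second wildcard; with bound parameters the quote in `' OR '1'='1` is just a character in the pattern.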
-------------------------------------------------------------------------------- /levels58/level8_sandbox/keep_me: --------------------------------------------------------------------------------
https://raw.githubusercontent.com/Hacker0x01/Hacker101Coursework/822efa707eaca9094720c26dd183e0a1d8ba63e7/levels58/level8_sandbox/keep_me
-------------------------------------------------------------------------------- /levels58/main.py: --------------------------------------------------------------------------------
```python
import os
from flask import Flask, request
import handler
import handlers
from handlers import *

app = Flask(__name__)
app.debug = False
app.secret_key = key = 'aspdfojdpojsdapfowjfpoajpeopjafpowejcapocjpeo'

def reroute(noId, withId):
    def sub(id=None, *args, **kwargs):
        try:
            if id == None:
                return noId(*args, **kwargs)
            else:
                return withId(id, *args, **kwargs)
        except:
            import traceback
            traceback.print_exc()
    sub.func_name = '__reroute_' + noId.func_name
    return sub

for module, sub in handler.all.items():
    for name, (method, args, rpc, (noId, withId)) in sub.items():
        if module == 'index':
            route = '/'
            trailing = True
        else:
            route = '/%s' % module
            trailing = False
        if name != 'index':
            if not trailing:
                route += '/'
            route += '%s' % name
            trailing = False

        if noId != None and withId != None:
            func = reroute(noId, withId)
        elif noId != None:
            func = noId
        else:
            func = withId

        if withId != None:
            iroute = route
            if not trailing:
                iroute += '/'
            # iroute += '  ... (remainder of main.py is missing from the source)
```
(template fragment; file name lost in extraction, the exam1 "authed" page)

Exam 1

Time remaining: {{ hours }} hours, {{ minutes }} minutes.

I recommend that you go level-by-level, but if you find yourself getting hung up on one of the levels, skip around.
Levels are unlocked by certain actions in each one, but that doesn't necessarily mean that you found all the bugs in that level, especially XSS, CSRF, and the like.

Due to the nature of the vulnerabilities you're testing, it's entirely possible that you could compromise the integrity of pretty much every control that's in place here. That means that you could extend the timeframe you have for the exam, and things like that. Please don't do that!

You can email your report to cody.brocious+course@gmail.com with the subject [Coursework] Exam 1. Thanks!
(template fragment; file name lost in extraction)

Breaker 101 Guestbook
-------------------------------------------------------------------------------- /levels58/templates/exam1/el10/index.html: --------------------------------------------------------------------------------
Breaker 101 Guestbook
{% if message %}
{{ message | safe }}
{% endif %}
{% for id, name, email, body, date in posts %}
(post markup lost in extraction)
{% if 'el10_admin' not in session or session['el10_admin'] == False %}
Admin login
{% else %}
Admin logout
{% endif %}
-------------------------------------------------------------------------------- /levels58/templates/exam1/el11/index.html: --------------------------------------------------------------------------------
Breaksys Router Login
{% if message %}
{{ message }}
{% endif %}
{% if not admin %}
(form markup lost in extraction)
{% else %}
Logged in as {{ settings['admin_username'] | safe }}. Log out
{% endif %}
Status
(markup lost in extraction)
Diagnostics
(markup lost in extraction)
{% endif %}
-------------------------------------------------------------------------------- /levels58/templates/exam1/el12/create.html: --------------------------------------------------------------------------------
Create Page
(form markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/exam1/el12/edit.html: --------------------------------------------------------------------------------
Edit {{ page }}
(form markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/exam1/el12/index.html: --------------------------------------------------------------------------------
{{ page }}
{% if not found %}
Page does not exist. Create it
{% else %}
{{ body | safe }}
Edit this page or create a new page
{% endif %}
-------------------------------------------------------------------------------- /levels58/templates/exam1/el13/feedback.html: --------------------------------------------------------------------------------
Breaker Feedback
{% for name, message in messages %}
(row markup lost in extraction)
{% endfor %}
-------------------------------------------------------------------------------- /levels58/templates/exam1/el13/index.html: --------------------------------------------------------------------------------
Breaker Feedback
{% if message %}
{{ message | safe }}
{% endif %}
Leave feedback for the admins below:
(form markup lost in extraction)
Log in to read submitted feedback
-------------------------------------------------------------------------------- /levels58/templates/exam1/el13/login.html: --------------------------------------------------------------------------------
Breaker Feedback
(form markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/exam1/index.html: --------------------------------------------------------------------------------
Exam 1
Welcome to the first exam. Create a user or login to continue. The user system is not known to be buggy (not that I expect that will deter any of you from trying to break it!)
Note well: Once you create an account, you only have 4 hours of testing before you get locked out of the system! Make your time count, and make sure that you do all the coursework before attempting the exam.
{% if error != None %}
{{ error }}
{% endif %}
Create user
(form markup lost in extraction)
Log In
(form markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/level5/index.html: --------------------------------------------------------------------------------
Document Repository -- {{ path }}
(markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/level6/add.html: --------------------------------------------------------------------------------
Add Student
(form markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/level6/edit.html: --------------------------------------------------------------------------------
Edit student {{ student[1] }}, {{ student[2] }}
(form markup lost in extraction)
-------------------------------------------------------------------------------- /levels58/templates/level6/index.html: --------------------------------------------------------------------------------
Student Center
Add Student
(markup lost in extraction)
(template fragment; file name lost in extraction, presumably level7's login page)
Guardian
(form markup lost in extraction)
{% if error is not none %}
{{ error }}
{% endif %}
-------------------------------------------------------------------------------- /levels58/templates/level7/success.html: --------------------------------------------------------------------------------
Guardian
Successfully logged in as user {{ username }}! Congrats on beating level7.
-------------------------------------------------------------------------------- /levels58/templates/level8/index.html: --------------------------------------------------------------------------------
Document Exchange
(markup lost in extraction)