# This is an intentionally vulnerable Flask application.
# The vulnerabilities here are used to test the taint analysis system.
import flask
from . import taint_import
# Single Flask instance that every route below is registered on.
# "ratata" is only the import_name handed to Flask; nothing else refers to it.
app = flask.Flask("ratata")
class Unsecure:
    """Helper that feeds attacker-controlled text to eval() via instance state.

    Intentionally insecure: both methods are eval() sinks used by the
    taint-analysis test-suite (see /vuln6). Never reuse outside these tests.
    """

    def __init__(self):
        # Payload for run(); None means "nothing has been assigned yet".
        self.code = None

    @classmethod
    def eval_arg(cls):
        """eval() the ``src`` query parameter (default 'pass') and return True.

        Source: flask.request.args. Sink: eval(). No sanitisation -- deliberate.
        """
        payload = flask.request.args.get('src', 'pass')
        eval(payload)  # deliberate sink: untrusted request data
        return True

    def run(self):
        """eval() ``self.code`` if it has been set.

        Returns False when ``self.code`` is still None, True after evaluating
        it. ``self.code`` is attacker-controlled wherever a caller copies
        request data into it, so this is a deliberate eval() sink as well.
        """
        if self.code is None:
            return False
        eval(self.code)  # deliberate sink
        return True
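@app.route("/vuln1")
def xss_arg():
    """
    XSS via URL parameter.

    The ``data`` query parameter (source: flask.request.args) is returned
    verbatim as ``text/html`` (sink: response body) with no escaping --
    deliberate. Returns a 200 response whose body is the raw parameter.
    """
    # Default to '' so a request without ``data`` yields an empty 200 instead
    # of make_response(None, 200), which Flask rejects with a TypeError (500).
    # The value is still untrusted; the default only removes the crash.
    data = flask.request.args.get('data', '')
    resp = flask.make_response(data, 200)
    resp.headers['Content-Type'] = 'text/html'
    return resp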
@app.route("/vuln2")
def xss_form():
    """
    XSS via form parameter.

    Echoes the ``input_data`` form field (source: flask.request.form) back as
    the response body (sink) without escaping -- deliberate. A request that
    lacks the field raises BadRequestKeyError (HTTP 400) from the ``[]`` lookup.
    """
    # Source and sink on one line; nothing in between sanitises the value.
    return flask.request.form['input_data']
@app.route('/vuln3')
def drive_by():
    """
    Arbitrary (open) redirect via URL parameter.

    The ``secret_value`` query parameter (source: flask.request.args) becomes
    the Location of a 302 redirect (sink) with no allow-list -- deliberate.
    """
    target = flask.request.args.get('secret_value')
    # No default: a request without the parameter hands None to redirect();
    # what werkzeug does with that is not something callers should rely on.
    return flask.redirect(target, code=302)
@app.route('/vuln4')
def vuln4():
    """
    XSS via string concatenation.

    Source: the ``name`` query parameter (flask.request.args, default
    'John Doe'). Sink: the HTML response body, built with ``+`` so the
    analyzer has to carry taint through concatenation. No escaping --
    deliberate; keep the expression in this exact shape.
    """
    return "<h1>" + flask.request.args.get('name', 'John Doe') + '!</h1>'
@app.route('/vuln5')
def vuln5():
    """
    Tainted input defined at the end of the for-loop.

    On the first iteration ``name`` is None and is set from the ``src`` query
    parameter (default 'pass'); every later iteration passes that value to
    eval(). The analyzer must follow the loop back-edge to see the flow.
    The view returns None, so Flask rejects the response with a TypeError;
    this route exists for static analysis, not for serving.
    """
    name = None
    for _ in range(5): # TODO: handle this case
        if name is not None:
            eval(name)  # sink: reached from the second iteration on
        else:
            name = flask.request.args.get('src', 'pass')  # source
@app.route('/vuln6')
def vuln6():
    """
    eval() of tainted data routed through an object.

    First ``Unsecure.eval_arg`` reads and evaluates the ``src`` query
    parameter directly; then the same parameter is stored on ``obj.code``
    and evaluated by ``obj.run()``, so the analyzer must track taint through
    instance state. Returns the literal "Hello world". Statement order is
    the point of this fixture.
    """
    obj = Unsecure()
    obj.eval_arg()  # sink via the classmethod
    obj.code = flask.request.args.get('src', 'pass')  # source -> attribute
    obj.run()  # sink: eval(obj.code)
    return "Hello world"
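@app.route('/vuln7/<command>')
def vuln7(command):
    """
    eval() of a URL path segment.

    ``command`` is the untyped ``<command>`` route variable (source) and is
    passed straight to eval() (sink) -- deliberate. Returns "Hello world" so
    the route produces a valid response; a view that returns None makes
    Flask raise a TypeError (HTTP 500) after the sink has already fired.
    """
    eval(command)  # deliberate sink: untrusted path data
    return "Hello world"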
@app.route('/vuln8')
def vuln8():
    """Render main_xss.html with ``name`` from the ``name`` query parameter.

    Source: flask.request.args (default 'Spiderman'). Sink: the template
    context. Whether this is exploitable depends on the template and on
    autoescaping, neither of which is visible here.
    """
    return flask.render_template(
        "main_xss.html",
        name=flask.request.args.get('name', 'Spiderman'),
    )
@app.route('/vuln9')
def vuln9():
    """Render main_xss.html with a name sourced in another module.

    Checks that taint introduced inside ``taint_import.get_username()`` (not
    visible here) is carried across the module boundary into the template
    context.
    """
    return flask.render_template(
        'main_xss.html',
        name=taint_import.get_username(),  # tainted in the other module
    )
@app.route('/not_vuln1/<int:command>')
def not_vuln1(command):
    """
    Negative case: the ``<int:command>`` converter makes Flask turn the path
    segment into an int before the view runs, so ``command`` is an int, not
    attacker text, and the analyzer should NOT report the eval() below.

    At runtime eval() of an int raises TypeError (it accepts only str, bytes
    or a code object) and the view returns None; static-analysis only.
    """
    eval(command)
@app.route('/not_vuln2/<command>')
def not_vuln2(command):
    """
    Negative case: ``command`` is untrusted path text, but ``int()`` acts as
    a sanitizer -- only a numeric value survives -- so the analyzer should
    NOT report the eval() of ``c``.

    At runtime int() raises ValueError on non-numeric input and eval() of an
    int raises TypeError; the view also returns None. Static-analysis only.
    """
    c = int(command)  # sanitizer: an int cannot carry code
    eval(c)
@app.route('/test1')
def test1():
    """Render a template that does not exist.

    Not a taint fixture: render_template raises TemplateNotFound for the
    missing file, presumably to exercise error handling in the analyzer.
    """
    missing_template = 'doesn_not_exists.html'
    return flask.render_template(missing_template)
# NOTE(review): starts the dev server at import time, and debug=True enables
# the Werkzeug interactive debugger -- arbitrary code execution for anyone who
# can reach it. Acceptable only as a local test fixture; never deploy as-is.
app.run(debug=True)