Looking at the validate_request() function, we see that the code will return a string value of either “Valid” or “Invalid”. Since we know that the account_secret_phrase() function is working, let’s see how this method implements the validation feature. A quick review of the code shows that line 38 begins a basic IF statement. This IF statement calls the validate_request() method and compares the returned value to the string “Valid”. If the returned value is “Valid”, the application will return the value of the secret phrase request.

Looking at the account_password() function, we can also see a similar IF statement starting at line 48. However, there is a key difference between how account_secret_phrase() and account_password() implement this IF statement. Unlike line 38, which compares the return value of “validate_request” to the known “Valid” string, line 48 does not.

This lack of a basic comparison is the culprit of our vulnerability!

An interesting fact will stand out if we look at how Python processes strings. Given a valid string in a boolean operation, the Python interpreter will treat a non-empty string as True!

To fix our code, we needed to implement the string comparison, as seen in account_secret_phrase().

The fix has already been implemented, and the access control vulnerability is gone. However, please don’t take our word for it. Test it yourself.

While this is a minor mistake, we can see how damaging the impacts are. Even with a relatively simple application, we see how easy it is to create unintended vulnerabilities in our code. This further highlights the importance of creating code securely. Writing code shouldn’t be a one-step process. Rather, secure coding consists of many steps, including internal source code reviews, internal penetration tests, and even external validation processes such as third-party penetration tests.