Before we can identify any vulnerabilities within our code, we need to obtain a proper understanding of the code. Let’s discuss the intended flow of the code, starting with the login function.
Instructions
When a user submits their credentials, the login()
function, defined on line 60, will execute. This function takes a username and password, hashes the password, and compares those to the creds dictionary, defined on line 10. As mentioned, this is a simple application. Thus the data storage method in use is relatively basic. In a larger application, this dictionary would likely be replaced by a database of some sort.
Assuming the credentials provided match the stored records, the application will return a session cookie, which is used by the application to determine if a user is logged in and who that user is logged in as.
Once the cookie is created, the user is redirected to the /account_secret_phrase
endpoint.
This endpoint, much like the /account_password
endpoint, is designed to be restricted to the user related to their ID. In this case, user1 should have access to all attributes associated with id = 1, and admin should have access to all attributes associated with id = 2. Neither user should be able to access the other’s data.
To ensure that these controls are enforced, we have the validate_request()
function on line 13. This function will take the id parameter and the session cookie and check to see if the provided cookie aligns with the requested id. If the request is valid, the code returns the string “Valid”. However, if the requested combination is invalid, the code returns the string “Not Valid”. The account_secret_phrase()
and the account_password()
codes leverage this function.
This application is relatively simple. Two of these provided endpoints are designed to be protected; one is designed to be publicly accessible. The following table helps map out these attributes in a summarized manner.
Endpoint | Purpose | Access Type | Expected Parameter |
---|---|---|---|
account_user | Display a Username Based on the Provided ID | Unauthenticated/Public | id |
- | - | - | - |
acount_secret_phrase | Display a User’s Secret Phrase | Authenticated/Private (Accessible only to user) | id |
- | - | - | - |
account_password | Display a Password Hash | Authenticated/Private (Accessible only to user) | id |
Take some time to explore the code and the application.
Next, we’ll look at how this code is vulnerable and exploit the vulnerability!