Our last exercise found that the validation code surrounding the account_password feature was not properly securing individual accounts. To understand why, let's dive into the account_page_password methods. Additionally, we'll look at the account_secret_phrase method, as we know this function is properly restricting users' access. Once we understand why the code is broken, the fix can be implemented easily.
Looking at the validate_request() function, we see that the code will return a string value of either "Valid" or "Invalid". Since we know that the account_secret_phrase() function is working, let's see how this method implements the validation feature. A quick review of the code shows that line 38 begins a basic IF statement. This IF statement calls the validate_request() method and compares the returned value to the string "Valid". If the returned value is "Valid", the application will return the value of the secret phrase request.
Looking at the account_password() function, we can also see a similar IF statement starting at line 48. However, there is a key difference in how account_password() implements this IF statement. Unlike line 38, which compares the return value of validate_request() to the known "Valid" string, line 48 does not.
This lack of a basic comparison is the culprit of our vulnerability!
An interesting fact stands out if we look at how Python evaluates strings. When a string is used in a boolean context, the Python interpreter treats any non-empty string as True! That means the return value "Invalid" passes the IF statement on line 48 just as readily as "Valid" does, so the access check never actually fails.
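The following is an added example, not the exercise's own code: it models a validate_request() that returns the "Valid"/"Invalid" strings described above, places the line 38 pattern (explicit comparison) next to the line 48 pattern (no comparison), and shows the fix. The account store and the "tok-<user>" session token scheme are constructed assumptions.

```python
# Constructed sample store: user -> credentials (assumption, not the exercise's data)
ACCOUNTS = {
    "alice": {"password": "hunter2", "secret_phrase": "correct horse battery staple"},
}


def validate_request(user: str, token: str) -> str:
    """Mimics the page's validate_request(): returns the STRING "Valid" or
    "Invalid", never a boolean. Token scheme is an assumption: "tok-" + user."""
    if user in ACCOUNTS and token == f"tok-{user}":
        return "Valid"
    return "Invalid"


def account_secret_phrase(user: str, token: str):
    # Working pattern (page's line 38): compare the returned string to "Valid".
    if validate_request(user, token) == "Valid":
        return ACCOUNTS[user]["secret_phrase"]
    return None


def account_password_vulnerable(user: str, token: str):
    # Broken pattern (page's line 48): no comparison. "Invalid" is a non-empty
    # string, so Python treats it as True and the check passes for any token.
    if validate_request(user, token):
        return ACCOUNTS.get(user, {}).get("password")
    return None


def account_password_fixed(user: str, token: str):
    # The fix: the same explicit comparison that line 38 already uses.
    if validate_request(user, token) == "Valid":
        return ACCOUNTS[user]["password"]
    return None


def truthiness_demo():
    # The interpreter behaviour behind the bug: non-empty strings are truthy.
    return bool("Invalid"), bool("")


if __name__ == "__main__":
    print(account_password_vulnerable("alice", "wrong-token"))  # hunter2 (leak)
    print(account_password_fixed("alice", "wrong-token"))       # None
    print(account_secret_phrase("alice", "wrong-token"))        # None
```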
To fix our code, we needed to implement the string comparison, as seen in
The fix has already been implemented, and the access control vulnerability is gone. However, please don’t take our word for it. Test it yourself.
While this is a minor mistake, we can see how damaging its impact can be. Even with a relatively simple application, we see how easy it is to create unintended vulnerabilities in our code. This further highlights the importance of writing code securely. Writing code shouldn't be a one-step process. Rather, secure coding consists of many steps, including internal source code reviews, internal penetration tests, and even external validation processes such as third-party penetration tests.