MP3 - SQLi, XSS, and CSRF WriteUp

Blizine Admin

134A6_Thoughts · Posted on May 30

Tags: #python #security #sql #webdev

## Introduction

For Machine Problem 3, our group (Aki, Lark, and Carl) was tasked with finding and fixing security vulnerabilities in a sample web application written in Python (Flask) with sqlite3 as its database. The application has a login page and a posts page where users can view and create their own posts.

Our scope was limited to SQL injection, CSRF, and XSS, though we also fixed related issues we came across. Going through the code, we found seven SQL injection vulnerabilities, two CSRF vulnerabilities, and one XSS vulnerability. Each one is documented below along with the fix we applied.

## SQL Injection

### The Problem

The original application built SQL queries by concatenating user input directly into query strings. Because the database cannot tell where the query ends and the data begins, an attacker can type SQL into any input field, or tamper with cookies that end up in a query, and change what the query does.

### SQLi-1 — Login Bypass via Password Field

Vulnerable code:

```python
res = cur.execute(
    "SELECT id from users WHERE username = '"
    + request.form["username"]
    + "' AND password = '"
    + request.form["password"]
    + "'"
)
```

How an attacker does it:

On the login page, the attacker enters `alice` as the username and `' OR '1'='1` as the password. The app pastes the input directly into the query, producing:

```sql
SELECT id from users WHERE username = 'alice' AND password = '' OR '1'='1'
```

Because `AND` binds more tightly than `OR`, the database evaluates the condition as:

```sql
WHERE (username = 'alice' AND password = '') OR ('1' = '1')
```

`'1'='1'` is always true, so the `WHERE` clause matches every user row and the query returns an id regardless of the password. The app treats the first row returned as the logged-in user, so the attacker is logged in without ever knowing alice's password.

Fix:

```python
res = cur.execute(
    "SELECT id FROM users WHERE username = ? AND password = ?",
    (request.form["username"], request.form["password"]),
)
```

With a parameterised query, sqlite3 binds the two values as data after the SQL has been parsed, so quotes or keywords in the input can never change the query's structure. (Note that this fix only addresses injection; the query still compares the password as submitted, so the stored passwords should also be hashed rather than kept in plaintext.)

### SQLi-2 — Login Bypass Without Any Credentials

Vulnerable code: Same as SQLi-1.

How an attacker does it:

The attacker enters `' OR 1=1 -- ` (with a trailing space) as the username
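To make the difference between the two login queries concrete, here is an added, self-contained example (not code from the MP3 application or the write-up above). It builds an in-memory sqlite3 database with two constructed users, runs the same string-concatenated query the original app used, and runs the parameterised fix, against both the SQLi-1 payload in the password field and the SQLi-2 payload in the username field. The `users` table layout, the user names and the passwords are assumptions made for the demo.

```python
import sqlite3

# Constructed sample data for the demo; not the MP3 application's real table.
USERS = [
    (1, "alice", "hunter2"),
    (2, "bob", "s3cret"),
]


def make_db() -> sqlite3.Connection:
    """In-memory SQLite database seeded with the constructed users."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str):
    """The original pattern: user input concatenated into the SQL string.

    Returns the matched user id, or None. Quotes in the input become part
    of the SQL, which is exactly what SQLi-1 and SQLi-2 exploit.
    """
    query = (
        "SELECT id FROM users WHERE username = '"
        + username
        + "' AND password = '"
        + password
        + "'"
    )
    row = conn.execute(query).fetchone()
    return row[0] if row else None


def login_fixed(conn: sqlite3.Connection, username: str, password: str):
    """The parameterised fix: input is bound as data after parsing."""
    row = conn.execute(
        "SELECT id FROM users WHERE username = ? AND password = ?",
        (username, password),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run both login functions against the write-up's two payloads."""
    conn = make_db()
    results = {}

    # SQLi-1: a real username plus a payload in the password field.
    # Concatenated: ... AND password = '' OR '1'='1'  -> matches every row.
    results["sqli1_vuln"] = login_vulnerable(conn, "alice", "' OR '1'='1")
    results["sqli1_fixed"] = login_fixed(conn, "alice", "' OR '1'='1")

    # SQLi-2: payload in the username; "-- " comments out the password check.
    # Concatenated: ... username = '' OR 1=1 -- ' AND password = 'anything'
    results["sqli2_vuln"] = login_vulnerable(conn, "' OR 1=1 -- ", "anything")
    results["sqli2_fixed"] = login_fixed(conn, "' OR 1=1 -- ", "anything")

    # A legitimate login still succeeds after the fix.
    results["legit_fixed"] = login_fixed(conn, "alice", "hunter2")
    return results


if __name__ == "__main__":
    for name, user_id in demo().items():
        print(f"{name:12s} -> {user_id}")
```

Running the script shows both payloads returning user id 1 from the vulnerable function (the first row the database happens to return, which is why the attacker lands in an arbitrary account) and `None` from the parameterised version, while the real credentials still log in. The payload strings reach the fixed query as plain text, so `' OR '1'='1` is simply a password nobody has.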

Originally published on Dev.to (dev.to)