(All hints are encoded in base64)
Q1 Here's a Django view that serves an HTML response, whose content depends on a request query parameter:
from django.http import HttpResponse

def hello_view(request, name):
    return HttpResponse(f'<html><body><p>Hello {name}</p></body></html>')
What's the security hole? If this code were running on a third party server, how would you exploit it?
Hint: Q3Jvc3Mgc2l0ZSBzY3JpcHRpbmcgKFhTUykK
Q2 Consider a SQL database with a students table:
CREATE TABLE students (
    id serial primary key,
    first_name text,
    last_name text
);
Now consider a Django view that takes the first name and last name as query parameters, and inserts the given student into the table:
from django.http import HttpResponse

def insert_view(request, first_name, last_name):
    connection = get_sql_connection()
    connection.execute(f"INSERT INTO STUDENTS (first_name, last_name) VALUES ('{first_name}', '{last_name}')")
    return HttpResponse()
What's the security hole, and how would you exploit it?
Hint: U1FMIEluamVjdGlvbgo=
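The fix for the pattern in Q2 is to stop building the SQL text out of user data and hand the values to the driver separately. This is an added example (not code from the quiz): it uses the standard library's sqlite3 module and an in-memory copy of the students table, with "serial" swapped for sqlite's INTEGER PRIMARY KEY, and shows that the string-built statement breaks on a perfectly ordinary surname while the parameterised one stores it verbatim.

```python
import sqlite3

# Constructed in-memory copy of the quiz's students table, adapted to sqlite
# (sqlite has no "serial"; an INTEGER PRIMARY KEY auto-increments instead).
SCHEMA = """
CREATE TABLE students (
    id integer primary key,
    first_name text,
    last_name text
);
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    return conn


def insert_student_unsafe(conn, first_name, last_name):
    # The quiz's pattern: the values are spliced into the SQL text, so the
    # database cannot tell where the data ends and the statement begins.
    conn.execute(
        f"INSERT INTO students (first_name, last_name) "
        f"VALUES ('{first_name}', '{last_name}')"
    )


def insert_student_safe(conn, first_name, last_name):
    # Fix: a parameterised query. Statement and values travel separately,
    # so the values are only ever treated as data, whatever they contain.
    conn.execute(
        "INSERT INTO students (first_name, last_name) VALUES (?, ?)",
        (first_name, last_name),
    )


def list_students(conn):
    return conn.execute(
        "SELECT first_name, last_name FROM students ORDER BY id"
    ).fetchall()


def demo():
    """Returns (did the unsafe insert succeed?, rows stored by the safe insert)."""
    conn = make_db()
    # An ordinary surname containing an apostrophe unbalances the quotes in
    # the string-built statement and the database rejects it outright...
    try:
        insert_student_unsafe(conn, "Conor", "O'Brien")
        unsafe_ok = True
    except sqlite3.OperationalError:
        unsafe_ok = False
    # ...while the parameterised version stores exactly what was given.
    insert_student_safe(conn, "Conor", "O'Brien")
    return unsafe_ok, list_students(conn)


if __name__ == "__main__":
    print(demo())
```

The same shape applies to the Django view: with the ORM, `Student.objects.create(first_name=first_name, last_name=last_name)` is parameterised for you, and with raw cursors the values go in the second argument of `cursor.execute`, never into the query string.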
Q3 Consider the following Django model:
from django.db import models

class User(models.Model):
    is_superuser = models.BooleanField()
    username = models.CharField(max_length=150)
An important requirement of the system is that only a superuser can designate another user as a superuser.
This requirement is implemented using the following code.
In the backend using a Django view:
from django.http import HttpResponse

def set_superuser(request):
    user_id = request.data['user_id']
    is_superuser = request.data['is_superuser']
    if is_superuser:
        user = User.objects.get(id=user_id)
        user.is_superuser = True
        user.save()
    return HttpResponse()
And in the frontend using JavaScript:
function setSuperuser(userId) {
    // Assume that details of the current user are stored locally
    const currentUser = getCurrentUser()
    if (currentUser.isSuperuser) {
        httpClient.post('/set-superuser', { 'is_superuser': true, 'user_id': userId })
    }
}
What's the security hole and how do you exploit it?
Hint: TmV2ZXIgdHJ1c3QgeW91ciBpbnB1dHMK
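The requirement in Q3 has to be enforced where the data changes, on the server, using the identity the server itself established for the caller. Here is an added example of that check (not the quiz's code and not Django's): a plain dataclass stands in for the User model, a dict stands in for User.objects, and the acting user is the one the server would have resolved from the session (request.user in Django), not anything read from the request body.

```python
from dataclasses import dataclass


@dataclass
class User:
    # Constructed stand-in for the quiz's Django model; no ORM needed to run this.
    id: int
    username: str
    is_superuser: bool = False


class Forbidden(Exception):
    """The acting user is not allowed to perform the requested change."""


def set_superuser(acting_user, target_user_id, users):
    """Grant superuser status to target_user_id on behalf of acting_user.

    acting_user must be the authenticated user the server resolved from the
    session (request.user in Django), never a flag sent by the client: the
    server cannot know whether a browser ran the JavaScript check, so it has
    to make the decision itself.  `users` is a dict id -> User standing in
    for User.objects.
    """
    if not acting_user.is_superuser:
        raise Forbidden(f"user {acting_user.username} may not grant superuser")
    target = users.get(target_user_id)
    if target is None:
        raise LookupError(f"no user with id {target_user_id}")
    target.is_superuser = True  # the in-memory equivalent of user.save()
    return target


def demo():
    """Run the check against constructed sample users and report the outcomes."""
    users = {
        1: User(1, "alice", is_superuser=True),
        2: User(2, "bob"),
        3: User(3, "carol"),
    }
    outcomes = {}
    # bob is not a superuser, so his request to promote carol is refused.
    try:
        set_superuser(users[2], 3, users)
        outcomes["bob_promotes_carol"] = "allowed"
    except Forbidden:
        outcomes["bob_promotes_carol"] = "forbidden"
    # alice is a superuser, so the same request from her succeeds.
    set_superuser(users[1], 3, users)
    outcomes["alice_promotes_carol"] = "allowed"
    outcomes["carol_is_superuser"] = users[3].is_superuser
    return outcomes


if __name__ == "__main__":
    print(demo())
```

In the Django view this becomes a guard at the top of `set_superuser(request)`: return a 403 unless `request.user.is_superuser`, and ignore any `is_superuser` value the client sends. The frontend check can stay for usability, but it is a hint to the user, not a control.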
Q4 Consider a frontend application that displays user information. The user's id is taken from the URL.
HTML:
<html>
    <body>
        <div id="user-widget">
            <span id="username"></span>
            <span id="bio"></span>
        </div>
    </body>
</html>
JavaScript:
async function displayUser() {
    const userId = get_query_param(window.location.search, 'user_id')
    const user = await httpClient.get("/users/" + userId)
    document.getElementById("username").innerHTML = user.username
    document.getElementById("bio").innerHTML = user.bio
}
Same question: what's the hole, and how would you exploit it?
Hint: Q3Jvc3Mgc2l0ZSBzY3JpcHRpbmcgKFhTUykK
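Q1 and Q4 share one defect: a value that came from a user is placed into HTML as markup instead of as text. The fix in both is the same, so one added example covers both (this is not the quiz's code, and not Django's own): the standard library's html.escape converts the characters that mean something to an HTML parser into entities before the value is interpolated. render_hello is the hardened form of Q1's view body; render_user_widget is a server-side rendering of Q4's widget that escapes every field of the user record. In the browser, the equivalent of the second function is assigning to textContent rather than innerHTML; in Django proper, templates auto-escape and django.utils.html.format_html does the same job.

```python
from html import escape


def render_hello(name):
    """Hardened form of Q1's view body.

    escape() turns <, >, &, " and ' into entities, so whatever is in `name`
    is displayed as text and never parsed as markup.
    """
    return f"<html><body><p>Hello {escape(name)}</p></body></html>"


def render_user_widget(user):
    """Server-side rendering of Q4's widget with every field escaped.

    `user` is a dict with 'username' and 'bio' keys, the same record the
    quiz's JavaScript fetches from /users/<id> (constructed here).
    """
    return (
        '<div id="user-widget">'
        f'<span id="username">{escape(user["username"])}</span>'
        f'<span id="bio">{escape(user["bio"])}</span>'
        "</div>"
    )


def contains_unescaped(rendered, untrusted):
    """True if an untrusted value containing markup characters made it into
    the page verbatim, i.e. the rendering is NOT safe for that value."""
    return any(c in untrusted for c in "<>&\"'") and untrusted in rendered


if __name__ == "__main__":
    # Constructed inputs containing markup characters.
    print(render_hello("<b>Bob</b>"))
    print(render_user_widget({"username": "a&b", "bio": "<i>likes tea</i>"}))
```

contains_unescaped is the kind of check worth putting in a unit test for any view that builds HTML by hand: feed it a value with `<`, `&` or quotes and assert the rendered page does not contain that value unchanged.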
Q5 Consider a database with the following user table:
CREATE TABLE users (
    username text primary key,
    password text,
    name text
);
If my username is "chaitanya" and password is "pass@123", this is how my row will be created:
INSERT INTO users (username, password, name) VALUES ('chaitanya', 'pass@123', 'Chaitanya Gupta');
What's the problem with this scheme?
Hint: TG9va3VwIHVwIHBhc3N3b3JkIHN0b3JhZ2UgYmVzdCBwcmFjdGljZXMK