(All hints are encoded in base64)
Q1 Here's a Django view that serves an HTML response, whose content depends on a request query parameter:
from django.http import HttpResponse

def hello_view(request, name):
    # `name` comes straight from the request and is placed into the markup as-is
    return HttpResponse(f'<html><body><p>Hello {name}</p></body></html>')
What's the security hole? If this code were running on a third party server, how would you exploit it?
Hint: Q3Jvc3Mgc2l0ZSBzY3JpcHRpbmcgKFhTUykK
Q2 Consider a SQL database with a students table:
CREATE TABLE students (
    id serial primary key,
    first_name text,
    last_name text
);
Now consider a Django view that takes the first name and last name as query parameters, and inserts the given student into the table:
from django.http import HttpResponse

def insert_view(request, first_name, last_name):
    connection = get_sql_connection()
    # The statement is assembled by string formatting; both parameters are
    # dropped directly inside the quoted SQL literals
    connection.execute(
        f"INSERT INTO STUDENTS (first_name, last_name) "
        f"VALUES ('{first_name}', '{last_name}')"
    )
    return HttpResponse()
What's the security hole and how to exploit it?
Hint: U1FMIEluamVjdGlvbgo=
Q3 Consider the following Django model:
from django.db import models

class User(models.Model):
    is_superuser = models.BooleanField()
    username = models.CharField(max_length=150)
An important requirement of the system is that only a superuser can designate another user as a superuser.
This requirement is implemented using the following code.
In the backend using a Django view:
from django.http import HttpResponse

def set_superuser(request):
    # request.data is the parsed request body
    user_id = request.data['user_id']
    is_superuser = request.data['is_superuser']
    if is_superuser:
        user = User.objects.get(pk=user_id)
        user.is_superuser = True
        user.save()
    return HttpResponse()
And in the frontend using Javascript:
function setSuperuser(userId) {
    // Assume that details of the current user are stored locally
    const currentUser = getCurrentUser()
    if (currentUser.isSuperuser) {
        httpClient.post('/set-superuser', { 'is_superuser': true, 'user_id': userId })
    }
}
What's the security hole and how do you exploit it?
Hint: TmV2ZXIgdHJ1c3QgeW91ciBpbnB1dHMK
Q4 Consider a frontend application that displays user information. The id of the user is taken from the URL.
HTML:
<html>
  <body>
    <div id="user-widget">
      <span id="username"></span>
      <span id="bio"></span>
    </div>
  </body>
</html>
Javascript:
async function displayUser() {
    // Read the user id from the page's query string (?user_id=...)
    const userId = new URLSearchParams(window.location.search).get('user_id')
    const user = await httpClient.get('/users/' + userId)
    // The fetched fields are written into the page as HTML
    document.getElementById('username').innerHTML = user.username
    document.getElementById('bio').innerHTML = user.bio
}
Same question: what's the hole and how to exploit it?
Hint: Q3Jvc3Mgc2l0ZSBzY3JpcHRpbmcgKFhTUykK
Q5 Consider a database with the following user table:
CREATE TABLE users (
    username text primary key,
    password text,
    name text
);
If my username is "chaitanya" and password is "pass@123", this is how my row will be created:
INSERT INTO users (username, password, name) VALUES ('chaitanya', 'pass@123', 'Chaitanya Gupta');
What's the problem with this scheme?
Hint: TG9va3VwIHVwIHBhc3N3b3JkIHN0b3JhZ2UgYmVzdCBwcmFjdGljZXMK
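For comparison with the scheme in Q5, here is an added example (not part of the original quiz) of the storage practice the hint points to: the password is run through PBKDF2-HMAC-SHA256 with a per-user random salt, only the derived hash lands in the users table, and login recomputes the derivation and compares it in constant time. The open_db, create_user and login helpers, the in-memory SQLite database standing in for the page's table, and the 600,000-iteration work factor are assumptions of this example.

```python
import hashlib
import hmac
import secrets
import sqlite3

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed; raise as hardware gets faster)
ALGORITHM = "pbkdf2_sha256"

def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing string: algorithm$iterations$salt_hex$digest_hex.
    A fresh random salt per user means two users with the same password
    end up with different stored values."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${salt.hex()}${digest.hex()}"

def verify_password(password: str, stored: str) -> bool:
    """Re-derive with the stored salt and parameters; compare in constant time."""
    try:
        algorithm, iterations, salt_hex, digest_hex = stored.split("$")
        salt, digest, rounds = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex), int(iterations)
    except ValueError:
        return False            # malformed record: never treat it as a match
    if algorithm != ALGORITHM:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(candidate, digest)

# Checked when the username is unknown, so a login attempt costs the same time
# whether or not the account exists (no username enumeration via timing).
DUMMY_HASH = hash_password(secrets.token_hex(16))

def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username text primary key, password text, name text)")
    return conn

def create_user(conn: sqlite3.Connection, username: str, password: str, name: str) -> None:
    # Parameterised statement; the hash, not the password, is what gets stored
    conn.execute("INSERT INTO users (username, password, name) VALUES (?, ?, ?)",
                 (username, hash_password(password), name))

def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    row = conn.execute("SELECT password FROM users WHERE username = ?", (username,)).fetchone()
    stored = row[0] if row else DUMMY_HASH
    return verify_password(password, stored) and row is not None
```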