search

Vuln-Code 3 {Python}

This code is one of the challenges intigriti posts on twitter. Source below

hashtag
code

from flask import Flask, request
from jinja2 import Environment

app = Flask(__name__)

Jinja2 = Environment()

@app.route("/email/unsubscribe")
def page():
    email = request.values.get('email')
    output = Jinja2.from_string('<h1>Are you sure you want the mail: '+email+' to unsubscribe?</h1>'+'<button onclick="unsubsUser()">BYE!</button>'+'<a href="/">Reconsider</a>').render()
    return output

if __name__ == "__main__":
    app.run(host='0.0.0.0',port=80)

Sourcearrow-up-right for the code , the original post on twitter.

hashtag
Vulnerability

The code seems to be vulnerable to the two vulnerabilities:

hashtag
Client side Vulnerability

Cross-Site-Scripting attack can be used on the application's front-end due to the *email* parameter that is being fetched at line 10 without and being used without any sanitization. Making it to embed malicious javascript.

hashtag
Server Side Vulnerability

The application allows imposes risk of RCE due to the same *email* parameter being vulnerable and used without sanitization , the vulnerability that leads to such scenario is Server-Side-Template-Injection. Even a small payload like: {{5*5}} would result in evaluating that.

hashtag
Remedy

  • Proper sanitization will help in doing so , but how:

Avoid directly injecting user input into your templates. Instead, use Flask's built-in mechanisms to handle user input safely:

we could use render_template method to change:

and the template may look like this:

PreviousVuln-Code 2 {php}NextJava Code Review Series

Last updated