Tags: programming secure-coding
Rating:
# Science!
We need to fix the vulnerability exploited in Web: Science!
This is a fairly simple fix. We just need to get rid of opening curly brace characters, since every Jinja delimiter (`{{`, `{%`, `{#`) starts with one. The Python script in question is tamuctf/views.py.
Insecure code:
```python
import requests
import json
import sys
from tamuctf import app
from flask import Flask, render_template, request, jsonify, render_template_string


@app.route('/')
@app.route('/index')
def index():
    return render_template('index.html')


@app.route('/science', methods=['POST'])
def science():
    try:
        chem1 = request.form['chem1']
        chem2 = request.form['chem2']
        # User input is formatted straight into the template *source*
        template = '''<html>
<div style="text-align:center">
<h3>The result of combining {} and {} is:</h3>
<iframe src="https://giphy.com/embed/AQ2tIhLp4cBa" width="468" height="480" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></div>
</html>'''.format(chem1, chem2)
        return render_template_string(template, dir=dir, help=help, locals=locals)
    except:
        return "Something went wrong"
```
These are the two problem lines:
```python
chem1 = request.form['chem1']
chem2 = request.form['chem2']
```
We can easily prevent injection by getting rid of opening curly braces.
```python
chem1 = request.form['chem1'].replace("{","")
chem2 = request.form['chem2'].replace("{","")
```
Secure code:
```python
import requests
import json
import sys
from tamuctf import app
from flask import Flask, render_template, request, jsonify, render_template_string


@app.route('/')
@app.route('/index')
def index():
    return render_template('index.html')


@app.route('/science', methods=['POST'])
def science():
    try:
        # Strip opening braces so no Jinja delimiter can survive in the input
        chem1 = request.form['chem1'].replace("{","")
        chem2 = request.form['chem2'].replace("{","")
        template = '''<html>
<div style="text-align:center">
<h3>The result of combining {} and {} is:</h3>
<iframe src="https://giphy.com/embed/AQ2tIhLp4cBa" width="468" height="480" frameBorder="0" class="giphy-embed" allowFullScreen></iframe></div>
</html>'''.format(chem1, chem2)
        return render_template_string(template, dir=dir, help=help, locals=locals)
    except:
        return "Something went wrong"
```
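Stripping `{` closes this hole, but the template source is still assembled from user input. As an added example (my code, not the writeup's or the challenge's), here is the same rendering done both ways with jinja2 directly, so it runs without the Flask app: the insecure form formats input into the source, the fixed form keeps the source constant and passes input as context variables, which Jinja then treats purely as data and autoescapes (Flask's `render_template_string` autoescapes the same way). The template text is a constructed cut-down version of the page's markup, and the `{{ 7 * 7 }}` probe is only used as a regression check.

```python
from jinja2 import Environment

# Constructed templates: the writeup's <h3> line, minus the iframe.
INSECURE_TEMPLATE = "<h3>The result of combining {} and {} is:</h3>"
SAFE_TEMPLATE = "<h3>The result of combining {{ chem1 }} and {{ chem2 }} is:</h3>"

# autoescape=True mirrors what Flask enables for render_template_string
env = Environment(autoescape=True)


def render_insecure(chem1: str, chem2: str) -> str:
    """Mirror of the vulnerable route: user input becomes template source,
    so Jinja evaluates anything it recognises inside the input."""
    source = INSECURE_TEMPLATE.format(chem1, chem2)
    return env.from_string(source).render()


def render_fixed(chem1: str, chem2: str) -> str:
    """Template source is a constant; input only ever arrives as context
    variables, so delimiters in it are printed, not interpreted."""
    return env.from_string(SAFE_TEMPLATE).render(chem1=chem1, chem2=chem2)


def looks_like_template_injection(value: str) -> bool:
    """Cheap log/request check: flag form values carrying Jinja delimiters."""
    return any(tok in value for tok in ("{{", "{%", "{#"))


if __name__ == "__main__":
    probe = "{{ 7 * 7 }}"
    print(render_insecure(probe, "H2O"))    # expression is evaluated -> 49
    print(render_fixed(probe, "H2O"))       # printed literally, not evaluated
    print(render_fixed("<b>Na</b>", "Cl"))  # markup is autoescaped
    print(looks_like_template_injection(probe))  # True
```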
Upon committing and pushing the code upstream, we're presented with the flag.
![](https://raw.githubusercontent.com/shawnduong/ctf-writeups/master/2019-TAMU/images/Science-1.png)