[PYTHON] Activity record in the programming circle

About this article

I will write a summary of what I did in the security department of the Computer Study Group for output. We will add more and more every Friday.

June 19

Activity content: I went to part3 and part4 of https://google-gruyere.appspot.com/.

Challenge: Creating a web application that lets you experience a Path Traversal attack

Directory structure


.
├── templates
│   └── index.html
├── a.txt
├── b.txt
├── c.txt
├── pass.txt
└── app.py

index.html


<!doctype html>
<html lang="ja">

<head>
	<meta charset="utf-8">
	<meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
	<title>Hello Jinja2</title>
</head>

<body>
	<h1>A web application that lets you experience a Path Traversal attack</h1>
	<p>Please enter the name of the file you want to display in the form below.</p>
	<p>You can choose from <strong>a.txt</strong>, <strong>b.txt</strong>, and <strong>c.txt</strong>.</p>
	
	<form action="/" method="POST" enctype="multipart/form-data">
		<div>
			<label for="name">file name:</label>
			<input type="text" id="name" name="name" placeholder="name">
		</div>
		<div>
			<input type="submit" value="Send">
		</div>
	</form>
	<p>{{data}}</p>
	<br><br><br>
	<h4>Commentary</h4>
	<p>This site looks for a file with the received file name in the directory and returns it as is.</p>
	<p>Therefore, a confidential file may be returned when a file name that was not expected is entered.</p>
	<h3>Let's enter pass.txt</h3>
</body>

</html>

a.txt


This is the contents of a.txt.

b.txt


This is the contents of b.txt.

c.txt


This is the contents of c.txt.

pass.txt


I was able to extract valuable password data.

app.py


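# -*- coding: utf-8 -*-
from flask import Flask, render_template, request

app = Flask(__name__)


# GET is accepted so the form can be displayed before the first submission.
@app.route('/', methods=['GET', 'POST'])
def post():
	name = request.form.get('name')  # None when the page is first loaded
	data = ""
	try:
		# Intentionally vulnerable: the client-supplied name goes straight to open(),
		# so any file the process can read (for example pass.txt) can be requested.
		with open(name) as f:
			data = f.read()
	except (OSError, TypeError, ValueError):
		# Missing or unreadable file, or no name submitted: show nothing.
		pass

	return render_template('index.html', data=data)


if __name__ == '__main__':
	app.run()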

All I had to do was set up a local server, so I wrote it using Flask. It was ridiculously easy to implement, so it felt like Flask! Is there really anyone who implements such a stupid vulnerability?
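The corrected counterpart to the open(name) call in app.py, as an added example that is not the author's code. It assumes the public files are moved into a hypothetical public/ directory so that pass.txt no longer sits beside them, and it rejects any name that resolves outside that directory; build_demo_tree, read_unsafe and read_public are names made up for this example.

```python
import os
import tempfile
from pathlib import Path


def build_demo_tree():
    """Constructed sample layout: pass.txt beside the app, public files in public/."""
    app_dir = Path(tempfile.mkdtemp(prefix="traversal_demo_"))
    public = app_dir / "public"  # hypothetical directory, not part of the page's layout
    public.mkdir()
    for n in ("a.txt", "b.txt", "c.txt"):
        (public / n).write_text(f"This is the contents of {n}.")
    (app_dir / "pass.txt").write_text("SECRET (constructed sample)")
    return app_dir, public


def read_unsafe(base_dir, name):
    """What app.py does: open whatever name the client sent, relative to base_dir."""
    try:
        with open(os.path.join(base_dir, name)) as f:
            return f.read()
    except (OSError, TypeError, ValueError):
        return ""


def read_public(public_dir, name):
    """Return the file's text only if name resolves to a file inside public_dir."""
    if not name:
        return None
    base = Path(public_dir).resolve()
    try:
        # resolve() collapses ".." and follows symlinks before the comparison.
        target = (base / name).resolve()
        target.relative_to(base)  # raises ValueError when target is outside base
    except (ValueError, OSError):
        return None
    return target.read_text() if target.is_file() else None


if __name__ == "__main__":
    app_dir, public = build_demo_tree()
    for name in ("a.txt", "pass.txt", "../pass.txt", str(app_dir / "pass.txt")):
        print(f"{name!r}: unsafe={read_unsafe(public, name)!r} "
              f"checked={read_public(public, name)!r}")
```

Moving the files alone is not enough: read_unsafe still returns pass.txt for a relative or absolute name that leaves public/, while read_public returns None for both.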

June 12

Activity content: I went to part0, part1, part2 of https://google-gruyere.appspot.com/.

What I learned: There are several types of XSS (cross-site scripting), such as reflected, stored, and DOM-based XSS. Take measures against XSS by sanitizing (escaping).

Challenge: Creating a web page where you can experience DOM Based XSS

xss.html


<html>
  <title>DOM Based XSS</title>
  <h1>A site where you can experience DOM Based XSS</h1>
  Hi
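  <script charset="UTF-8">
    // Intentionally vulnerable: the value after "name=" is written into the page unescaped.
    var pos=document.URL.indexOf("name=");
    if (pos !== -1) {
      document.write(unescape(document.URL.substring(pos+5,document.URL.length)));
    }
  </script>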
  <br><br>
  <p>If you give a name as a parameter at the end of this page's URL, the page dynamically rewrites its HTML.</p>
  <p>(Example) 〜〜xss.html?name=Taro</p>
  <p>I think the name will be displayed after "Hi" at the top.</p><br>
  <p>However, this site will execute a malicious script if one is put in the parameter.</p>
  <p>(Example) 〜〜xss.html?name=&lt;script&gt;alert("Your PC was broken!!")&lt;/script&gt;</p>
  <p>If an alert can be shown, a script that actually does harm can be run as well.</p>
  </html>
