As a way of sharing my work, I will write a summary of what I did in the security team of the Computer Study Group. More will be added every Friday.
Activity content: I went through part3 and part4 of https://google-gruyere.appspot.com/.
Challenge: Creating a web application that allows you to experience Path Traversal Attack
Directory structure
.
├── templates
│ └── index.html
├── a.txt
├── b.txt
├── c.txt
├── pass.txt
└── app.py
index.html
<!doctype html>
<html lang="ja">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1, shrink-to-fit=no">
  <title>Hello Jinja2</title>
</head>
<body>
  <h1>A web application that allows you to experience Path Traversal Attack</h1>
  <p>Please enter the name of the file you want to display in the form below.</p>
  <p>You can choose from <strong>a.txt</strong>, <strong>b.txt</strong> and <strong>c.txt</strong>.</p>
  <form action="/" method="POST" enctype="multipart/form-data">
    <div>
      <label for="name">file name:</label>
      <input type="text" id="name" name="name" placeholder="name">
    </div>
    <div>
      <input type="submit" value="Send">
    </div>
  </form>
  <!-- Jinja2 autoescapes this value in .html templates, so the file contents are shown as text -->
  <p>{{data}}</p>
  <br><br><br>
  <h4>Commentary</h4>
  <p>This site looks for a file with the received file name in its directory and returns it as is.</p>
  <p>Therefore, a confidential file may be returned when a file name that was never meant to be entered is submitted.</p>
  <h3>Let's enter pass.txt</h3>
</body>
</html>
a.txt
These are the contents of a.txt.
b.txt
These are the contents of b.txt.
c.txt
These are the contents of c.txt.
pass.txt
I was able to extract valuable password data.
app.py
# -*- coding: utf-8 -*-
from flask import Flask, render_template, request

app = Flask(__name__)


# GET is accepted as well; with POST only, opening http://127.0.0.1:5000/ in a
# browser returns 405 and the form is never shown.
@app.route('/', methods=['GET', 'POST'])
def post():
    name = request.form.get('name')  # None on GET, the raw form value on POST
    data = ""
    try:
        # Deliberately vulnerable: the user-supplied name is opened as is, with no
        # allowlist or directory check, so pass.txt can be requested just like a.txt.
        f = open(name)
        data = f.read()
        f.close()
    except (OSError, TypeError):  # file does not exist, or name is None
        pass
    return render_template('index.html', data=data)


if __name__ == '__main__':
    app.run()
All I had to do was set up a local server, so I wrote it with Flask. It was ridiculously easy to implement; that is Flask for you. Is there really anyone who implements such a stupid vulnerability?
Activity content: I went through part0, part1 and part2 of https://google-gruyere.appspot.com/.
What I learned: There are various types of XSS (cross-site scripting), such as reflected, stored and DOM-based XSS. The countermeasure against XSS is to sanitize (escape) the output.
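As an added example that is not part of the original post, this is how the open(name) in app.py could be hardened: an allowlist of the three advertised names plus a check that the resolved path stays inside the application directory. The function names are my own and demo() builds a constructed copy of the directory layout in a temporary directory.

```python
import os
import tempfile
from pathlib import Path
from typing import Dict, Iterable, Optional

# The three names the form advertises; anything else is refused outright.
ALLOWED_FILES = frozenset({"a.txt", "b.txt", "c.txt"})


def resolve_requested_file(base_dir: str, name: str,
                           allowed: Optional[Iterable[str]] = ALLOWED_FILES) -> Optional[Path]:
    """Return the file to serve for ``name`` inside ``base_dir``, or None.

    Two independent checks:
      1. allowlist: only the advertised names are accepted (pass.txt is not);
      2. containment: the resolved real path must still sit below base_dir,
         which stops "../pass.txt" and absolute paths or symlinks that leave it.
    """
    if not name:
        return None
    if allowed is not None and name not in set(allowed):
        return None
    root = Path(base_dir).resolve()
    candidate = (root / name).resolve()  # follows symlinks, collapses ".."
    if root not in candidate.parents:
        return None
    return candidate if candidate.is_file() else None


def read_requested_file(base_dir: str, name: str,
                        allowed: Optional[Iterable[str]] = ALLOWED_FILES) -> str:
    """Drop-in replacement for app.py's open(name): empty string when refused."""
    path = resolve_requested_file(base_dir, name, allowed)
    return path.read_text(encoding="utf-8") if path else ""


def demo(allowed: Optional[Iterable[str]] = ALLOWED_FILES) -> Dict[str, str]:
    """Recreate the post's directory layout in a temp dir (constructed data)
    and run benign and traversal inputs through the hardened reader."""
    tmp = tempfile.mkdtemp()
    for n in ("a.txt", "b.txt", "c.txt"):
        Path(tmp, n).write_text(f"These are the contents of {n}.", encoding="utf-8")
    Path(tmp, "pass.txt").write_text("secret", encoding="utf-8")
    probes = {"advertised": "a.txt", "secret in same dir": "pass.txt",
              "dot-dot traversal": "../pass.txt",
              "absolute path": os.path.join(tmp, "pass.txt")}
    return {label: read_requested_file(tmp, p, allowed) for label, p in probes.items()}
```

demo() shows that only the advertised name returns content; demo(allowed=None) shows that the containment check alone still blocks ../pass.txt but not pass.txt, which sits right beside a.txt, so the allowlist is what protects it.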
Challenge: Creating a web page where you can experience DOM Based XSS
xss.html
<!doctype html>
<html>
<head>
  <meta charset="utf-8">
  <title>DOM Based XSS</title>
</head>
<body>
  <h1>A site where you can experience DOM Based XSS</h1>
  Hi
  <script>
    // Deliberately vulnerable: whatever follows "name=" in the URL is decoded
    // and written straight into the document as HTML, without any escaping.
    var pos = document.URL.indexOf("name=") + 5;
    document.write(unescape(document.URL.substring(pos, document.URL.length)));
  </script>
  <br><br>
  <p>If you give a name as a parameter at the end of this page's URL, the HTML is rewritten dynamically.</p>
  <p>(Example) 〜〜xss.html?name=Taro</p>
  <p>The name should now be displayed after "Hi" at the top.</p><br>
  <p>However, this site will execute a malicious script if one is put in the parameter.</p>
  <!-- The example below is entity-escaped so that the page only displays it instead of running it -->
  <p>(Example) 〜〜xss.html?name=&lt;script&gt;alert("Your PC was broken!!")&lt;/script&gt;</p>
  <p>If an alert can be triggered, a script with a genuinely harmful effect can be run in the same way.</p>
</body>
</html>