URL injection

URL injection + Insecure security controls

Medium
45 min

Deepen your knowledge and try to bypass the built-in security mechanism in the application. After that, you can perform a classic URL injection attack and solve the lab. This lab is based on a real-life application in which the developers used similar protection mechanisms without knowing that they could be completely breached.

Read the blog here if you get stuck!

The application source code can be found below.

import os
import hmac
import flask
import requests

from urllib.parse import urlparse
from flask import Flask, render_template, request, flash, abort, jsonify
from modules import database
from modules import variables

app = Flask(__name__)
db = database.Database()

# Internal endpoint: only reachable when the client address is loopback
@app.route("/internal-api/v1/recipes", methods=['GET'])
def recipes_api():
    ip_address = flask.request.remote_addr
    if ip_address not in ('127.0.0.1', '::1', 'localhost'):
        abort(404)

    return jsonify({
        'recipes': [
            {
                'Secret Recipe': [
                    'Sugar',
                    'Flour',
                    'Hacked flag %s' % os.environ['FLAG']
                ]
            }
        ]
    })


# Internal endpoint: checks whether an e-mail address is already registered
@app.route("/api/user/<user_mail>")
def user_api(user_mail):
    ip_address = flask.request.remote_addr
    if ip_address not in ('127.0.0.1', '::1', 'localhost'):
        abort(404)
    user_mail = request.view_args["user_mail"]
    ret_user = db.get_user(user_mail)
    if ret_user is not None:
        return jsonify({'Email free': 'False'})
    else:
        return jsonify({'Email free': 'True'})


# Public endpoint: validates the HMAC signature of the submitted e-mail address,
# then forwards the value to the internal user API by string concatenation
@app.route("/verify", methods=['POST'])
def verify():
    mail = request.form.get("mail")
    signature = request.headers.get('X-Signature')
    if calculateSignatureAndCompare(mail, signature):
        resp = requests.get("http://127.0.0.1:5000/api/user/" + mail)
        return jsonify(resp.json())
    else:
        return jsonify({'Signature': 'Invalid'})


@app.route("/", methods=['GET'])
def index():
    return render_template("index.html")


# Helper function that calculates and compares the signature with the given value
def calculateSignatureAndCompare(email, signature):
    try:
        key = variables.secret
        hmac_value = hmac.new(key=key.encode(), msg=email.encode(), digestmod="sha256")
        calculated_signature = hmac_value.digest().hex()
        if calculated_signature == signature:
            return True

        return False
    except Exception as e:
        print(e)
        return False


if __name__ == '__main__':
    app.run(debug=False, host='0.0.0.0', port=5000)
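The root cause in the lab application is that the signed value is pasted straight into a URL path, so anything the signature check lets through also controls where the internal request goes. Below is an added example, not part of the lab's code, showing how a defender would build that internal URL safely: validate the value against the shape it must have, percent-encode it so it stays a single path segment, re-check the final path against the intended prefix, and verify the HMAC with a constant-time comparison instead of `==`. The `API_BASE` constant and the `EMAIL_RE` pattern are assumptions chosen for this illustration.

```python
import hmac
import re
from urllib.parse import quote, urlsplit

# Assumption: same internal endpoint base as the lab application uses
API_BASE = "http://127.0.0.1:5000/api/user/"
API_PATH_PREFIX = "/api/user/"

# Assumption: a deliberately narrow e-mail shape; one local part, one '@', a dotted domain.
# It is an allowlist for this endpoint, not a full RFC 5322 parser.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def build_user_api_url(mail: str) -> str:
    """Return the internal lookup URL for `mail`, or raise ValueError if the
    value could change which endpoint is called."""
    if not isinstance(mail, str) or not EMAIL_RE.fullmatch(mail):
        raise ValueError("value is not an e-mail address")

    # safe="" percent-encodes every reserved character, including '/', '?' and '#',
    # so the value can only ever be one path segment
    url = API_BASE + quote(mail, safe="")

    # Defence in depth: the final URL must still point at the intended endpoint
    parsed = urlsplit(url)
    remainder = parsed.path[len(API_PATH_PREFIX):]
    if (parsed.scheme != "http" or parsed.netloc != "127.0.0.1:5000"
            or not parsed.path.startswith(API_PATH_PREFIX)
            or "/" in remainder or parsed.query or parsed.fragment):
        raise ValueError("URL escaped the intended endpoint")
    return url


def sign(key: str, msg: str) -> str:
    """HMAC-SHA256 over `msg`, hex encoded, matching the lab's signing scheme."""
    return hmac.new(key.encode(), msg.encode(), "sha256").hexdigest()


def verify_signature(key: str, msg: str, signature) -> bool:
    """Constant-time check of a client-supplied signature against the expected one."""
    if not isinstance(msg, str) or not isinstance(signature, str):
        return False
    expected = sign(key, msg).encode()
    # compare_digest runs in time independent of where the first mismatch is
    return hmac.compare_digest(expected, signature.encode())


if __name__ == "__main__":
    # Constructed sample values, not lab data
    key = "example-secret"
    mail = "alice@example.com"
    print(build_user_api_url(mail))
    print(verify_signature(key, mail, sign(key, mail)))
```

The two checks are independent on purpose: the signature proves the value came from the signing party, while the allowlist plus encoding proves the value cannot reach any other route, so a compromised or weak signing step alone no longer exposes the internal API.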

Exercises

Flag

Find the flag from the lab environment and enter it below.
