A server side template injection is a vulnerability that occurs when a server renders user input as a template of some sort. Server-Side Template Injection is possible when an attacker injects template directive as user input that can execute arbitrary code on the server.
render_template_string() is used to generate output from a string that is passed in rather than from a file in the templates folder. And in some case, this function will lead to SSTI.
output = render_template_string(output)
Cross site scripting is the concept of injecting arbitrary HTML (and with it JavaScript) into the context of a website.
By default, everything flask outputs via jinja2 is HTML escaped so that even if you display a user generated string it is guaranteed not to contain any malicious javascript/html codes.
While Jinja2 can protect you from XSS issues by escaping HTML, there is one thing it cannot protect you from: XSS by attribute injection. To counter this possible attack vector, be sure to always quote your attributes with either double or single quotes when using Jinja expressions in them:
<input value="{{ value }}">
Why is this necessary? Because if you would not be doing that, an attacker could easily inject custom JavaScript handlers. For example an attacker could inject this piece of HTML+JavaScript:
onmouseover=alert(document.cookie)
or if autoescape set to false:
3. Deseriealize with Pickle
Serialization and Deserialization are mechanisms used in many environment (web, mobile, IoT, ...) when you need to convert any Object (it can be an OOM, an array, a dictionary, a file descriptor, ... anything) to something that you can put "outside" of your application (network, file system, database, ...)
import pickle import datetime my_data = {} my_data['last-modified'] = str(datetime.datetime.now()) my_data['friends'] = ["alice", "bob"] pickle_data = pickle.dumps(my_data) with open("backup.data", "wb") as file: file.write(pickle_data)
last-modifiedqX2020-12-12 00:23:29.986499qXfriendsq]q(XaliceqXbobqeu.
import pickle with open("backup.data", "rb") as file: pickle_data = file.read() my_data = pickle.loads(pickle_data) my_data
{'friends': ['alice', 'bob'], 'last-modified': '2020-12-12 00:23:29.986499'}
How to protect against it
It's simple... don't use pickle (or any other "wannabe" universal and automatic serializer) if you are going to parse untrusted data with it.
It's not that hard to write your own convert_data_to_string(data)
and convert_string_to_data(string)
functions that won't be able to interpret forged object with malicious code within.
Không có nhận xét nào:
Đăng nhận xét