Tuesday, 10 November 2020

[Learning] Flask Framework - Python [#3] - Common Vulnerabilities


Web applications usually face all kinds of security problems and it’s very hard to get everything right. Flask tries to solve a few of these things for you, but there are a couple more you have to take care of yourself.

1. SSTI - Server side template injection
A server-side template injection (SSTI) is a vulnerability that occurs when a server renders user input as part of a template. It becomes possible when an attacker can inject template directives as user input, which can then execute arbitrary code on the server.

At the beginning, my local website simply shows a message.
If already logged in:

If not:

Let's edit the code so we can pass a parameter with the GET method.

As you can see, we can now pass the 'name' parameter in the URL.

render_template_string() generates output from a string that is passed in, rather than from a file in the templates folder. In some cases this function leads to SSTI.

Add this line to the piece of code above, so that the string built from the user's input is rendered as a template:

        output = render_template_string(output)

Then input an SSTI payload. For instance:

Bingo! The vulnerability comes into play because the template is executed on the server side and we control its source.

Leak The Secret Key Used To Sign Session Cookies

Referencing the config object inside a template returns the application's configuration key/value pairs, one of which is the secret key used to sign session cookies. So we can ask for the SECRET_KEY entry and the template will return the secret key value: {{config["SECRET_KEY"]}}
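The following is an added example, not code from the original post: the same Flask view written two ways, so the difference between rendering untrusted input as template source and passing it as a template variable can be checked with Flask's test client. The route names, the placeholder secret key and the probe string are constructed for this example.

```python
# Added example (not code from the original post): vulnerable and safe use of
# render_template_string() side by side, exercised through Flask's test client.
from flask import Flask, request, render_template_string

app = Flask(__name__)
# Constructed placeholder value; a real application loads its secret from the
# environment or a secrets store, never from source code.
app.config["SECRET_KEY"] = "example-secret-key-placeholder"


@app.route("/vulnerable")
def vulnerable():
    # The untrusted 'name' parameter is concatenated INTO the template source,
    # so any {{ ... }} expression it contains is evaluated by Jinja2 on the
    # server: this is the SSTI pattern described above.
    name = request.args.get("name", "World")
    return render_template_string("Hello " + name)


@app.route("/safe")
def safe():
    # The template source is a fixed string written by the developer; 'name'
    # is passed as a context variable, so Jinja2 treats it as data and
    # autoescapes it (autoescaping is on for render_template_string()).
    name = request.args.get("name", "World")
    return render_template_string("Hello {{ name }}", name=name)


def render_both(name):
    """Render the same input through both views; return (vulnerable, safe)."""
    client = app.test_client()
    vuln = client.get("/vulnerable", query_string={"name": name})
    safe_resp = client.get("/safe", query_string={"name": name})
    return vuln.get_data(as_text=True), safe_resp.get_data(as_text=True)


if __name__ == "__main__":
    # Harmless probe: it only evaluates if the input is treated as template code.
    v, s = render_both("{{ 7 * 7 }}")
    print("vulnerable:", v)   # Hello 49
    print("safe:      ", s)   # Hello {{ 7 * 7 }}
    v, s = render_both('{{ config["SECRET_KEY"] }}')
    print("secret leaked by /vulnerable:", "placeholder" in v)   # True
    print("secret leaked by /safe:      ", "placeholder" in s)   # False
```

The fix is not to escape the input harder but to stop treating it as template source: keep the template text under the developer's control and hand user data in as context variables, which is also what render_template() with a file in the templates folder does.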

How can we build a payload for RCE?


2. Cross-Site Scripting - XSS
Cross-site scripting is the concept of injecting arbitrary HTML (and with it JavaScript) into the context of a website.
By default, everything Flask outputs via Jinja2 is HTML-escaped, so even if you display a user-generated string it is guaranteed not to contain any malicious JavaScript or HTML.

While Jinja2 can protect you from XSS issues by escaping HTML, there is one thing it cannot protect you from: XSS by attribute injection. To counter this possible attack vector, be sure to always quote your attributes with either double or single quotes when using Jinja expressions in them:

        <input value="{{ value }}">

Why is this necessary? Because if you did not do that, an attacker could easily inject custom JavaScript event handlers. For example, an attacker could inject this piece of HTML+JavaScript:


Or, if autoescape is set to false:
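The following is an added example, not code from the original post, showing why quoting and escaping are both needed. Python's html.escape() with quote=True is used here as a stand-in for Jinja2's autoescaping (both replace the same five characters: &, <, >, " and '), and the standard library's HTML parser reports which attributes a browser would see on the <input> element. The three render_* helpers and the sample values are constructed for this example.

```python
# Added example (not from the original post): the attribute-injection case
# that autoescaping alone does not cover, checked with an HTML parser.
import html
from html.parser import HTMLParser


def render_unquoted(value):
    # Equivalent of <input value={{ value }}> with autoescape on: escaped, unquoted.
    return "<input value=%s>" % html.escape(value, quote=True)


def render_quoted(value):
    # Equivalent of <input value="{{ value }}"> with autoescape on: escaped AND quoted.
    return '<input value="%s">' % html.escape(value, quote=True)


def render_quoted_no_escape(value):
    # Equivalent of <input value="{{ value }}"> with autoescape off (or |safe).
    return '<input value="%s">' % value


class InputAttrs(HTMLParser):
    """Collect the attribute names of the first <input> tag in the markup."""

    def __init__(self):
        super().__init__()
        self.names = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.names is None:
            self.names = [name for name, _ in attrs]


def input_attributes(markup):
    """Return the attribute names a browser would parse on the <input> element."""
    parser = InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.names or []


if __name__ == "__main__":
    # Constructed inputs: the first contains no character that escaping touches
    # and relies only on the missing quotes; the second relies on a double quote
    # closing the attribute early, which escaping neutralises.
    for v in ("x onmouseover=alert(1)", '" onmouseover=alert(1) x="'):
        print(repr(v))
        print("  unquoted, escaped   :", input_attributes(render_unquoted(v)))
        print("  quoted, escaped     :", input_attributes(render_quoted(v)))
        print("  quoted, not escaped :", input_attributes(render_quoted_no_escape(v)))
```

Only the quoted, escaped form yields a single value attribute for both inputs; the unquoted form gains an event-handler attribute without any character that escaping would have touched, and the unescaped form gains one as soon as the value contains a quote.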

3. Deserialization with Pickle

Serialization and deserialization are mechanisms used in many environments (web, mobile, IoT, ...) whenever you need to convert an object (it can be an OOM, an array, a dictionary, a file descriptor, ... anything) into something you can put "outside" of your application (network, file system, database, ...).

In Python, the default library used to serialize and deserialize objects is pickle:

    import pickle
    import datetime

    my_data = {}
    my_data['last-modified'] = str(datetime.datetime.now())
    my_data['friends'] = ["alice", "bob"]
    pickle_data = pickle.dumps(my_data)
    # "my_data.pkl" is a placeholder; the filename used in the original post was not preserved
    with open("my_data.pkl", "wb") as file:
        file.write(pickle_data)

The file now holds the pickled bytes (non-printable opcode bytes are not shown):

    last-modifiedqX2020-12-12 00:23:29.986499qXfriendsq]q(XaliceqXbobqeu.

Reading it back:

    import pickle

    with open("my_data.pkl", "rb") as file:
        pickle_data = file.read()
    my_data = pickle.loads(pickle_data)
    print(my_data)

Output:

    {'friends': ['alice', 'bob'], 'last-modified': '2020-12-12 00:23:29.986499'}

How to protect against it

It's simple: don't use pickle (or any other "wannabe" universal and automatic serializer) if you are going to parse untrusted data with it.

It's not that hard to write your own convert_data_to_string(data) and convert_string_to_data(string) functions that cannot interpret a forged object carrying malicious code.
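The following is an added example, not code from the original post: the two helper functions the text suggests, built on JSON so that decoding can only ever produce plain data (dict, list, str, numbers, bool, None) plus datetime values that the code decodes itself. Unlike pickle.loads(), json.loads() has no way to import a module or call a constructor chosen by whoever produced the string. The function names follow the post; the "__datetime__" tag, the RestrictedUnpickler fallback (the find_class override pattern from the Python pickle documentation, here refusing every global) and the sample data are constructed for this example.

```python
# Added example (not from the original post): JSON-based converters that cannot
# execute code, plus a restricted unpickler for when the pickle format cannot be
# avoided but only plain data is expected.
import datetime
import io
import json
import pickle

DATETIME_TAG = "__datetime__"   # tag chosen for this example


def convert_data_to_string(data):
    """Serialize plain data (and datetime values) to a JSON string."""
    def encode(obj):
        if isinstance(obj, datetime.datetime):
            return {DATETIME_TAG: obj.isoformat()}
        # Any other object is refused instead of being serialized by magic.
        raise TypeError("unsupported type: %s" % type(obj).__name__)
    return json.dumps(data, default=encode)


def convert_string_to_data(string):
    """Parse a JSON string back into plain data; nothing in it can run code."""
    def decode(obj):
        if set(obj) == {DATETIME_TAG} and isinstance(obj[DATETIME_TAG], str):
            return datetime.datetime.fromisoformat(obj[DATETIME_TAG])
        return obj
    return json.loads(string, object_hook=decode)


class RestrictedUnpickler(pickle.Unpickler):
    """Refuse every global lookup, so a pickle can only carry plain data
    (dict, list, str, numbers, ...); any reference to a module, class or
    function is rejected before it is resolved."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError("global %s.%s is forbidden" % (module, name))


def restricted_loads(blob):
    return RestrictedUnpickler(io.BytesIO(blob)).load()


def is_rejected(blob):
    """True if the restricted unpickler refuses the pickle bytes."""
    try:
        restricted_loads(blob)
    except pickle.UnpicklingError:
        return True
    return False


def demo():
    """Round-trip the post's kind of data and check the restricted unpickler."""
    # Constructed sample, shaped like the post's my_data dict.
    my_data = {"last-modified": datetime.datetime(2020, 12, 12, 0, 23, 29, 986499),
               "friends": ["alice", "bob"]}
    round_trip_ok = convert_string_to_data(convert_data_to_string(my_data)) == my_data
    plain_ok = restricted_loads(pickle.dumps({"friends": ["alice", "bob"]})) == {"friends": ["alice", "bob"]}
    # A pickle that merely references a callable (here the harmless builtin len)
    # is refused at find_class, before anything could be called.
    callable_rejected = is_rejected(pickle.dumps(len))
    return round_trip_ok, plain_ok, callable_rejected


if __name__ == "__main__":
    print(convert_data_to_string({"friends": ["alice", "bob"]}))
    print(demo())   # (True, True, True)
```

Note that the restricted unpickler also rejects pickles of legitimate objects such as datetime instances, because they are reconstructed through a global reference; that is the point of the allow-nothing policy, and it is why the JSON converters, which carry the timestamp as a tagged string, are the better default.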
