Document the vulnerabilities (#10)

Author: ursachec

README.md

@@ -25,3 +25,33 @@ pip install -r requirements.txt
 FLASK_APP=run.py flask run
 ```
 
+### Vulnerabilities
+
+This project contains the following vulnerabilities:
+
+- Remote Code Execution
+- SQL injection
+- XSS
+- Insecure Deserialization
+- Directory Traversal
+- Open Redirect
+- Sensitive Data Exposure
+- Broken Access Control
+- Security Misconfiguration
+
+You can find each one in the codebase by grepping for the string
+`vulnerability`:
+
+```
+$ grep vulnerability . -R -n | grep -v README
+./flask_webgoat/actions.py:43: # vulnerability: Remote Code Execution
+./flask_webgoat/users.py:37: # vulnerability: SQL Injection
+./flask_webgoat/auth.py:17: # vulnerability: SQL Injection
+./flask_webgoat/ui.py:14: # vulnerability: XSS
+./flask_webgoat/actions.py:60: # vulnerability: Insecure Deserialization
+./flask_webgoat/actions.py:35: # vulnerability: Directory Traversal
+./flask_webgoat/auth.py:45: # vulnerability: Open Redirect
+./flask_webgoat/__init__.py:12: # vulnerability: Sensitive Data Exposure
+./run.py:7: # vulnerability: Broken Access Control
+./run.py:9: # vulnerability: Security Misconfiguration
+```

flask_webgoat/__init__.py

@@ -9,6 +9,7 @@
 
 def query_db(query, args=(), one=False, commit=False):
  with sqlite3.connect(DB_FILENAME) as conn:
+ # vulnerability: Sensitive Data Exposure
  conn.set_trace_callback(print)
  cur = conn.cursor().execute(query, args)
  if commit:

flask_webgoat/actions.py

@@ -32,13 +32,15 @@ def log_entry():
  filename = filename_param + ".txt"
  path = Path(user_dir + "/" + filename)
  with path.open("w", encoding="utf-8") as open_file:
+ # vulnerability: Directory Traversal
  open_file.write(text_param)
  return jsonify({"success": True})
 
 
 @bp.route("/grep_processes")
 def grep_processes():
  name = request.args.get("name")
+ # vulnerability: Remote Code Execution
  res = subprocess.run(
  ["ps aux | grep " + name + " | awk '{print $11}'"],
  shell=True,
@@ -55,5 +57,6 @@ def grep_processes():
 def deserialized_descr():
  pickled = request.form.get('pickled')
  data = base64.urlsafe_b64decode(pickled)
+ # vulnerability: Insecure Deserialization
  deserialized = pickle.loads(data)
  return jsonify({"success": True, "description": str(deserialized)})

flask_webgoat/auth.py

@@ -14,6 +14,7 @@ def login():
  400,
  )
 
+ # vulnerability: SQL Injection
  query = (
  "SELECT id, username, access_level FROM user WHERE username = '%s' AND password = '%s'"
  % (username, password)
@@ -41,6 +42,7 @@ def login_and_redirect():
  query = "SELECT id, username, access_level FROM user WHERE username = ? AND password = ?"
  result = query_db(query, (username, password), True)
  if result is None:
+ # vulnerability: Open Redirect
  return redirect(url)
  session["user_info"] = (result[0], result[1], result[2])
  return jsonify({"success": True})

flask_webgoat/ui.py

@@ -11,6 +11,7 @@ def search():
  query_param = request.args.get("query")
  if query_param is None:
  message = "please provide the query parameter"
+ # vulnerability: XSS
  return render_template("error.html", message=message)
 
  try:

flask_webgoat/users.py

@@ -34,6 +34,7 @@ def create_user():
  402,
  )
 
+ # vulnerability: SQL Injection
  query = (
  "INSERT INTO user (username, password, access_level) VALUES ('%s', '%s', %d)"
  % (username, password, int(access_level))

run.py

@@ -4,7 +4,9 @@
 
 @app.after_request
 def add_csp_headers(response):
+ # vulnerability: Broken Access Control
  response.headers['Access-Control-Allow-Origin'] = '*'
+ # vulnerability: Security Misconfiguration
  response.headers['Content-Security-Policy'] = "script-src 'self' 'unsafe-inline'"
  return response