CSRF-Samesite challenge and write-up (#45)

* SQL blind implemented

* JWT-null implemented

* JWT-Null Git Book

* Sync

* Sync

* Fix summary

* Fix summary

* SQL-Like, JWT fix

* SQL-Like md fix

* SQLi Blind + other fixes

* SQL-blind fix

* Formula Injection

* Formula Injection

* sync

* CSRF-Samesite challenge and write-up

* CSRF-SameSite write-up fix

CSRF-SameSite/CSRF-Samesite.py

@@ -0,0 +1,88 @@
+from models.sqlimodel import *
+from flask import Flask, request, url_for, render_template, redirect, make_response, request, session
+
+
+app = Flask(__name__, static_url_path='/static', static_folder='static')
+
+app.config['DEBUG'] = True
+
+app.config.update(dict(
+    SECRET_KEY= "woopie",
+    SESSION_COOKIE_HTTPONLY = True
+))
+# Load default config and override config from an environment variable
+# You can also replace password with static password:  PASSWORD='pass!@#example'
+
+
+
+@app.route("/")
+def start():
+    return render_template("index.html")
+
+@app.route("/login_insecure", methods=['GET', 'POST'])
+def login_insecure():
+    sqli  = Classes()
+    values = sqli.getUser(request.form['username'])
+    if values:
+        if values[0][2] == request.form['password']:
+            session['userId'] = values[0][0]
+            session['loggedin'] = True
+            pref = sqli.getColor(values[0][0])
+            color = pref[0][0]
+            return render_template("loggedin.html", color = color)
+    return render_template("index.html")
+
+@app.route("/login_strict", methods=['GET', 'POST'])
+def login_strict():
+    app.config.update(dict(
+    SESSION_COOKIE_SAMESITE = 'Strict'
+))
+    sqli  = Classes()
+    values = sqli.getUser(request.form['username'])
+    if values:
+        if values[0][2] == request.form['password']:
+            session['userId'] = values[0][0]
+            session['loggedin'] = True
+            pref = sqli.getColor(values[0][0])
+            color = pref[0][0]
+            return render_template("loggedin.html", color = color)
+    return render_template("index.html")
+
+@app.route("/login_lax", methods=['GET', 'POST'])
+def login_lax():
+    app.config.update(dict(
+    SESSION_COOKIE_SAMESITE = 'Lax'
+))
+    sqli  = Classes()
+    values = sqli.getUser(request.form['username'])
+    if values:
+        if values[0][2] == request.form['password']:
+            session['userId'] = values[0][0]
+            session['loggedin'] = True
+            pref = sqli.getColor(values[0][0])
+            color = pref[0][0]
+            return render_template("loggedin.html", color = color)
+    return render_template("index.html")
+
+@app.route("/update", methods=['POST', 'GET'])
+def update():
+    if not session.get('loggedin'):
+        return render_template('index.html')
+    sqli  = Classes()
+
+    if request.method == "POST":
+        sqli.updateColor(request.form['color'], session.get('userId'))
+
+    if request.method == "GET" and (request.args.get('color') is not None):
+             sqli.updateColor(request.args['color'], session.get('userId'))
+
+    pref = sqli.getColor(session.get('userId'))
+    color = pref[0][0]
+    return render_template("loggedin.html", color = color)
+
+@app.errorhandler(404)
+def page_not_found(e):
+    return render_template("404.html")
+
+if __name__ == "__main__":
+    app.run(host='0.0.0.0')

CSRF-SameSite/Docker/Dockerfile

@@ -0,0 +1,12 @@
+FROM alpine:3.7
+MAINTAINER Glenn ten Cate <glenn.ten.cate@owasp.org>
+RUN apk update --no-cache && apk add python3 \
+python3-dev \
+py3-pip \ 
+git \
+bash
+
+RUN git clone https://github.com/blabla1337/skf-labs.git
+WORKDIR /skf-labs/CSRF-Samesite
+RUN pip3 install -r requirements.txt
+CMD [ "python3", "./CSRF-Samesite.py" ]

CSRF-SameSite/__main__.py

@@ -0,0 +1,3 @@
+#!/usr/bin/python
+
+from core import *

CSRF-SameSite/config/initializer.py

@@ -0,0 +1,23 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+import sqlite3 as lite
+import sys
+
+con = lite.connect('Database.db')
+
+with con:
+
+    cur = con.cursor()
+
+    #Create data for the user table
+    cur.execute("CREATE TABLE users(UserId INT, UserName TEXT, Password TEXT)")
+    cur.execute("INSERT INTO users VALUES(1,'admin','admin')")
+
+
+    #Create some data for pageinformation
+    cur.execute("CREATE TABLE prefs(PreferenceId INT, Color TEXT, UserId)")
+    cur.execute("INSERT INTO prefs VALUES(1,'RED', 1)")
+
+    con.commit()
+    #con.close()

CSRF-SameSite/config/sqlite.py

@@ -0,0 +1,6 @@
+import sqlite3
+
+def database_con():
+    with sqlite3.connect("Database.db") as con:
+        cur = con.cursor()
+    return con

CSRF-SameSite/evil_server.py

@@ -0,0 +1,16 @@
+from flask import Flask, request, url_for, render_template, redirect, make_response
+import requests
+
+
+app = Flask(__name__, static_url_path='/static', static_folder='static')
+
+app.config['DEBUG'] = True
+
+@app.route("/")
+def start():
+    return render_template("evil.html")
+
+if __name__ == "__main__":
+    app.run(host='0.0.0.0', port=1337)
+
+

CSRF-SameSite/models/sqlimodel.py

@@ -0,0 +1,23 @@
+from config.sqlite import * 
+
+class Classes:
+
+    def getUser(self, username):
+	    db = database_con()
+	    cur = db.execute('SELECT UserId, Username, Password FROM users WHERE Username= ?',
+	    [username])
+	    return cur.fetchall()
+
+    def getColor(self, userId):
+	    db = database_con()
+	    cur = db.execute('SELECT Color FROM prefs WHERE UserId=?',
+	    [userId])
+	    return cur.fetchall()
+
+    def updateColor(self, color, userId):
+	    db = database_con()
+	    cur = db.execute('UPDATE prefs SET Color=? WHERE UserId=?',
+	    [color, userId])
+	    db.commit()
+	    return cur.fetchall()
+

CSRF-SameSite/requirements.txt

@@ -0,0 +1,4 @@
+Flask==1.0.0
+flask-cors==3.0.7
+requests==2.19.1
+Werkzeug==0.14.1