Created with Django 1.8
All Python code tested with Python 2.7.6
Project name: vulnerable
App name: delta3
## Setup

- Modify `settings.py` to include the app `secure_app`
- Modify `settings.py` to add the middleware `secure_app.middlewares.Repair`
- `ln -s ../django-auto-repair/secure_app/ ./`
- `python manage.py syncdb`
- Run `pip install -r requirements.txt`
- Clone this repo to a separate directory and start it on port 8888: `python manage.py runserver 127.0.0.1:8888`
- Start the main server, which defaults to port 8000: `python manage.py runserver`
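The two `settings.py` changes above, written out as an added example (this is not the project's own settings file). The Django 1.8 default app and middleware lists are assumed, and placing `Repair` last in the middleware list is an assumption, not something the project requires:

```python
# settings.py fragment. Added example, not the project's own file: the Django 1.8
# default app and middleware lists are assumed, and the position of Repair at the
# end of the middleware list is an assumption rather than a project requirement.
INSTALLED_APPS = (
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'delta3',        # the demo app
    'secure_app',    # the repair app linked in with the ln -s step above
)

# Django 1.8 reads MIDDLEWARE_CLASSES; the MIDDLEWARE setting only arrived in 1.10.
MIDDLEWARE_CLASSES = (
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.auth.middleware.SessionAuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'django.middleware.security.SecurityMiddleware',
    'secure_app.middlewares.Repair',   # sees every request before the view runs
)
```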
## Testing

`/admin`: username `delta3`, password `admin`

##### SQL injections for search page:

- `" OR 1=1;--`
- `" UNION ALL SELECT age, username, password FROM delta3_user;--`

##### XSS for comments page:

- any case variation of the script tag other than all lowercase (e.g., `<scRipt>...</scRipt>`)
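Why the mixed-case variant matters, as an added example (not code from this project; written for Python 3, whereas the project targets 2.7). A case-sensitive blacklist like `naive_block` is the kind of check `<scRipt>` slips past; the case-insensitive version is the repaired tripwire, and `render_comment` shows the actual fix for the comments page, escaping on output so no case variant can open a tag. The sample comments are constructed:

```python
import html
import re

# Constructed sample comments: benign text plus the case variants the test plan uses.
SAMPLE_COMMENTS = [
    "Nice app!",
    "<script>alert(1)</script>",
    "<scRipt>alert(1)</scRipt>",
    "<SCRIPT src=x></SCRIPT>",
]

def naive_block(comment):
    """Case-sensitive blacklist: catches <script> but lets <scRipt> through,
    which is exactly the variation the test plan relies on."""
    return "<script" in comment

def case_insensitive_block(comment):
    """Same tripwire with the case bug fixed. Still only detection: a blacklist
    is good for tagging a request as bad, not as the sole defence."""
    return re.search(r"<\s*script\b", comment, re.IGNORECASE) is not None

def render_comment(comment):
    """The real fix for the comments page: escape on output. Once '<' becomes
    '&lt;' the browser cannot open a tag, whatever case the attacker used.
    (Django templates do this automatically unless autoescape is off or the
    value is marked safe.)"""
    return html.escape(comment, quote=True)

def triage(comments=SAMPLE_COMMENTS):
    """Return (comment, naive verdict, fixed verdict, rendered text) per sample."""
    return [(c, naive_block(c), case_insensitive_block(c), render_comment(c))
            for c in comments]

if __name__ == "__main__":
    for row in triage():
        print(row)
```

Running it shows the naive check flagging only the all-lowercase tag, the fixed check flagging all three script variants, and the rendered column containing no `<` or `>` at all.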
## Running Demo

### Register (parse exception). Do not use numbers in first, last,

- Start off by creating 3 'good' users with ages 20-30 in a Firefox private (incognito) window
- Go to the database and show everyone it has the user data
- Move to Chrome incognito and act as the bad guy: enter a 2-digit number followed by a letter as the age
- This should crash!
- Show the database and explain that the input was tagged as bad
- Show the filter, which should allow only 2 digits (possibly)
- Go back to the malicious user and enter 2 characters for the age
- Crash; show the request table, show the filter, and explain that the filter changed to be more generic
- Go back to the malicious user, enter 2 characters for the age, and show that the bad input was blocked
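The filter behaviour this demo walks through (learn a shape from trusted inputs, tag anything that does not fit, widen the shape when a trusted input disagrees with it) as an added example. This is not the project's `Repair` middleware and does not claim to reproduce its algorithm; it is a stand-alone illustration of the idea, with `LearnedFilter`, `tokenize` and the character classes all being this example's own choices:

```python
import re

def char_class(ch):
    """Map one character to the coarse class the filter reasons in."""
    if ch.isdigit():
        return r"\d"
    if ch.isalpha():
        return r"[A-Za-z]"
    if ch.isspace():
        return r"\s"
    return re.escape(ch)   # punctuation stays literal, so '"' or ';' never generalise

def tokenize(value):
    """Collapse a value into runs of (class, length): '20' -> [('\\d', 2)]."""
    runs = []
    for ch in value:
        cls = char_class(ch)
        if runs and runs[-1][0] == cls:
            runs[-1] = (cls, runs[-1][1] + 1)
        else:
            runs.append((cls, 1))
    return runs

class LearnedFilter(object):
    """Whitelist pattern for one form field, induced from values seen on trusted requests."""

    def __init__(self):
        self.runs = None        # [[class, min_len, max_len], ...] while samples share a shape
        self.classes = set()    # every class ever seen, used once shapes disagree
        self.generic = False

    def learn(self, value):
        """Widen the pattern just enough to admit another trusted value."""
        new = tokenize(value)
        self.classes.update(cls for cls, _ in new)
        if self.runs is None:
            self.runs = [[cls, n, n] for cls, n in new]
        elif [cls for cls, _ in new] == [r[0] for r in self.runs]:
            for r, (_, n) in zip(self.runs, new):   # same shape: only the widths move
                r[1], r[2] = min(r[1], n), max(r[2], n)
        else:
            self.generic = True   # different shape: fall back to "any mix of seen classes"

    def pattern(self):
        """Regular expression the field currently accepts, or None before any sample."""
        if self.runs is None:
            return None
        if self.generic:
            return "^(?:" + "|".join(sorted(self.classes)) + ")+$"
        parts = []
        for cls, lo, hi in self.runs:
            parts.append(cls + ("{%d}" % lo if lo == hi else "{%d,%d}" % (lo, hi)))
        return "^" + "".join(parts) + "$"

    def matches(self, value):
        """True if the value fits what trusted users have sent; False means tag it as bad."""
        pat = self.pattern()
        return pat is not None and re.match(pat, value) is not None

if __name__ == "__main__":
    age = LearnedFilter()
    for good in ("20", "25", "30"):          # the three 'good' users
        age.learn(good)
    print(age.pattern(), age.matches("20a"))   # two digits then a letter is tagged bad
    age.learn("5")                              # a trusted one-digit age widens the filter
    print(age.pattern(), age.matches("5"), age.matches("20a"))
```

After the three good registrations the age filter is `^\d{2}$`, so `20a` is rejected; a trusted one-digit value widens it to `^\d{1,2}$` without ever admitting the letter, and a field whose trusted values change shape entirely drops to an alternation of the classes seen, which still excludes `<`, `"` and `;`.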
### Search (SQL injection)

- Clear the database
- Execute the SQL injection, showing that it works: `" UNION ALL SELECT age, username, password FROM delta3_user;--`
- Now say "But with our system"
- Clear the database
- With Firefox (good guy), search for at least 3 things
- With Chrome (bad guy), enter
- Show the request database; it is tagged as bad
- Show the filter that it generated
- Now do `" UNION ALL SELECT age, username, password FROM delta3_user;--`
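What the two search-page payloads from the Testing section and this demo actually do to a string-built query, and why a bound parameter stops them, as an added example (not the project's search view; written for Python 3). The `delta3_user` table and its rows are constructed here, and because SQLite treats double quotes as identifiers the example's query is single-quoted, so the payloads appear with `'` where the page has `"`:

```python
import sqlite3

def make_db():
    """Constructed in-memory stand-in for the demo's delta3_user table (not the project's schema)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE delta3_user "
               "(username TEXT, password TEXT, first_name TEXT, last_name TEXT, age INTEGER)")
    db.executemany("INSERT INTO delta3_user VALUES (?, ?, ?, ?, ?)", [
        ("alice",  "pbkdf2$constructed_hash_a",     "Alice", "Anders", 24),
        ("bob",    "pbkdf2$constructed_hash_b",     "Bob",   "Baker",  27),
        ("delta3", "pbkdf2$constructed_hash_admin", "Delta", "Three",  30),
    ])
    return db

def search_vulnerable(db, term):
    """The search page's flaw: the term is pasted into the SQL text, so a quote
    ends the literal and the rest of the term is parsed as SQL."""
    sql = "SELECT first_name, last_name, age FROM delta3_user WHERE first_name LIKE '%s'" % term
    return db.execute(sql).fetchall()

def search_safe(db, term):
    """Same query with the term bound as a parameter: it is only ever data."""
    sql = "SELECT first_name, last_name, age FROM delta3_user WHERE first_name LIKE ?"
    return db.execute(sql, (term,)).fetchall()

# The page's two payloads in single-quoted form (see the lead-in).
TAUTOLOGY = "' OR 1=1;--"
UNION     = "' UNION ALL SELECT age, username, password FROM delta3_user;--"

if __name__ == "__main__":
    db = make_db()
    print(search_vulnerable(db, "Alice"))       # one row, as intended
    print(search_vulnerable(db, TAUTOLOGY))     # every row: WHERE clause became '' OR 1=1
    print(search_vulnerable(db, UNION))         # (age, username, password) for every user
    print(search_safe(db, TAUTOLOGY))           # [] : nobody's first name is that string
    print(search_safe(db, UNION))               # [] : same
```

The UNION payload works because the injected SELECT lists three columns, matching the three the search page already returns, which is why the demo shows usernames and password hashes in the search results. The Django ORM's `filter()` and `raw()` with params bind values the same way `search_safe` does.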