In [1]:
!pip install flask_sqlalchemy

Collecting flask_sqlalchemy
  Downloading flask_sqlalchemy-3.1.1-py3-none-any.whl.metadata (3.4 kB)
Collecting flask>=2.2.5 (from flask_sqlalchemy)
  Downloading flask-3.1.0-py3-none-any.whl.metadata (2.7 kB)
Collecting Werkzeug>=3.1 (from flask>=2.2.5->flask_sqlalchemy)
  Downloading werkzeug-3.1.3-py3-none-any.whl.metadata (3.7 kB)
Collecting Jinja2>=3.1.2 (from flask>=2.2.5->flask_sqlalchemy)
  Using cached jinja2-3.1.4-py3-none-any.whl.metadata (2.6 kB)
Collecting itsdangerous>=2.2 (from flask>=2.2.5->flask_sqlalchemy)
  Downloading itsdangerous-2.2.0-py3-none-any.whl.metadata (1.9 kB)
Collecting blinker>=1.9 (from flask>=2.2.5->flask_sqlalchemy)
  Downloading blinker-1.9.0-py3-none-any.whl.metadata (1.6 kB)
Collecting MarkupSafe>=2.0 (from Jinja2>=3.1.2->flask>=2.2.5->flask_sqlalchemy)
  Downloading MarkupSafe-3.0.2-cp312-cp312-manylinux_2_17_x86_64.manylinux2014_x86_64.whl.metadata (4.0 kB)
Downloading flask_sqlalchemy-3.1.1-py3-none-any.whl (25 kB)
Downloading flask-3.1.0-py3-no

In [2]:
from flask import Flask, request, jsonify
from flask_sqlalchemy import SQLAlchemy
import threading

app = Flask(__name__)
app.config['SQLALCHEMY_DATABASE_URI'] = 'sqlite:///users.db'
app.config['SQLALCHEMY_TRACK_MODIFICATIONS'] = False
db = SQLAlchemy(app)

class User(db.Model):
    id = db.Column(db.Integer, primary_key=True)
    username = db.Column(db.String(80), unique=True, nullable=False)
    password = db.Column(db.String(120), nullable=False)

with app.app_context():
  db.create_all()

@app.route('/')
def home():
    return "Welcome to the Security Testing Demo!"

@app.route('/users', methods=['GET'])
def get_users():
    users = User.query.all()
    return jsonify([{"id": user.id, "username": user.username, "password": user.password} for user in users])

@app.route('/user/<int:id>', methods=['GET'])
def get_user(id):
    user = User.query.get(id)
    if user:
        return jsonify({"id": user.id, "username": user.username, "password": user.password})
    return jsonify({"message": "User not found"}), 404

@app.route('/user', methods=['POST'])
def add_user():
    data = request.get_json()
    new_user = User(username=data['username'], password=data['password'])
    db.session.add(new_user)
    db.session.commit()
    return jsonify({"message": "User added successfully"}), 201

@app.route('/user/<int:id>', methods=['PUT'])
def update_user(id):
    data = request.get_json()
    user = User.query.get(id)
    if user:
        user.username = data['username']
        user.password = data['password']
        db.session.commit()
        return jsonify({"message": "User updated successfully"})
    return jsonify({"message": "User not found"}), 404

@app.route('/user/<int:id>', methods=['DELETE'])
def delete_user(id):
    user = User.query.get(id)
    if user:
        db.session.delete(user)
        db.session.commit()
        return jsonify({"message": "User deleted successfully"})
    return jsonify({"message": "User not found"}), 404


threading.Thread(target=app.run, kwargs={'host':'0.0.0.0','port':5000}).start()


 * Serving Flask app '__main__'
 * Debug mode: off


 * Running on all addresses (0.0.0.0)
 * Running on http://127.0.0.1:5000
 * Running on http://172.25.199.95:5000
[33mPress CTRL+C to quit[0m
127.0.0.1 - - [10/Dec/2024 21:38:04] "GET / HTTP/1.1" 200 -
127.0.0.1 - - [10/Dec/2024 21:38:04] "[33mGET /favicon.ico HTTP/1.1[0m" 404 -
127.0.0.1 - - [10/Dec/2024 21:38:32] "GET /users HTTP/1.1" 200 -
  user = User.query.get(id)
127.0.0.1 - - [10/Dec/2024 21:38:35] "[33mGET /user/1 HTTP/1.1[0m" 404 -
127.0.0.1 - - [10/Dec/2024 21:38:45] "[35m[1mPOST /user HTTP/1.1[0m" 201 -
  user = User.query.get(id)
127.0.0.1 - - [10/Dec/2024 21:39:11] "PUT /user/1 HTTP/1.1" 200 -
  user = User.query.get(id)
127.0.0.1 - - [10/Dec/2024 21:39:23] "DELETE /user/1 HTTP/1.1" 200 -
127.0.0.1 - - [10/Dec/2024 21:40:30] "GET /users HTTP/1.1" 200 -
127.0.0.1 - - [10/Dec/2024 21:42:26] "GET /users HTTP/1.1" 200 -
127.0.0.1 - - [10/Dec/2024 21:42:26] "[35m[1mPOST /user HTTP/1.1[0m" 201 -
127.0.0.1 - - [10/Dec/2024 21:42:26] "GET /users HTTP/1.1" 200 -
127.0.

In [11]:
!curl -X GET http://127.0.0.1:5000/users

[]


In [5]:
!curl -X GET http://localhost:5000/user/1

{"message":"User not found"}


In [6]:
!curl -X POST http://localhost:5000/user -H "Content-Type: application/json" -d '{"username":"testuser","password":"securepassword"}'


{"message":"User added successfully"}


In [7]:
!curl -X PUT http://localhost:5000/user/1 -H "Content-Type: application/json" -d '{"username":"testuser","password":"newsecurepassword"}'

{"message":"User updated successfully"}


In [8]:
!curl -X DELETE http://localhost:5000/user/1

{"message":"User deleted successfully"}


In [13]:
import unittest
import requests
import json

BASE_URL = "http://localhost:5000"

class FlaskAppTestCase(unittest.TestCase):

    def test_sql_injection(self):
        payload = {"username": "testuser'; DROP TABLE users; --", "password": "testpass"}
        response = requests.post(f"{BASE_URL}/user", json=payload)
        self.assertNotEqual(response.status_code, 201, "SQL Injection vulnerability detected")

    def test_xss(self):
        payload = {"username": "<script>alert('XSS');</script>", "password": "testpass"}
        response = requests.post(f"{BASE_URL}/user", json=payload)
        self.assertNotIn("<script>", response.text, "XSS vulnerability detected")

    def test_insecure_password_storage(self):
        payload = {"username": "testuser", "password": "testpass"}
        response = requests.post(f"{BASE_URL}/user", json=payload)
        self.assertEqual(response.status_code, 201)
        user_id = response.json()["id"]
        response = requests.get(f"{BASE_URL}/user/{user_id}")
        self.assertNotIn("testpass", response.json()["password"], "Insecure password storage detected")

    def test_authentication(self):
        response = requests.get(f"{BASE_URL}/users")
        self.assertEqual(response.status_code, 401, "No authentication detected")

    def test_authorization(self):
        payload = {"username": "admin", "password": "adminpass"}
        response = requests.post(f"{BASE_URL}/user", json=payload)
        user_id = response.json()["id"]
        payload = {"username": "normaluser", "password": "userpass"}
        response = requests.post(f"{BASE_URL}/user", json=payload)
        response = requests.put(f"{BASE_URL}/user/{user_id}", json={"username": "hacked", "password": "hackedpass"})
        self.assertEqual(response.status_code, 403, "No authorization detected")

    def test_insecure_direct_object_references(self):
        payload = {"username": "testuser1", "password": "testpass"}
        response = requests.post(f"{BASE_URL}/user", json=payload)
        user_id = response.json()["id"]
        response = requests.get(f"{BASE_URL}/user/{user_id}")
        self.assertNotEqual(response.status_code, 200, "Insecure direct object reference detected")

    def test_data_exposure(self):
        response = requests.get(f"{BASE_URL}/users")
        self.assertNotIn("password", response.json()[0], "Sensitive data exposure detected")
    
if __name__ == '__main__':
    test_suite = unittest.TestLoader().loadTestsFromTestCase(FlaskAppTestCase)
    unittest.TextTestRunner().run(test_suite)

FEFEEF.
ERROR: test_authorization (__main__.FlaskAppTestCase.test_authorization)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/ipykernel_20048/1188377124.py", line 34, in test_authorization
    user_id = response.json()["id"]
              ~~~~~~~~~~~~~~~^^^^^^
KeyError: 'id'

ERROR: test_insecure_direct_object_references (__main__.FlaskAppTestCase.test_insecure_direct_object_references)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/ipykernel_20048/1188377124.py", line 43, in test_insecure_direct_object_references
    user_id = response.json()["id"]
              ~~~~~~~~~~~~~~~^^^^^^
KeyError: 'id'

ERROR: test_insecure_password_storage (__main__.FlaskAppTestCase.test_insecure_password_storage)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/tmp/ipykernel_20048/1188377124.py"