diff --git a/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go b/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go
index 9c1346fa4..a6e2e4c21 100644
--- a/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go
+++ b/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go
@@ -46,8 +46,8 @@ func AuthenticateUser(user string, pass string) (bool, error) {
}
defer dbConn.Close()
- query := fmt.Sprint("select * from Users where username = '" + user + "'")
- rows, err := dbConn.Query(query)
+ query := ("SELECT * FROM Users WHERE username = ?")
+ rows, err := dbConn.Query(query, user)
if err != nil {
return false, err
}
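Review bot: The parentheses around the string literal on the new `query :=` line serve no purpose — Go needs no grouping for a bare literal and `gofmt` will not remove them — so write `query := "SELECT * FROM Users WHERE username = ?"`. Binding `user` as a parameter is the right fix for the injection; the `rows` returned by `Query` is consumed and presumably closed further down, outside this hunk, so that cannot be confirmed here. `AuthenticateUser`'s body continues past the hunk.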
@@ -88,12 +88,12 @@ func NewUser(user string, pass string, passcheck string) (bool, error) {
}
defer dbConn.Close()
- query := fmt.Sprint("insert into Users (username, password) values ('" + user + "', '" + passHash + "')")
- rows, err := dbConn.Query(query)
+ query := ("INSERT INTO Users (username, password) VALUES (?, ?)")
+ rows, err := dbConn.Exec(query, user, passHash)
if err != nil {
return false, err
}
- defer rows.Close()
+
fmt.Println("User created: ", user)
return true, nil //user created
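Review bot: `rows` is assigned from `Exec` on the new line but, with the `defer rows.Close()` removed, is never read afterwards, so the function no longer compiles (`rows declared and not used`); `sql.Result` has no `Close` method anyway, so the name is also misleading. Discard the result: `_, err = dbConn.Exec(query, user, passHash)` — `=` rather than `:=` assuming `err` was already declared by the `OpenDBConnection` call above the hunk, which is the pattern `InitDatabase` uses. The added empty `+` line after the `if` block is stray whitespace. `NewUser` starts before this hunk.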
@@ -108,8 +108,8 @@ func CheckIfUserExists(username string) (bool, error) {
}
defer dbConn.Close()
- query := fmt.Sprint("select username from Users where username = '" + username + "'")
- rows, err := dbConn.Query(query)
+ query := ("SELECT username FROM Users WHERE username = ?")
+ rows, err := dbConn.Query(query, username)
if err != nil {
return false, err
}
@@ -126,16 +126,16 @@ func InitDatabase() error {
dbConn, err := OpenDBConnection()
if err != nil {
- errOpenDBConnection := fmt.Sprintf("OpenDBConnection error: %s", err)
+ errOpenDBConnection := ("OpenDBConnection error: %s" + err)
return errors.New(errOpenDBConnection)
}
defer dbConn.Close()
- queryCreate := fmt.Sprint("CREATE TABLE Users (ID int NOT NULL AUTO_INCREMENT, Username varchar(20), Password varchar(80), PRIMARY KEY (ID))")
+ queryCreate := ("CREATE TABLE Users (ID int NOT NULL AUTO_INCREMENT, Username varchar(20), Password varchar(80), PRIMARY KEY (ID))")
_, err = dbConn.Exec(queryCreate)
if err != nil {
- errInitDB := fmt.Sprintf("InitDatabase error: %s", err)
+ errInitDB := ("InitDatabase error: %s" + err)
return errors.New(errInitDB)
}
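Review bot: The two new error lines `("OpenDBConnection error: %s" + err)` and `("InitDatabase error: %s" + err)` do not compile — `err` is an `error`, not a `string`, and the `%s` verb is left behind in what is no longer a format string. `fmt` is still imported in this file (the `fmt.Println` in `NewUser`), so the idiomatic replacement is `return fmt.Errorf("OpenDBConnection error: %w", err)` and `return fmt.Errorf("InitDatabase error: %w", err)`, which also keeps the cause reachable through `errors.Is`/`errors.As`. Removing `fmt.Sprint` from the constant `queryCreate` line is harmless, though the grouping parentheses it left behind serve no purpose.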
diff --git a/owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt b/owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt
new file mode 100644
index 000000000..5c5928989
--- /dev/null
+++ b/owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt
@@ -0,0 +1,10 @@
+
+POST /login HTTP/1.1
+Host: 127.0.0.1:10001
+User-Agent: curl/7.54.0
+Accept: */*
+Content-Type: application/json
+Content-Lenght: 31
+
+{"user":"-1' UNION SELECT 1,2,sleep(5) -- ", "pass":"password"}
+
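Review bot: The header on the `Content-Lenght: 31` line is misspelled, so a server or proxy will ignore it and frame the request however the client actually sends it, and 31 does not match the body shown — the JSON line alone is well over 31 bytes. If this file is meant as a reproducible proof of the time-based injection (`sleep(5)`) against the pre-fix `AuthenticateUser`, say so in a leading comment line such as `# Exploit request for the vulnerable (string-concatenated) login query; the fixed query binds user as a parameter`, and fix the header to `Content-Length` with the real byte count; otherwise it reads as an accidentally committed capture and should be dropped.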
diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py b/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py
index 154dcea07..e504c2db5 100644
--- a/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py
+++ b/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py
@@ -2,6 +2,7 @@
# -*- coding: utf-8 -*-
import MySQLdb
+import bleach
class DataBase:
@@ -143,6 +144,10 @@ def get_comments(self, id):
return comments, 1
def post_comment(self, author, comment, gossip_id, date):
+ allowed_tags = ['b', 'i', 'u', 'em', 'strong', 'a']
+ allowed_attrs = {'a': ['href', 'title']}
+
+ clean_comment = {bleach.clean(comment, tags=allowed_tags, attributes=allowed_attrs)}
try:
self.c.execute(
'INSERT INTO comments (author, comment, gossip_id, date) VALUES (%s, %s, %s, %s);',
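Review bot: `clean_comment` on the new line is wrapped in braces, which makes it a one-element `set`, and it is not referenced by the `execute` call that follows, so the sanitised text is discarded and the raw `comment` appears to be what gets stored (the parameter tuple is outside the hunk, so confirm). Drop the braces and pass it through: `clean_comment = bleach.clean(comment, tags=allowed_tags, attributes=allowed_attrs)` and use `clean_comment` in place of `comment` in the INSERT parameters. The route handler already cleans the comment with the same lists before calling this method, so pick one layer — double cleaning is harmless, but the duplicated `allowed_tags`/`allowed_attrs` lists will drift apart. `post_comment`'s body continues past the hunk.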
diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt b/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt
index 6783a729f..1ce51c940 100644
--- a/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt
+++ b/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt
@@ -10,3 +10,4 @@ mysqlclient==1.3.13
six==1.11.0
visitor==0.1.3
Werkzeug==0.14.1
+bleach==5.0.1
\ No newline at end of file
diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/routes.py b/owasp-top10-2021-apps/a3/gossip-world/app/routes.py
index 98f9d7cad..bf3e71873 100644
--- a/owasp-top10-2021-apps/a3/gossip-world/app/routes.py
+++ b/owasp-top10-2021-apps/a3/gossip-world/app/routes.py
@@ -7,6 +7,7 @@
import os
import uuid
import datetime
+import bleach
from flask import (
Flask,
@@ -32,6 +33,8 @@
app.config['MYSQL_PASSWORD'],
app.config['MYSQL_DB'])
+allowed_tags = ['b', 'i', 'u', 'em', 'strong', 'a']
+allowed_attrs = {'a':['href', 'title']}
def generate_csrf_token():
'''
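Review bot: The new `allowed_tags`/`allowed_attrs` module constants are an exact copy of the lists added to `model/db.py` in the same commit, and nothing ties the two together, so a later widening of one list will silently not apply to the other; define them once (the model module is the natural home) and import them here. A comment saying what they govern would also help a reader who does not know bleach: `# HTML tags/attributes kept in user-submitted gossip and comments; everything else is escaped by bleach.clean`. `href` is allowed on `a`, so bleach's default protocol allow-list (http, https, mailto) is what keeps `javascript:` URLs out — that default must not be overridden in the `clean` calls.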
@@ -163,7 +166,7 @@ def all_gossips():
@login_required
def gossip(id):
if request.method == 'POST':
- comment = request.form.get('comment')
+ comment = bleach.clean(request.form.get('comment'), tags=allowed_tags, attributes=allowed_attrs)
user = session.get('username')
date = datetime.datetime.now()
if comment == '':
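Review bot: `bleach.clean` on the new `comment =` line raises `TypeError` when the form has no `comment` field, because `request.form.get('comment')` returns `None` and bleach accepts only text; before this change the handler reached the `== ''` check with `None` instead of failing with a 500. Give the lookup a default so a missing field is treated like an empty one: `comment = bleach.clean(request.form.get('comment', ''), tags=allowed_tags, attributes=allowed_attrs)`. The rest of `gossip` is outside the hunk.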
@@ -198,9 +201,9 @@ def gossip(id):
@login_required
def newgossip():
if request.method == 'POST':
- text = request.form.get('text')
- subtitle = request.form.get('subtitle')
- title = request.form.get('title')
+ text = bleach.clean(request.form.get('text'), tags=allowed_tags, attributes=allowed_attrs)
+ subtitle = bleach.clean(request.form.get('subtitle'))
+ title = bleach.clean(request.form.get('title'))
author = session.get('username')
date = datetime.datetime.now()
if author is None or text is None or subtitle is None or title is None:
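Review bot: The three new `bleach.clean(request.form.get(...))` lines raise `TypeError` whenever a field is absent, because `form.get` returns `None` and bleach only accepts text, which makes the `text is None or subtitle is None or title is None` guard on the last line unreachable for those three values. Read the raw fields first, keep the existing `None` check, and sanitise only after it has passed, so the handler keeps returning its error response instead of a 500. The body of the `if` and the rest of `newgossip` are outside the hunk.

```python
        text = request.form.get('text')
        subtitle = request.form.get('subtitle')
        title = request.form.get('title')
        author = session.get('username')
        date = datetime.datetime.now()
        if author is None or text is None or subtitle is None or title is None:
            # … unchanged: error response …
        # Sanitise only once every field is known to be present (bleach rejects None).
        text = bleach.clean(text, tags=allowed_tags, attributes=allowed_attrs)
        subtitle = bleach.clean(subtitle)
        title = bleach.clean(title)
```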
diff --git a/owasp-top10-2021-apps/a3/mongection/src/db.js b/owasp-top10-2021-apps/a3/mongection/src/db.js
index b47b2a70f..ff0d1326a 100644
--- a/owasp-top10-2021-apps/a3/mongection/src/db.js
+++ b/owasp-top10-2021-apps/a3/mongection/src/db.js
@@ -4,15 +4,18 @@ const register = async (user) => {
try {
const { name, email, password } = user;
+ const sanitizedName = String(name);
+ const sanitizedEmail = String(email);
+ const sanitizedPassword = String(password);
- const existUser = await User.findOne({email: email});
+ const existUser = await User.findOne({email: sanitizedEmail});
if(existUser) { return null }
const newUser = new User({
- name: name,
- email: email,
- password: password
+ name: sanitizedName,
+ email: sanitizedEmail,
+ password: sanitizedPassword
});
await newUser.save();
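Review bot: `String()` on the three new `sanitized*` lines stops operator objects such as `{"$gt": ""}` from reaching `findOne`, but it also turns a missing field into the literal string `"undefined"` (and an object into `"[object Object]"`), which is then saved as the user's name, email or password. Reject non-string input rather than coercing it, before the `findOne`: `if (typeof name !== 'string' || typeof email !== 'string' || typeof password !== 'string') { throw new TypeError('name, email and password must be strings'); }`. Nothing in the hunk hashes `password` before `save`; if that holds for the rest of the file it is stored in clear, which is a separate issue from the injection fix. `register` starts before this hunk.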
@@ -29,18 +32,18 @@ const login = async (credentials) => {
try {
const { email, password } = credentials;
- const existsUser = await User.find({$and: [ { email: email}, { password: password} ]});
+ const existsUser = await User.find({$and: [ { email: sanitizedEmail}, { password: sanitizedPassword} ]});
if(!existsUser) { return null;}
const returnUser = existsUser.map((user) => {
- return user.email
+ return null;
})
return returnUser;
}
-
+
catch(error) { throw error; }
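Review bot: `sanitizedEmail` and `sanitizedPassword` on the new `User.find` line are never declared in `login` — they are locals of `register` — so every call throws a `ReferenceError`, which the `catch` simply rethrows. Declare them after the destructuring: `const sanitizedEmail = String(email); const sanitizedPassword = String(password);` (or, better, reject non-string input as suggested for `register`). The changed map body `return null;` turns `returnUser` into an array of `null`s, which is still truthy and so hard for a caller to tell apart from a successful login that returned emails; if the intent is to stop leaking the address, return a non-sensitive field or an explicit boolean instead. `find` resolves to an array, so the unchanged `!existsUser` check on the context line never fires for a wrong password — `existsUser.length === 0` is the condition that line needs. `login`'s `try` opens before the hunk.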
diff --git a/owasp-top10-2021-apps/a3/sstype/src/public/index.html b/owasp-top10-2021-apps/a3/sstype/src/public/index.html
index b15091780..ec26923cd 100644
--- a/owasp-top10-2021-apps/a3/sstype/src/public/index.html
+++ b/owasp-top10-2021-apps/a3/sstype/src/public/index.html
@@ -28,7 +28,7 @@
-