From 1c49e90593278b52b8d4b2c98e34f121ef01777b Mon Sep 17 00:00:00 2001
From: LorennaCunha
Date: Mon, 11 Nov 2024 15:17:28 -0300
Subject: [PATCH 1/2] Mitigated SQL Injection vulnerabilities by parameterizing queries.

---
 .../a3/copy-n-paste/app/util/db.go | 20 +++++++++----------
 .../a3/copy-n-paste/postRequest.txt | 10 ++++++++++
 2 files changed, 20 insertions(+), 10 deletions(-)
 create mode 100644 owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt

diff --git a/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go b/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go
index 9c1346fa4..a6e2e4c21 100644
--- a/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go
+++ b/owasp-top10-2021-apps/a3/copy-n-paste/app/util/db.go
@@ -46,8 +46,8 @@ func AuthenticateUser(user string, pass string) (bool, error) {
 }
 defer dbConn.Close()
- query := fmt.Sprint("select * from Users where username = '" + user + "'")
- rows, err := dbConn.Query(query)
+ query := ("SELECT * FROM Users WHERE username = ?")
+ rows, err := dbConn.Query(query, user)
 if err != nil {
 return false, err
 }
@@ -88,12 +88,12 @@ func NewUser(user string, pass string, passcheck string) (bool, error) {
 }
 defer dbConn.Close()
- query := fmt.Sprint("insert into Users (username, password) values ('" + user + "', '" + passHash + "')")
- rows, err := dbConn.Query(query)
+ query := ("INSERT INTO Users (username, password) VALUES (?, ?)")
+ rows, err := dbConn.Exec(query, user, passHash)
 if err != nil {
 return false, err
 }
- defer rows.Close()
+ fmt.Println("User created: ", user)
 return true, nil //user created
@@ -108,8 +108,8 @@ func CheckIfUserExists(username string) (bool, error) {
 }
 defer dbConn.Close()
- query := fmt.Sprint("select username from Users where username = '" + username + "'")
- rows, err := dbConn.Query(query)
+ query := ("SELECT username FROM Users WHERE username = ?")
+ rows, err := dbConn.Query(query, username)
 if err != nil {
 return false, err
 }
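Review bot: The parenthesised string literal in `query := ("SELECT * FROM Users WHERE username = ?")` is redundant now that fmt.Sprint is gone, and gofmt will not remove it for you; the same pattern appears in the NewUser, CheckIfUserExists and InitDatabase hunks. Plain `query := "SELECT * FROM Users WHERE username = ?"` reads as ordinary Go. The query itself is correctly parameterised, so the user value no longer becomes part of the SQL text. The remainder of AuthenticateUser, including where rows is closed, is outside the hunk.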
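Review bot: `rows, err := dbConn.Exec(query, user, passHash)` in NewUser no longer compiles: with `defer rows.Close()` removed, `rows` is declared and never used, and Exec returns a sql.Result rather than rows in any case. Discard the result explicitly, `_, err := dbConn.Exec(query, user, passHash)`, or fold it into the check, `if _, err := dbConn.Exec(query, user, passHash); err != nil {`. The new `fmt.Println("User created: ", user)` writes the raw, user-supplied name to stdout; if the log line is kept, prefer `fmt.Printf("User created: %q\n", user)` so an embedded newline or control character cannot produce a forged extra log line.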
@@ -126,16 +126,16 @@ func InitDatabase() error {
 dbConn, err := OpenDBConnection()
 if err != nil {
- errOpenDBConnection := fmt.Sprintf("OpenDBConnection error: %s", err)
+ errOpenDBConnection := ("OpenDBConnection error: %s" + err)
 return errors.New(errOpenDBConnection)
 }
 defer dbConn.Close()
- queryCreate := fmt.Sprint("CREATE TABLE Users (ID int NOT NULL AUTO_INCREMENT, Username varchar(20), Password varchar(80), PRIMARY KEY (ID))")
+ queryCreate := ("CREATE TABLE Users (ID int NOT NULL AUTO_INCREMENT, Username varchar(20), Password varchar(80), PRIMARY KEY (ID))")
 _, err = dbConn.Exec(queryCreate)
 if err != nil {
- errInitDB := fmt.Sprintf("InitDatabase error: %s", err)
+ errInitDB := ("InitDatabase error: %s" + err)
 return errors.New(errInitDB)
 }
diff --git a/owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt b/owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt
new file mode 100644
index 000000000..5c5928989
--- /dev/null
+++ b/owasp-top10-2021-apps/a3/copy-n-paste/postRequest.txt
@@ -0,0 +1,10 @@
+
+POST /login HTTP/1.1
+Host: 127.0.0.1:10001
+User-Agent: curl/7.54.0
+Accept: */*
+Content-Type: application/json
+Content-Lenght: 31
+
+{"user":"-1' UNION SELECT 1,2,sleep(5) -- ", "pass":"password"}
+

From d333733fb57492843d343a503d7a1373f53dc486 Mon Sep 17 00:00:00 2001
From: LorennaCunha
Date: Tue, 12 Nov 2024 16:15:34 -0300
Subject: [PATCH 2/2] XSS mitigation by sanitizing user inputs with bleach

---
 owasp-top10-2021-apps/a3/gossip-world/app/model/db.py | 5 +++++
 .../a3/gossip-world/app/requirements.txt | 1 +
 owasp-top10-2021-apps/a3/gossip-world/app/routes.py | 11 +++++++----
 3 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py b/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py
index 154dcea07..e504c2db5 100644
--- a/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py
+++ b/owasp-top10-2021-apps/a3/gossip-world/app/model/db.py
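Review bot: Both `errOpenDBConnection := ("OpenDBConnection error: %s" + err)` and `errInitDB := ("InitDatabase error: %s" + err)` in InitDatabase fail to compile: `err` is an `error`, not a string, so it cannot be concatenated with `+`, and the `%s` verb is left over from the removed Sprintf. Replacing fmt.Sprintf here was not needed for the injection fix, which only concerns the query text. Restore the formatting, preferably with wrapping so callers can use errors.Is/As: `return fmt.Errorf("OpenDBConnection error: %w", err)` and `return fmt.Errorf("InitDatabase error: %w", err)`, which also makes the two errors.New calls unnecessary. The CREATE TABLE line is behaviourally unchanged (its parentheses are again redundant), and the tail of the function is outside the hunk.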
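Review bot: postRequest.txt checks in a hand-written HTTP request whose `Content-Lenght: 31` header is misspelled and whose value does not match the JSON body that follows, so the file cannot be replayed as written, and the commit message does not say what it is for. If it is meant as a regression fixture for the now-parameterised login query, add a one-line description (a README entry or a comment in whatever test consumes it) and either correct the header, `Content-Length: <actual body length>` (placeholder), or keep only the JSON body and let the HTTP client compute the headers. Otherwise it looks like a stray artifact from manual testing and should be left out of the commit.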
@@ -2,6 +2,7 @@ # -*- coding: utf-8 -*- import MySQLdb +import bleach class DataBase: @@ -143,6 +144,10 @@ def get_comments(self, id): return comments, 1 def post_comment(self, author, comment, gossip_id, date): + allowed_tags = ['b', 'i', 'u', 'em', 'strong', 'a'] + allowed_attrs = {'a': ['href', 'title']} + + clean_comment = {bleach.clean(comment, tags=allowed_tags, attributes=allowed_attrs)} try: self.c.execute( 'INSERT INTO comments (author, comment, gossip_id, date) VALUES (%s, %s, %s, %s);', diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt b/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt index 6783a729f..1ce51c940 100644 --- a/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt +++ b/owasp-top10-2021-apps/a3/gossip-world/app/requirements.txt @@ -10,3 +10,4 @@ mysqlclient==1.3.13 six==1.11.0 visitor==0.1.3 Werkzeug==0.14.1 +bleach==5.0.1 \ No newline at end of file diff --git a/owasp-top10-2021-apps/a3/gossip-world/app/routes.py b/owasp-top10-2021-apps/a3/gossip-world/app/routes.py index 98f9d7cad..bf3e71873 100644 --- a/owasp-top10-2021-apps/a3/gossip-world/app/routes.py +++ b/owasp-top10-2021-apps/a3/gossip-world/app/routes.py @@ -7,6 +7,7 @@ import os import uuid import datetime +import bleach from flask import ( Flask, @@ -32,6 +33,8 @@ app.config['MYSQL_PASSWORD'], app.config['MYSQL_DB']) +allowed_tags = ['b', 'i', 'u', 'em', 'strong', 'a'] +allowed_attrs = {'a':['href', 'title']} def generate_csrf_token(): ''' @@ -163,7 +166,7 @@ def all_gossips(): @login_required def gossip(id): if request.method == 'POST': - comment = request.form.get('comment') + comment = bleach.clean(request.form.get('comment'), tags=allowed_tags, attributes=allowed_attrs) user = session.get('username') date = datetime.datetime.now() if comment == '': 
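Review bot: `clean_comment = {bleach.clean(comment, tags=allowed_tags, attributes=allowed_attrs)}` in post_comment builds a one-element set, not a string, and clean_comment is not used anywhere in the hunk, so the INSERT still receives the original `comment` (its parameter tuple is outside the hunk). Drop the braces, `clean_comment = bleach.clean(comment, tags=allowed_tags, attributes=allowed_attrs)`, and pass clean_comment instead of comment to execute(). The local allowed_tags/allowed_attrs duplicate the module-level lists added to routes.py; keep a single definition so the two allowlists cannot drift apart. Note also that routes.py already cleans the comment before calling this method, so the same text is cleaned twice, and since bleach.clean HTML-escapes what it rejects, it is worth confirming that the (presumably Jinja2, autoescaping) templates do not escape the stored value a second time on output.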
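Review bot: `comment = bleach.clean(request.form.get('comment'), tags=allowed_tags, attributes=allowed_attrs)` in gossip() raises TypeError when the form field is absent, because form.get() returns None and bleach.clean only accepts str; the same applies to the three bleach.clean calls in the newgossip hunk, where the later `text is None` check becomes unreachable. Use a default, `comment = bleach.clean(request.form.get('comment', ''), tags=allowed_tags, attributes=allowed_attrs)`, so the existing `if comment == '':` check still handles the missing-field case. The body of gossip() continues outside the hunk.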
@@ -198,9 +201,9 @@ def gossip(id):
 @login_required
 def newgossip():
 if request.method == 'POST':
- text = request.form.get('text')
- subtitle = request.form.get('subtitle')
- title = request.form.get('title')
+ text = bleach.clean(request.form.get('text'), tags=allowed_tags, attributes=allowed_attrs)
+ subtitle = bleach.clean(request.form.get('subtitle'))
+ title = bleach.clean(request.form.get('title'))
 author = session.get('username')
 date = datetime.datetime.now()
 if author is None or text is None or subtitle is None or title is None:
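Review bot: `subtitle = bleach.clean(request.form.get('subtitle'))` and `title = bleach.clean(request.form.get('title'))` fall back to bleach's default tag allowlist, which still permits a handful of inline and link tags, so a title can carry markup such as a link while the body text is restricted to the module's explicit allowed_tags; that asymmetry looks unintended. For plain-text fields pass an empty allowlist and strip rather than escape, `title = bleach.clean(request.form.get('title', ''), tags=[], strip=True)` (same for subtitle); the `''` default also avoids handing None to bleach.clean, which rejects non-str input with TypeError and would otherwise fire before the `title is None` check below. The rest of newgossip() is outside the hunk.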