Skip to content

A simple vulnerable token machine written in python.

License

Notifications You must be signed in to change notification settings

z3mil/accidentalFlask

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

20 Commits
 
 
 
 
 
 
 
 
 
 

Repository files navigation

MIT License


Logo

accidentalFlask

A simple vulnerable token machine

LOL, What is this?

A simple vulnerable Python API for educational purposes, specifically built for token entropy / bad session management abuse. The app is built in Python 3 with Flask and exposes 2 APIs at /token and /whomai. The web app runs locally and does not incorporate any backend storage.

Clone and install dependencies

git clone https://github.com/z3mil/accidentalFlask.git
cd accidentalFlask
python3 -m pip install -r requirement.txt

Run

python3 app.py &

running the app

Exploit Manually

On every run, the admin token is generated and echoed to terminal. The token endpoint will create a weak RC4 encrypted blob based on the provided username and a substring of current epoch time, students can use tools like attack proxies (e.g. Burp sequencer) to enumrate the entropy of the token, and attempt to generate a valid admin token. An admin token can be verified by hitting the whoami endpoint which will respond with You are logged in as admin if the token matches. RC4 is a stream cipher that is known to be vulnerable to bit-flipping.

  1. token endpoint
curl --location --request POST 'http://127.0.0.1:5000/token' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Username": "bdmin",
    "Password": "password"
}'
  1. whoami endpoint
curl --location --request POST 'http://127.0.0.1:5000/whoami' \
--header 'Content-Type: application/json' \
--data-raw '{
    "Token": "<insert_token_here>"
}'

Automate

The attack set out to achieve a valid admin token can be done with Burp intruder or any other automation tool. A generated token for a similar user (e.g. 'bdmin') will generate a close enough cipher text to be bit-flipped. the whoami endpoint will return a different response if an admin token is presented.

Burp Intruder

Releases

No releases published

Packages

No packages published

Languages