A web application is made with python using flask
-
python database.py (Run first to create the database)
-
python app.py
If you want to visit login page, use :- /login or comments page, use :- /comments
- phase 2 :- SQL injection
- phase 3 :- XSS
SQLi :-
- put username = ' OR '1'='1' -- , and anything on password XSS :-
- put comment field = <script>alert('XSS')</script>
- Python 3
- flask module
Phase 1 — Flask basics: learned how a web server works. Flask starts a server on the machine, listens for browser requests, matches them to routes, runs the function under that route, and returns a response. I built a basic route, rendered an HTML template, and understood the GET/POST difference.
Phase 2 — SQL Injection: Built a login system that talks to a SQLite database. The vulnerability is in how the query is built — user input is directly joined into the SQL string without any sanitization. This means an attacker can type SQL syntax into the username field and manipulate the query itself. With ' OR '1'='1' -- the attacker bypasses the password check entirely because:
OR '1'='1'makes the condition always true--comments out the rest of the query
Phase 3 — XSS: Built a comment system that is connected to SQLite database.
The vulnerability is in how the user input is stored in database and rendered
directly into HTML page as raw HTML using the | safe filter — without any
sanitization. Normally Jinja2 would escape special characters, so the browser treats them as plain text, but | safe bypasses it and executes any JavaScript inside it.
In a real attack, the payload could:
- steal session cookies and send it to attacker.
- redirect users to a fake login page.