Amarelo Designs (resolution) #631
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![github-advanced-security[bot]](https://avatars.githubusercontent.com/in/57789?s=60&v=4){kind=small}
| resp = make_response(redirect("/user")) | ||
| resp.set_cookie("sessionId", encodedSessionCookie) | ||
| resp.set_cookie("token", token) |
Check warning
Code scanning / CodeQL
Failure to use secure cookies Medium
|
|
||
|
|
||
| if __name__ == '__main__': | ||
| app.run(debug=True,host='0.0.0.0') | ||
| app.run(debug=True, host='0.0.0.0') |
Check failure
Code scanning / CodeQL
Flask app is run in debug mode High
|
Very nice, @RayTdC! After your changes I could not reproduce the attack scenario anymore! 🚀🐼 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This solution refers to which of the apps?
A8 - Amarelo Designs
What did you do to mitigate the vulnerability?
The app had a security flaw, which allowed the attacker to execute code remotely through a serialization vulnerability. The pickle module in Python is widely used to serialize and deserialize Python objects. However, its suitability depends on the context in which it is being used. In this case, JWT (JSON Web Token) was used, as Pickle's functionality allowed the attacker to access the machine through a reverse shell requested through the serialization vulnerability, which is where pickle is capable of serializing Python objects that may contain malicious code. When using JWT for serialization and deserialization, you have additional security benefits provided by authentication and signature verification, which are recommended in this app to prevent remote execution of malicious code.
The images below show the successful hacking attempt on the machine.
After the changes, it is no longer possible to access the machine as root.
