import os

# Existing order kept on purpose: the star import stays ahead of the flask
# import so flask's names win should sqlimodel re-export any of them.
from models.sqlimodel import *
from flask import Flask, request, url_for, render_template, redirect, make_response, request, session
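app = Flask(__name__, static_url_path='/static', static_folder='static')
# Lab setting: DEBUG turns on the Werkzeug interactive debugger for app.run(),
# and the entry point at the bottom of this file binds to all interfaces, so
# the debugger is reachable from other hosts. Keep this app on an isolated lab
# network only.
app.config['DEBUG'] = True
app.config.update(
    # Session-signing key. The hard-coded value is the lab's original default;
    # exporting SECRET_KEY in the environment overrides it without editing
    # this file, so a shared lab instance need not sign cookies with a key
    # that is public in the repository.
    SECRET_KEY=os.environ.get("SECRET_KEY", "woopie"),
    # Keep the session cookie out of document.cookie.
    SESSION_COOKIE_HTTPONLY=True,
    # SESSION_COOKIE_SAMESITE is deliberately not set here: the login routes
    # below switch it per request, which is the subject of this lab.
)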
# Load default config and override config from an environment variable
# You can also replace password with static password: PASSWORD='pass!@#example'
@app.route("/")
def start():
    """Serve the lab landing page (``index.html``)."""
    landing = render_template("index.html")
    return landing
@app.route("/login_insecure", methods=['GET', 'POST'])
def login_insecure():
    """Lab baseline login: leaves the session cookie's SameSite attribute alone.

    Looks the submitted username up with ``Classes().getUser`` and, when the
    third column of the first returned row equals the submitted password,
    marks the session as logged in and renders ``loggedin.html`` with the
    user's stored colour. Every other outcome renders ``index.html``.

    Note: ``request.form['username']`` and ``['password']`` are indexed
    directly, so a request without those fields (for example a plain GET,
    which this route also accepts) ends in a 400 ``BadRequestKeyError``.
    The credential check is a plain ``==`` against whatever ``getUser``
    returns; whether that column holds a plaintext password or a digest is
    not visible from this file.
    """
    db = Classes()
    username = request.form['username']
    matches = db.getUser(username)
    if not matches:
        return render_template("index.html")
    record = matches[0]
    if record[2] != request.form['password']:
        return render_template("index.html")
    user_id = record[0]
    session['userId'] = user_id
    session['loggedin'] = True
    pref = db.getColor(user_id)
    return render_template("loggedin.html", color=pref[0][0])
@app.route("/login_strict", methods=['GET', 'POST'])
def login_strict():
    """Login variant that issues the session cookie with ``SameSite=Strict``.

    Same credential flow as ``login_insecure``: ``Classes().getUser`` on the
    submitted username, a plain ``==`` of the first row's third column with
    the submitted password, then the session is marked logged in and
    ``loggedin.html`` is rendered with the user's colour; otherwise
    ``index.html``. Missing form fields raise a 400 ``BadRequestKeyError``.

    Note: ``app.config.update`` mutates the application-wide config, not this
    response. Flask reads ``SESSION_COOKIE_SAMESITE`` from ``app.config`` when
    it saves a session, so once this route has run, every session cookie the
    app issues carries ``Strict`` until ``/login_lax`` overwrites it —
    ``/login_insecure`` never resets the value. Per-response control would
    need a custom session interface or an explicit ``Set-Cookie`` on the
    response. This is a lab shortcut, not a pattern to copy.
    """
    app.config.update(SESSION_COOKIE_SAMESITE='Strict')
    db = Classes()
    matches = db.getUser(request.form['username'])
    if not matches:
        return render_template("index.html")
    record = matches[0]
    if record[2] != request.form['password']:
        return render_template("index.html")
    user_id = record[0]
    session['userId'] = user_id
    session['loggedin'] = True
    pref = db.getColor(user_id)
    return render_template("loggedin.html", color=pref[0][0])
@app.route("/login_lax", methods=['GET', 'POST'])
def login_lax():
    """Login variant that issues the session cookie with ``SameSite=Lax``.

    Same credential flow as ``login_insecure``: ``Classes().getUser`` on the
    submitted username, a plain ``==`` of the first row's third column with
    the submitted password, then the session is marked logged in and
    ``loggedin.html`` is rendered with the user's colour; otherwise
    ``index.html``. Missing form fields raise a 400 ``BadRequestKeyError``.

    Note: as in ``login_strict``, ``app.config.update`` changes the
    application-wide setting that Flask consults when saving any session, so
    the attribute on cookies issued by the other login routes depends on
    which of ``/login_strict`` and ``/login_lax`` ran most recently. The
    ``Lax`` value matters for this lab's ``/update`` route, which accepts its
    state change over a top-level GET navigation as well as POST.
    """
    app.config.update(SESSION_COOKIE_SAMESITE='Lax')
    db = Classes()
    matches = db.getUser(request.form['username'])
    if not matches:
        return render_template("index.html")
    record = matches[0]
    if record[2] != request.form['password']:
        return render_template("index.html")
    user_id = record[0]
    session['userId'] = user_id
    session['loggedin'] = True
    pref = db.getColor(user_id)
    return render_template("loggedin.html", color=pref[0][0])
@app.route("/update", methods=['POST', 'GET'])
def update():
    """Store the logged-in user's colour preference and re-render the page.

    Callers without the ``loggedin`` session flag get ``index.html``.
    Otherwise the colour is taken from the ``color`` form field on POST, or
    from the ``color`` query parameter on GET when it is present, and written
    with ``Classes().updateColor`` for the session's ``userId``; the page is
    then rendered from the freshly read preference. A POST without a
    ``color`` field ends in a 400 ``BadRequestKeyError``.

    Note: neither branch carries an anti-CSRF token and the GET branch
    changes state, so a cross-site form or link can trigger the update — the
    behaviour this lab demonstrates, gated only by the SameSite attribute the
    login routes vary. The usual mitigation is a POST-only endpoint with a
    per-session CSRF token, with SameSite as defence in depth.
    """
    if not session.get('loggedin'):
        return render_template('index.html')
    db = Classes()
    user_id = session.get('userId')
    method = request.method
    if method == "POST":
        db.updateColor(request.form['color'], user_id)
    elif method == "GET" and request.args.get('color') is not None:
        db.updateColor(request.args['color'], user_id)
    pref = db.getColor(user_id)
    return render_template("loggedin.html", color=pref[0][0])
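@app.errorhandler(404)
def page_not_found(e):
    """Render ``404.html`` for unknown routes with a 404 status.

    Args:
        e: the exception Flask hands to the handler (unused here).

    Returns:
        The rendered page together with status code 404. Returning the
        template alone, as before, made Flask answer with 200, so clients
        and monitoring could not tell a missing page from a real one.
    """
    return render_template("404.html"), 404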
if __name__ == "__main__":
    # Lab convenience: bind to every interface so the app is reachable from
    # other hosts on the lab network. Because DEBUG is set in the config
    # above, the Werkzeug debugger is reachable the same way — run this only
    # on an isolated network.
    app.run(host="0.0.0.0")