
Exercises on web security

2021-2022 Demo exam exercise 4 (6 points)

LetsComplain is a new website for students and profs. Students here can complain about exams and professors can handle the complaints and register their exams. Get ready to hack this website.

The relevant pseudo-code of the forum is the following:

# https://letscomplain.com/register
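def register():
  """Create an account (prof=False) from a POSTed username/password pair.

  Only the username is checked with is_alphanum_plus(); the password field is
  spliced into the INSERT as received.  The INSERT is built by string
  concatenation, so its well-formedness depends entirely on what reaches it.
  Returns the login page.  Aborts 403 on a non-POST, 400 on a bad username.
  """
  if request.method != "POST":
    abort(403)
  username = request.form['username']
  password = request.form['password']

  if not is_alphanum_plus(username):
    abort(400)

  # NOTE(review): string-built SQL.  The password never passes through
  # is_alphanum_plus() (contrast login()), and it is stored as plain text.
  # Mitigation: a parameterized INSERT with driver-bound placeholders, and a
  # salted password hash instead of the raw value.
  q = ("INSERT INTO User (username, password, prof) VALUES ('"
       + username + "','" + password + "', False);")
  dbquery(q)

  return login_page()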

# https://letscomplain.com/login
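def login():
  """Authenticate a POSTed username/password pair.

  Both fields must pass is_alphanum_plus() before the SELECT is built; on a
  match the user's id (result.get_text()) is handed to login_page(), otherwise
  the login page is rendered with an error.  Aborts 403 on a non-POST, 400 on
  a rejected field.
  """
  if request.method != "POST":
    abort(403)
  username = request.form['username']
  password = request.form['password']

  # Both inputs are filtered here; this filter is what keeps the concatenated
  # query below well-formed.
  if not is_alphanum_plus(username) or not is_alphanum_plus(password):
    abort(400)

  # NOTE(review): still string-built SQL — bound parameters would not depend
  # on the input filter.  The password is compared in clear text against the
  # stored column (see register()), i.e. credentials are stored unhashed;
  # a salted hash compared server-side is the usual mitigation.
  q = ("SELECT id FROM User WHERE username='" + username
       + "' and password='" + password + "'")

  result = dbquery(q)
  if result.empty():
    return login_page(error="Wrong username or password.")

  id = result.get_text()

  return login_page(id=id)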

# https://letscomplain.com/complain
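def complain():
  """Store a complaint submitted by POST; returns None.

  Reads the author id and exam id from the form as ints and the complaint
  text through html_escape_minimal(), then runs a string-built INSERT.
  Aborts 403 on a non-POST.
  """
  if request.method != "POST":
    abort(403)

  # NOTE(review): the author id comes from the client-submitted form, not
  # from a server-side session, so nothing ties author_id to the logged-in
  # user.  Binding it to the session identity is the fix.  Also,
  # form.get("id") is None when the field is absent and int(None) raises
  # TypeError instead of a clean 400.
  id = int(request.form.get("id"))
  # html_escape_minimal() is the only treatment the text receives before it
  # is spliced into SQL below.
  complaint = html_escape_minimal(request.form['complaint'])
  # NOTE(review): the exam id is read from a form field named 'comment' —
  # looks like a naming slip; confirm against the form template.
  exam_id = int(request.form['comment'])

  # NOTE(review): string-built INSERT.  The int() casts keep the two numeric
  # values numeric, but the complaint text is concatenated as-is — an HTML
  # escape is not an SQL escape.  A parameterized INSERT is the mitigation.
  q = ("INSERT INTO Complaints (author_id, exam_id, complaint) VALUES ("
       + str(id) + "," + str(exam_id) + ",'" + complaint + "');")
  dbquery(q)

  return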

# https://letscomplain.com/personal_page
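def personal_page():
  """Render the prof or student page for the `id` given in the query string.

  Looks up User.prof for that id and dispatches to render_prof_page() when it
  is truthy, else render_student_page().  Aborts 403 on a non-GET.
  """
  if request.method != "GET":
    abort(403)

  # NOTE(review): the id to display is taken from the query string and there
  # is no check that it belongs to the requester, so any id can be rendered.
  # Deriving the id from the authenticated session is the mitigation.
  # args.get("id") is None when absent; int(None) raises TypeError, not 400.
  id = int(request.args.get("id"))
  # int() keeps the spliced value numeric; note the column is still quoted
  # as a string in the query text.
  q = "SELECT prof FROM User WHERE id='" + str(id) + "'"
  prof = dbquery(q).get_text()
  if prof:
    return render_prof_page(id=id)

  return render_student_page(id=id)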

# https://letscomplain.com/personal_page
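def render_student_page(id):
  """Build the student page listing every complaint authored by `id`.

  Each row (username, exam, complaint) from the join is concatenated into
  the page markup; the literal "..." fragments are the exercise's
  placeholders for the surrounding HTML.  `id` is the int produced by
  personal_page() and is spliced into the WHERE clause as a quoted string.
  """
  # NOTE(review): string-built SQL; the caller's int() cast is the only thing
  # keeping this clause well-formed.  A bound parameter would not rely on it.
  q = ("SELECT U.username, E.exam, C.complaint FROM User as U "
       "JOIN Complaint AS C ON U.id=C.author_id "
       "JOIN Exam as E ON C.exam_id=E.id "
       "WHERE U.id='" + str(id) + "'")
  complaints = dbquery(q).get_text_list()

  # NOTE(review): nothing escapes the three fields at output.  username was
  # limited to is_alphanum_plus() at registration and complaint text went
  # through html_escape_minimal() at insert time, but exam text is emitted
  # exactly as stored.  Escaping every dynamic value at the rendering
  # boundary is the usual mitigation.
  rows = []
  for row in complaints:
    rows.append(""" ... """ + row.username + """ ...""" + row.exam
                + """ ... """ + row.complaint + """...>""")

  return """< ... """ + "".join(rows)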