
Broken authentication #3

@thelonewolf123

Description


In this Flask application, user sessions are managed using session cookies, but the session cookies aren't unique and can be easily brute-forced.

# cur is the MySQL cursor; username and password_candidate come from the login form
result = cur.execute("SELECT * FROM users WHERE username=%s", [username])

if result > 0:
    # Get stored value
    data = cur.fetchone()
    password = data['password']
    uid = data['id']
    name = data['name']

    # Compare password
    if sha256_crypt.verify(password_candidate, password):
        # passed: the session now holds the logged-in flag, the numeric uid and the display name
        session['logged_in'] = True
        session['uid'] = uid
        session['s_name'] = name

In the above piece of code, we can see three different session cookies being created, but none of them are unique. We can get the s_name value from the online section, and uid is just a one- or two-digit number (it may vary based on the total number of registered users), so uid can be easily brute-forced.

I think it's better to use flask_sessions or flask_user to handle login and signup, or else we should use something unique as the uid for a cookie.
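The following is an added, stand-alone example written for this page; it is not code from the repository the issue is about. It contrasts the pattern the issue describes (a session that identifies the user by the small sequential uid, so every small integer is a candidate session) with the remediation the issue suggests: a random, unguessable session token issued at login and mapped to the uid on the server. Assumptions, not the project's choices: an in-memory USERS dict stands in for the MySQL users table, hashlib's pbkdf2_hmac with a constructed static salt stands in for passlib's sha256_crypt so the script runs without extra packages, and the login() function mirrors the shape of the issue's login code without Flask.

```python
import hashlib
import secrets
import time

# Constructed stand-in for the `users` table in the issue: uid -> (username, password hash).
# pbkdf2_hmac from the standard library replaces passlib's sha256_crypt only so this runs
# without passlib (an assumption, not the project's choice). A real app stores a per-user salt.
_SALT = b"example-static-salt"   # constructed for the example


def _hash_password(password: str) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000).hex()


USERS = {
    1: ("alice", _hash_password("correct horse")),
    2: ("bob", _hash_password("battery staple")),
    3: ("carol", _hash_password("hunter2")),
}


class UidSessionStore:
    """Models the pattern in the issue: the session identifies the user by the numeric uid
    alone, so every small integer is a candidate session and can be enumerated."""

    def create(self, uid: int) -> str:
        return str(uid)

    def resolve(self, cookie: str):
        try:
            uid = int(cookie)
        except ValueError:
            return None
        return uid if uid in USERS else None


class TokenSessionStore:
    """Server-side sessions keyed by a 256-bit random token. The cookie carries only the
    token; uid and name stay on the server, and the token space cannot be enumerated."""

    def __init__(self, ttl_seconds: int = 3600):
        self._sessions = {}
        self._ttl = ttl_seconds

    @staticmethod
    def _key(token: str) -> str:
        # Store a hash of the token so a leaked session table does not yield usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, uid: int) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._sessions[self._key(token)] = {"uid": uid, "expires": time.time() + self._ttl}
        return token

    def resolve(self, cookie: str):
        entry = self._sessions.get(self._key(cookie))
        if entry is None:
            return None
        if entry["expires"] < time.time():
            # Expired sessions are dropped on first use rather than lingering in the store.
            self._sessions.pop(self._key(cookie), None)
            return None
        return entry["uid"]

    def destroy(self, cookie: str) -> None:
        self._sessions.pop(self._key(cookie), None)


def login(username: str, password_candidate: str, store):
    """Same shape as the issue's login code: look the user up, verify the password, then
    issue a session. Returns the cookie value to set, or None on failure."""
    for uid, (name, pw_hash) in USERS.items():
        if name == username:
            # compare_digest keeps the comparison constant-time.
            if secrets.compare_digest(_hash_password(password_candidate), pw_hash):
                return store.create(uid)
            return None
    return None


def brute_force(store, candidates):
    """Try every candidate cookie against the store; return {cookie: uid} for the ones
    that resolve to a live session."""
    hits = {}
    for cookie in candidates:
        uid = store.resolve(cookie)
        if uid is not None:
            hits[cookie] = uid
    return hits


if __name__ == "__main__":
    guesses = [str(i) for i in range(0, 1000)]
    weak = UidSessionStore()
    print("uid-as-session hits:", brute_force(weak, guesses))      # every registered uid
    strong = TokenSessionStore()
    cookie = login("alice", "correct horse", strong)
    print("random-token hits:", brute_force(strong, guesses))      # {}
    print("legit cookie resolves to uid", strong.resolve(cookie))   # 1
```

Running the script shows that a thousand guesses recover every live session in the uid-based store and none in the token-based one. One caveat worth keeping in mind when judging the original code: Flask's built-in session is a cookie signed with the app's SECRET_KEY, so a client cannot simply rewrite uid inside it unless that key is weak or leaked; the server-side token approach above additionally keeps uid and name off the client entirely and gives the server a way to revoke or expire a session, which is what the brute-force concern in the issue really calls for.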
