Want to Add XSS (Cross Site Scripting ) in Flask API for a new level!

[viralvaghela]

Hello 👋, I would like to contribute to XSS (Reflected Cross Site Scripting ) Vulnerability in Flask API where not properly sanitizing user input will cause XSS.

Scenario:
We will create a simple REST API using Flask that is vulnerable to reflected XSS attacks. The API will have an endpoint that takes a parameter and echoes it back in the response without proper sanitization, allowing malicious JavaScript code to be executed in the user's browser.

the /getPlanetInfo endpoint of the Flask API takes a query parameter named planet in the GET request. The value of the planet parameter is used to fetch the corresponding planet information from the planet_data dictionary. However, if the provided planet name is not found in the dictionary, the API responds with an HTML string containing an XSS payload that executes a JavaScript alert.

For example, if an attacker passes the following URL:

http://localhost:5000/getPlanetInfo?planet=<script>alert('XSS Attack')</script>

the JavaScript code will be executed in the victim's browser.

Please do let me know what you think about this. or if you have any feedback/improvements please share :)

[jkcso]

Fantastic idea @viralvaghela! Go for it and slack to me or our community anytime at #secure-code-game for help or questions!

[viralvaghela]

Thank you @jkcso , I am working on it, and will send a PR soon. First i tried with Android web view,but didn't work, i found it tricky, but i have ideas can we add other mobile specific vulnerabilities like
Insecure logging, insecure storage, hard-coded credentials, insecure host validation,etc ?

[jkcso]

If possible, let's prioritize the vulnerabilities indicated in the contribution guideline first. For example, would Broken Access Control work? Happy to connect over video to try make the Android web view work with the preferred vulnerabilities before we focus on other bugs 💯

[jkcso]

If there's no absolute chance to have XSS or Broken Access Control, I have a slight preference for insecure storage and insecure host validation, happening together in a challenge so that is more difficult and it's a Level 3. Also with different vulnerability variants if possible and maybe with a few ways to defend against it but done wrongly? For example, let's simulate a codebase where the developer actually tried to protect from insecure storage but it was done poorly for example. This way, we can follow Level 3 from Season 1 where the code has some defences, but they are implemented poorly. Let me know what you think, but first let's try more over video with XSS and Broken Access Control or a combo between those and insecure storage and insecure host validation.

[jkcso]

Adding the PR here