refactors

web-security/auth-bypass-cookie/server

@@ -45,11 +45,10 @@ def challenge_post():
 @app.route("/", methods=["GET"])
 def challenge_get():
     page = "<html><body>"
-    if "session_user" not in flask.request.cookies:
+    if not (username := flask.request.cookies.get("session_user", None)):
         page += "Welcome to the login service! Please log in as admin to get the flag."
     else:
-        username = flask.request.cookies["session_user"]
-        page = f"<html><body>Hello, {username}!"
+        page = f"Hello, {username}!"
         if username == "admin":
             page += "<br>Here is your flag: " + open("/flag").read()
 

web-security/level-3/server

@@ -38,33 +38,26 @@ def challenge_post():
     if not user:
         flask.abort(403, "Invalid username or password")
 
-    return flask.redirect(f"""{flask.request.path}?session_user_id={int(user["rowid"])}""")
+    return flask.redirect(f"""{flask.request.path}?session_user={username}""")
 
 
 @app.route("/", methods=["GET"])
 def challenge_get():
-    if "session_user_id" not in flask.request.args:
-        return """
-            <html><body>
-            Welcome to the login service! Please log in as admin to get the flag.
-            <form method=post>
-            User:<input type=text name=username>Pass:<input type=text name=password><input type=submit value=Submit>
-            </form>
-            </body></html>
-        """
-
-    user_id = int(flask.request.args["session_user_id"])
-    user = db.execute("SELECT * FROM users WHERE rowid = ?", (user_id,)).fetchone()
-    if not user:
-        flask.abort(403, "No such user")
-
-    username = user["username"]
-    page = f"<html><body>Hello, {username}!"
-    if username == "admin":
-        page += "<br>Here is your flag: " + open("/flag").read()
-    page += "</body></html>"
-    return page
-
+    page = "<html><body>"
+    if not (username := flask.request.args.get("session_user", None)):
+        page += "Welcome to the login service! Please log in as admin to get the flag."
+    else:
+        page = f"Hello, {username}!"
+        if username == "admin":
+            page += "<br>Here is your flag: " + open("/flag").read()
+
+    return page + """
+        <hr>
+        <form method=post>
+        User:<input type=text name=username>Pass:<input type=text name=password><input type=submit value=Submit>
+        </form>
+        </body></html>
+    """
 
 app.secret_key = os.urandom(8)
 app.run("challenge.localhost", int(os.environ.get("HTTP_PORT", 80)))

web-security/level-4/server

@@ -50,10 +50,9 @@ def challenge_post():
 @app.route("/", methods=["GET"])
 def challenge_get():
     page = "<html><body>"
-    if not flask.session.get("user", None):
+    if not (username := flask.session.get("user", None)):
         page += "Welcome to the login service! Please log in as admin to get the flag."
     else:
-        username = flask.session.get("user")
         page = f"<html><body>Hello, {username}!"
         if username == "admin":
             page += "<br>Here is your flag: " + open("/flag").read()

web-security/sqli-pin/server

@@ -50,10 +50,9 @@ def challenge_post():
 @app.route("/", methods=["GET"])
 def challenge_get():
     page = "<html><body>"
-    if not flask.session.get("user", None):
+    if not (username := flask.session.get("user", None)):
         page += "Welcome to the login service! Please log in as admin to get the flag."
     else:
-        username = flask.session.get("user")
         page = f"<html><body>Hello, {username}!"
         if username == "admin":
             page += "<br>Here is your flag: " + open("/flag").read()