[135] | 1 | #!/usr/bin/env python3 |
---|
| 2 | |
---|
| 3 | ''' |
---|
| 4 | Sample password reset process which is vulnerable to padding oracle attacks |
---|
| 5 | |
---|
| 6 | Copyright (C) 2016-2017 Blindspot Security LLC |
---|
| 7 | Author: Timothy D. Morgan |
---|
| 8 | |
---|
| 9 | This program is free software: you can redistribute it and/or modify |
---|
| 10 | it under the terms of the GNU Lesser General Public License, version 3, |
---|
| 11 | as published by the Free Software Foundation. |
---|
| 12 | |
---|
| 13 | This program is distributed in the hope that it will be useful, |
---|
| 14 | but WITHOUT ANY WARRANTY; without even the implied warranty of |
---|
| 15 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
---|
| 16 | GNU General Public License for more details. |
---|
| 17 | |
---|
| 18 | You should have received a copy of the GNU General Public License |
---|
| 19 | along with this program. If not, see <http://www.gnu.org/licenses/>. |
---|
| 20 | ''' |
---|
| 21 | |
---|
| 22 | import http.server |
---|
| 23 | import tokenutils |
---|
| 24 | |
---|
| 25 | listen_ip = '127.0.0.1' |
---|
| 26 | listen_port = 8888 |
---|
| 27 | |
---|
| 28 | |
---|
| 29 | class MyHandler(http.server.BaseHTTPRequestHandler): |
---|
| 30 | def do_HEAD(s): |
---|
| 31 | s.send_response(200) |
---|
| 32 | s.send_header("Content-type", "text/html") |
---|
| 33 | s.end_headers() |
---|
| 34 | |
---|
| 35 | def do_GET(s): |
---|
| 36 | if s.path.startswith('/generate-reset-token'): |
---|
| 37 | s.send_response(200) |
---|
| 38 | s.send_header("Content-Type", "text/html; charset=utf-8") |
---|
| 39 | s.end_headers() |
---|
| 40 | |
---|
| 41 | s.wfile.write(b"<html><head><title>Reset Your Password</title></head>") |
---|
| 42 | s.wfile.write(b"<body>") |
---|
| 43 | user = s.path.split('user=')[1] |
---|
| 44 | url = 'http://%s:%d/reset-password?token=%s' % (listen_ip,listen_port,tokenutils.generateResetToken(user)) |
---|
| 45 | s.wfile.write(('<h4>If this were a real application, we would have emailed the user "%s" the following URL so they could reset their password:</h4>' % user).encode('utf-8')) |
---|
| 46 | s.wfile.write(('<code><a href="%s">%s</a></code>' % (url,url)).encode('utf-8')) |
---|
| 47 | s.wfile.write(b"</body></html>") |
---|
| 48 | |
---|
| 49 | elif s.path.startswith('/reset-password'): |
---|
| 50 | token = s.path.split('token=')[1] |
---|
| 51 | result,info = tokenutils.validateResetToken(token) |
---|
| 52 | if result: |
---|
| 53 | s.send_response(200) |
---|
| 54 | s.send_header("Content-type", "text/html; charset=utf-8") |
---|
| 55 | s.end_headers() |
---|
| 56 | |
---|
| 57 | s.wfile.write(b"<html><head><title>Reset Your Password</title></head>") |
---|
| 58 | s.wfile.write(("<body><p>Hello <b>%s</b>, you may now reset your password:</p>" % info['user']).encode('utf-8')) |
---|
| 59 | s.wfile.write(b"<p>New password: <input type='password' /></p>") |
---|
| 60 | s.wfile.write(b"<p>Verify password: <input type='password' /></p>") |
---|
| 61 | s.wfile.write(b"<p><input type='button' value='Save' /></p>") |
---|
| 62 | s.wfile.write(b"</body></html>") |
---|
| 63 | else: |
---|
| 64 | s.send_response(200) |
---|
| 65 | s.send_header("Content-type", "text/html; charset=utf-8") |
---|
| 66 | s.end_headers() |
---|
| 67 | |
---|
| 68 | s.wfile.write(b"<html><head><title>Reset Your Password</title></head>") |
---|
| 69 | s.wfile.write(b"<body><p>Oops! There was a problem with your reset token</p>") |
---|
| 70 | s.wfile.write(b"<p>ERROR: <b>%s</b></p>" % info.encode('utf-8')) |
---|
| 71 | s.wfile.write(("<p>Please <a href='http://%s:%d/generate-reset-token?user=bob'>return here</a> to try again.</p>" % (listen_ip,listen_port)).encode('utf-8')) |
---|
| 72 | s.wfile.write(b"</body></html>") |
---|
| 73 | |
---|
| 74 | else: |
---|
| 75 | s.send_response(404) |
---|
| 76 | s.send_header("Content-type", "text/html; charset=utf-8") |
---|
| 77 | s.end_headers() |
---|
| 78 | |
---|
| 79 | s.wfile.write(b"<html><head><title>Not Found</title></head>") |
---|
| 80 | s.wfile.write(b"<body><p>Greetings traveler. We think you want to start at ") |
---|
| 81 | s.wfile.write(("<a href='http://%s:%d/generate-reset-token?user=bob'>this page</a>.</p>" % (listen_ip,listen_port)).encode('utf-8')) |
---|
| 82 | s.wfile.write(b"</body></html>") |
---|
| 83 | |
---|
| 84 | |
---|
| 85 | if __name__ == '__main__': |
---|
| 86 | httpd = http.server.HTTPServer((listen_ip, listen_port), MyHandler) |
---|
| 87 | try: |
---|
| 88 | httpd.serve_forever() |
---|
| 89 | except KeyboardInterrupt: |
---|
| 90 | pass |
---|
| 91 | httpd.server_close() |
---|