ponga2112 / websec-ctf-for-n00bs

Web Application Security Capture the Flag Game for the Uninitiated
MIT License

Phase 3: API (server) #19

Closed ponga2112 closed 3 years ago

ponga2112 commented 4 years ago

Implement the API on the server side. This should be a standalone server; either in node or python flask.

c-h-a-n-c-e commented 4 years ago

Hey, Ray -- can we agree to use swagger for this API? I'm still trying to figure out what actually needs to be done, but found a couple beginner/intro links I'd like to start digging into: https://swagger.io/blog/api-development/how-to-build-an-api/ https://swagger.io/tools/swagger-editor/

ponga2112 commented 4 years ago

Closed Sub-Issue #1: API server should only ever return two response possible codes: 200 if successful, else 400

Reason: api now returns 400 Errors

ponga2112 commented 4 years ago

Closed Sub-Issue #2: API server throws stack trace when attempting to create a user:

Request: /api/create :: {"token":"2c2d5801-c6fd-41e3-a74c-f2489802a5e4","name":"test"}

Result: * Unable to add user to db

----------------------------------------
Exception happened during processing of request from ('127.0.0.1', 42258)
Traceback (most recent call last):
  File "./api.py", line 59, in create_user
    return jsonify(results)
  File "/usr/local/lib/python3.5/dist-packages/flask/json.py", line 237, in jsonify
    return current_app.response_class(dumps(dict(*args, **kwargs),
ValueError: dictionary update sequence element #0 has length 1; 2 is required

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/lib/python3.5/socketserver.py", line 313, in _handle_request_noblock
    self.process_request(request, client_address)
  File "/usr/lib/python3.5/socketserver.py", line 341, in process_request
    self.finish_request(request, client_address)
  File "/usr/lib/python3.5/socketserver.py", line 354, in finish_request
    self.RequestHandlerClass(request, client_address, self)
  File "/usr/lib/python3.5/socketserver.py", line 681, in __init__
    self.handle()
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 232, in handle
    rv = BaseHTTPRequestHandler.handle(self)
  File "/usr/lib/python3.5/http/server.py", line 422, in handle
    self.handle_one_request()
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 267, in handle_one_request
    return self.run_wsgi()
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 209, in run_wsgi
    execute(self.server.app)
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/serving.py", line 199, in execute
    for data in application_iter:
  File "/usr/local/lib/python3.5/dist-packages/werkzeug/debug/__init__.py", line 284, in debug_application
    app_iter = self.app(environ, start_response)
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1836, in __call__
    return self.wsgi_app(environ, start_response)
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1817, in wsgi_app
    response = self.full_dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1475, in full_dispatch_request
    rv = self.dispatch_request()
  File "/usr/local/lib/python3.5/dist-packages/flask/app.py", line 1461, in dispatch_request
    return self.view_functions[rule.endpoint](**req.view_args)
  File "./api.py", line 61, in create_user
    prog_quit(" * Unable to add user to db", e)
  File "./api.py", line 9, in prog_quit
    sys.exit(" * Quitting: " + repr(e))
SystemExit:  * Quitting: ValueError('dictionary update sequence element #0 has length 1; 2 is required',)
----------------------------------------

Reason: Original code created uuid in api instead of accepting uuid from client

ponga2112 commented 4 years ago

Closed Sub-Issue #3: Per the API spec, GET /api/ping is supposed to return an empty JSON object but instead returns {"status": "OK"}

Reason: code now returns empty string

ponga2112 commented 4 years ago

Closed Sub-Issue #4: In /api/create, please forbid a list of naughty strings in a player handle contained in /api/naughty.txt - It's by no means all-inclusive, but it's something. Do something like:

naughty = [...]  # array of naughty words loaded from /api/naughty.txt
handle = player.handle.lower()
for word in naughty:
    if word in handle:  # the naughty word must occur inside the handle, not the handle inside the word
        return True  # prevent player from creating handle with naughty word
return False

Reason: naughty code added
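The validation that sub-issues #1, #2 and #4 ask for, as an added example that is not code from this repository: a framework-agnostic create_user() that takes the client-supplied UUID token instead of minting one, applies the naughty.txt denylist with the substring test in the right direction, and returns only 200 or 400 without raising or calling sys.exit(), so no stack trace can reach the client. The naughty.txt content, the response bodies and the 32-character handle limit are assumptions; a Flask view would just wrap this and pass the tuple to jsonify().

```python
import uuid

# Constructed stand-in for the repo's /api/naughty.txt (one entry per line).
NAUGHTY_TXT = """badword
rudeterm
# comments and blank lines are ignored

"""


def load_naughty(text: str) -> list[str]:
    """Parse a naughty.txt body into lower-cased, stripped entries."""
    words = []
    for line in text.splitlines():
        line = line.strip().lower()
        if line and not line.startswith("#"):
            words.append(line)
    return words


def handle_is_naughty(handle: str, naughty: list[str]) -> bool:
    """True if any denylisted word occurs anywhere in the handle.

    The word is searched inside the handle (``word in handle``); the reverse
    test only fires when the whole handle is a substring of a naughty word.
    """
    lowered = handle.lower()
    return any(word in lowered for word in naughty)


def create_user(payload: dict, naughty: list[str]) -> tuple[int, dict]:
    """Validate a /api/create request and return (status, json_body).

    Only 200 or 400 are ever returned; every failure is a plain return value,
    never an exception or sys.exit(), so the handler cannot leak a traceback.
    """
    token = payload.get("token")
    name = payload.get("name")
    if not isinstance(token, str) or not isinstance(name, str):
        return 400, {"error": "token and name are required strings"}
    try:
        uuid.UUID(token)  # token must be a UUID supplied by the client
    except ValueError:
        return 400, {"error": "token is not a valid uuid"}
    if not (1 <= len(name) <= 32) or not name.isprintable():
        return 400, {"error": "name must be 1-32 printable characters"}
    if handle_is_naughty(name, naughty):
        return 400, {"error": "handle not allowed"}
    return 200, {}
```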

ponga2112 commented 4 years ago

Closed Sub-Issue #5: /api/leaders API does not return 400, even if there is an error condition - This is NOT per the API spec. (( Generally, the API spec is not being followed closely enough in the majority of this code ))

Reason: api now returns 400 Errors