Secure Programming Methods (MTAT.07.015), 2024/25 spring


Homework 1 (10 points)

Please submit your report to secprog at cyber dot ee by March 28th 2025, 23:59 (EET).

Description

Your school uses a Python Flask API for managing the grades of students. The security model for the API specifies that all teachers have admin access to the API for modifying grades, while students should only be able to view their own arithmetic average grade.
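The access-control model above has two distinct checks: a role check on who may write grades, and an ownership check on whose average a student may read. The following is an added illustration of enforcing both server-side, not code from the course's application; the class and account names are assumptions and the grades are constructed sample data.

```python
from dataclasses import dataclass, field
from statistics import mean


@dataclass
class User:
    email: str
    role: str  # "teacher" or "student", taken from the authenticated session


@dataclass
class GradeBook:
    # student email -> {course: grade}; constructed sample data, not the course's database
    grades: dict = field(default_factory=dict)

    def set_grade(self, actor: User, student: str, course: str, grade: int) -> None:
        # Function-level check: only the teacher role may modify grades.
        if actor.role != "teacher":
            raise PermissionError("only teachers may modify grades")
        self.grades.setdefault(student, {})[course] = grade

    def average(self, actor: User, student: str) -> float:
        # Object-level check: a student may read only their own average; teachers may read any.
        if actor.role != "teacher" and actor.email != student:
            raise PermissionError("students may only view their own average")
        marks = self.grades.get(student, {})
        if not marks:
            raise LookupError("no grades recorded")
        return mean(marks.values())


def demo() -> dict:
    """Exercise the policy with constructed accounts (assumed names, not real data)."""
    book = GradeBook()
    teacher = User("teacher@example.com", "teacher")
    student1 = User("student1@example.com", "student")
    student2 = User("student2@example.com", "student")
    book.set_grade(teacher, student1.email, "math", 4)
    book.set_grade(teacher, student1.email, "physics", 5)
    results = {"own_average": book.average(student1, student1.email)}
    try:  # a student attempting to change their own grade must be refused
        book.set_grade(student1, student1.email, "math", 5)
        results["student_modified"] = True
    except PermissionError:
        results["student_modified"] = False
    try:  # a student attempting to read a peer's average must be refused
        book.average(student2, student1.email)
        results["peer_read"] = True
    except PermissionError:
        results["peer_read"] = False
    results["teacher_read"] = book.average(teacher, student1.email)
    return results
```

Both checks rely on `actor` being derived from the server-side session; a role or email copied from the request body would defeat them.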

However, there have recently been complaints from teachers that some students have been able to alter their own grades as well. There have also been some unexplained password changes and even commands running on the server.

See if you can find a way to alter your grades with a student account and obtain code execution on the machine. Make note of any vulnerabilities discovered in the process and write a formal report that could be sent to the school's IT specialist.


Expected output

A formal report that

  • briefly summarizes which approaches you tried (what worked and what did not);
  • describes the methodology and tools that you used;
  • provides a Proof-of-Concept (PoC) for ways of gaining administrator access and achieving Remote Code Execution (RCE) inside the container; this can be a set of requests or a PoC script with explanations. We need to be sure that you understand the vulnerability that you exploit. In this part, it is mandatory to include screenshots from your actual penetration testing process;
  • lists any other vulnerabilities or bad coding practices that you discovered during the process and that are relevant to the application. Do keep in mind that there may be more than one way to exploit the application :)

Use the report template as a basis. You can write the report with whatever tool you prefer, but you will need to submit a PDF!

Grading

The system can be exploited through various methods, each with differing levels of difficulty. Points will be determined based on the complexity and sophistication of your chosen solution. The end goal is to achieve Remote Code Execution (RCE), but partial points will also be awarded for finding ways to compromise an admin account.

This homework is meant to be done individually. If you get stuck or run out of ideas, we encourage you to ask us for hints: write to secprog at cyber dot ee and describe what attack vectors you have tried, and we will try to nudge you towards what you might have missed.


Usage

  • install Docker;
  • unzip the application files;
  • navigate to the correct directory;
  • run the application with:

docker compose up -d --build

Navigate to http://localhost:8080/apidocs for the Swagger UI, which documents all of the API's requests.

There are four predefined testing accounts (email:password):

teacher@example.com:adminpass789
student1@example.com:password123
student2@example.com:securepass456
student3@example.com:letmein2022
The proprietary copyright of the course materials belongs to the University of Tartu. Use of the course materials is permitted for the purposes and under the conditions of free use of a work provided for in the Copyright Act. When using the course materials, the user is obliged to cite the author of the materials.
Use of the course materials for any other purpose is permitted only with the prior written consent of the University of Tartu.