Secure programming techniques (MTAT.07.015), 2024/25 spring


Homework 1 (10 points)

Please submit your report to secprog at cyber dot ee by March 28th 2025, 23:59 (EET).

Description

Your school uses a Python Flask API for managing the grades of students. The security model for the API specifies that all teachers have admin access to the API for modifying grades, while students should only be able to view their own arithmetic average grade.

However, there have recently been complaints from teachers that some students have been able to alter their own grades as well. There have also been unexplained password changes and even unexpected commands running on the server.

See if you can find a way to alter your grades with a student account and obtain code execution on the machine. Make a note of every vulnerability you discover in the process and write a formal report that could be sent to the school's IT specialist.


Expected output

A formal report that

  • briefly summarizes which approaches you tried (what worked and what did not);
  • describes the methodology and tools that you used;
  • provides a Proof-of-Concept (PoC) for gaining administrator access and achieving Remote Code Execution (RCE) inside the container; this can be a set of requests or a PoC script with explanations. We need to be sure that you understand the vulnerability you exploit. In this part, it is mandatory to include screenshots from your actual penetration testing process;
  • lists any other vulnerabilities or bad coding practices that you discovered during the process and that are relevant to the application. Do keep in mind that there may be more than one way to exploit the application :)

Use the report template as a basis. You can write the report in whatever tool you prefer, but you must submit a PDF!

Grading

The system can be exploited through various methods, each with a different level of difficulty. Points will be awarded based on the complexity and sophistication of your chosen solution. The end goal is to achieve Remote Code Execution (RCE), but partial points will also be awarded for finding ways to compromise an admin account.

This homework is meant to be done individually. If you get stuck or run out of ideas, we encourage you to ask us for hints: write to secprog at cyber dot ee, describe which attack vectors you have already tried, and we will try to nudge you towards what you might have missed.


Usage

  • Install Docker;
  • unzip the application files;
  • navigate to the correct directory;
  • run the application with:

docker compose up -d --build

Open http://localhost:8080/apidocs for the Swagger UI, which documents all available requests.

There are four predefined test accounts:

teacher@example.com:adminpass789
student1@example.com:password123
student2@example.com:securepass456
student3@example.com:letmein2022
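A small reconnaissance helper, added here as an example (it is not part of the assignment files or of the application itself): it pulls the JSON spec behind the Swagger UI and lists every operation, flagging those that declare no security requirement, which is a sensible first pass before trying student credentials against teacher-only endpoints. The spec URL /apispec_1.json is an assumption (the Flasgger default; confirm it in the browser's network tab while loading /apidocs), and the embedded sample spec and its endpoint names are constructed for illustration, not taken from the real API.

```python
"""Enumerate the operations advertised by an API's Swagger/OpenAPI spec.

Added example, not part of the homework files. Assumptions: the JSON spec
behind the /apidocs UI is served at /apispec_1.json (the Flasgger default),
and the spec uses the Swagger 2.0 / OpenAPI 3 layout for `paths` and
`security`, which both share.
"""
import json
import sys
import urllib.request

HTTP_METHODS = ("get", "post", "put", "patch", "delete", "head", "options")


def fetch_spec(base_url="http://localhost:8080", spec_path="/apispec_1.json"):
    """Download the live spec; spec_path is an assumed default, adjust if needed."""
    with urllib.request.urlopen(base_url.rstrip("/") + spec_path, timeout=10) as resp:
        return json.load(resp)


def enumerate_operations(spec):
    """Return (METHOD, path, summary, has_security) tuples sorted by path.

    An operation declares security if it carries its own non-empty `security`
    list, or has no `security` key and inherits a non-empty top-level one.
    An explicit empty list (`security: []`) means "no auth required".
    """
    global_sec = bool(spec.get("security"))
    ops = []
    for path, methods in spec.get("paths", {}).items():
        for method, op in methods.items():
            if method.lower() not in HTTP_METHODS:
                continue  # skip path-level "parameters" and vendor extensions
            has_sec = bool(op["security"]) if "security" in op else global_sec
            ops.append((method.upper(), path, op.get("summary", ""), has_sec))
    return sorted(ops, key=lambda t: (t[1], t[0]))


def unauthenticated_operations(spec):
    """Operations with no declared security: first candidates for auth testing."""
    return [(m, p) for m, p, _, sec in enumerate_operations(spec) if not sec]


# Constructed sample spec showing the shape only; these endpoints are made up
# and are not the real API's routes.
SAMPLE_SPEC = {
    "swagger": "2.0",
    "paths": {
        "/login": {"post": {"summary": "Obtain a token", "security": []}},
        "/grades/average": {
            "get": {"summary": "Student average", "security": [{"Bearer": []}]}
        },
        "/grades/{student_id}": {
            "parameters": [{"name": "student_id", "in": "path"}],
            "get": {"summary": "List grades"},
            "put": {"summary": "Set grade", "security": [{"Bearer": []}]},
        },
    },
}

if __name__ == "__main__":
    # Run with --live to query the container; otherwise use the sample spec.
    spec = fetch_spec() if "--live" in sys.argv[1:] else SAMPLE_SPEC
    for method, path, summary, has_sec in enumerate_operations(spec):
        flag = "" if has_sec else "  <-- no security declared"
        print(f"{method:6} {path:28} {summary}{flag}")
```

Note that a missing `security` entry only tells you what the spec claims; the real authorization decision is made in the Flask handlers, so every flagged operation (and every unflagged one) still has to be exercised with each of the test accounts and the responses compared.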