Baby Todo or Not Todo: An Exploration of a Python Todo List App
Introduction:
Ever wondered how secure your 'todo list' is? While it might sound trivial, todo lists often house our most intimate thoughts, plans, and goals. Let's take a journey together to explore a Python-based todo list application named "Baby Todo or Not Todo". We'll investigate if this application is as 'baby'-proof as it's made out to be.
Machine name: baby todo or not todo
Difficulty: Easy
Category: Web
Source Files: Yes
DESCRIPTION:
I'm so done with these bloody HR solutions coming from those bloody HR specialists, I don't need anyone monitoring my thoughts, or do I... ?
Setting Up The Game:
After spawning the challenge instance, we took the IP address it handed us and opened it in the browser. Our playground was now set.

Intercepting The Signals:
As the next step, we routed the browser through Burp Suite to intercept the HTTP requests. This gave us a view of how the front end talks to the server.

Unveiling The Python Code:
Reading the provided source files gave a deeper understanding. It was a Python 'todo list' application that used a 'secret' query parameter to identify each user's session.
The Silent Observer:
Inspecting the intercepted requests revealed an interesting behaviour: the front end was polling the API on its own, sending GET requests every few milliseconds.

For instance, it was making calls to /api/list/userD3Ac4ACE/?secret=9FbCCD4A2DB7Fd5, where 'userD3Ac4ACE' was the username, and '9FbCCD4A2DB7Fd5' was the auto-generated secret as per the application's source code schema.
Deciphering The Source Code:
While looking at the schema.sql source code, we discovered that the first user was 'admin', and, importantly, the flag was in this user's todo list. The key challenge was to obtain the 'admin' user's secret to access the flag.

Traversing Through Routes:

Exploring further, we came across several routes. Requesting the '/api/list/all' route returned a '308 Permanent Redirect', and following the redirect gave an error.

However, a twist was awaiting us. Sending 'GET /api/list/all/?secret=' with our own secret gave us every user's todo list, with no need for the 'admin' user's secret at all.

Discovering the Flag:
As we scrolled through the various todo lists, lo and behold, we found our flag. This vulnerability, primarily due to broken authentication, let us bypass the need for the 'admin' user's secret and read all todo lists directly.
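To make the failure concrete, here is an added illustration (not the challenge's own code) of the authorization model the writeup implies: a handler that only asks "is this a valid secret?" beside one that also asks "whose secret is it, and may that user read this list?", plus a small detection pass over constructed access-log lines that flags cross-user reads. The user store, the second user, the admin secret and the flag are constructed placeholders; the function names are hypothetical; only the 'userD3Ac4ACE' / '9FbCCD4A2DB7Fd5' pair comes from the writeup.

```python
"""Authorization model for a secret-keyed todo API: vulnerable vs hardened.

Added illustration: the user table, secrets and log lines are constructed,
and the function names are hypothetical; none of this is the challenge's code.
"""
import hmac
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed user store. The admin secret and flag are placeholders;
# "userD3Ac4ACE" / "9FbCCD4A2DB7Fd5" are the values quoted in the writeup.
USERS = {
    "admin": {"secret": "ADMIN_SECRET_PLACEHOLDER", "todos": ["FLAG_PLACEHOLDER"]},
    "userD3Ac4ACE": {"secret": "9FbCCD4A2DB7Fd5", "todos": ["write the report"]},
    "user7B1E90aa": {"secret": "0c3E7AAD81F2b9d", "todos": ["call the dentist"]},
}

Response = Tuple[int, List[str]]


def user_for_secret(secret: str) -> Optional[str]:
    """Map a secret to its owner (constant-time compare); None if unknown."""
    for name, record in USERS.items():
        if hmac.compare_digest(record["secret"].encode(), secret.encode()):
            return name
    return None


def _all_todos() -> List[str]:
    return [item for record in USERS.values() for item in record["todos"]]


def list_todos_vulnerable(target: str, secret: str) -> Response:
    """Behaviour the writeup observed: any valid secret unlocks any list,
    including the 'all' view, because the check stops at 'is this a secret?'"""
    if user_for_secret(secret) is None:
        return 401, []
    if target == "all":
        return 200, _all_todos()
    if target not in USERS:
        return 404, []
    return 200, USERS[target]["todos"]


def list_todos_hardened(target: str, secret: str) -> Response:
    """Authenticate, then authorize: the secret identifies a caller, and the
    caller may read only their own list unless they are admin."""
    caller = user_for_secret(secret)
    if caller is None:
        return 401, []
    if target == "all":
        return (200, _all_todos()) if caller == "admin" else (403, [])
    if target not in USERS:
        return 404, []
    if target != caller and caller != "admin":
        return 403, []
    return 200, USERS[target]["todos"]


def flag_cross_user_reads(log_lines: List[str]) -> List[Tuple[str, str]]:
    """Detection pass over constructed 'METHOD PATH STATUS' access-log lines:
    report every successful read of a list the secret's owner does not own."""
    findings = []
    for line in log_lines:
        method, url, status = line.split()
        if method != "GET" or status != "200":
            continue
        parts = urlsplit(url)
        segments = [s for s in parts.path.split("/") if s]
        if len(segments) < 3 or segments[:2] != ["api", "list"]:
            continue
        target = segments[2]
        secret = parse_qs(parts.query).get("secret", [""])[0]
        caller = user_for_secret(secret)
        if caller is None:
            findings.append((line, "secret not recognised"))
        elif caller != "admin" and target != caller:
            findings.append((line, f"{caller} read list '{target}'"))
    return findings


# Constructed sample log; only the third line is a cross-user read.
SAMPLE_LOG = [
    "GET /api/list/userD3Ac4ACE/?secret=9FbCCD4A2DB7Fd5 200",
    "GET /api/list/all 308",
    "GET /api/list/all/?secret=9FbCCD4A2DB7Fd5 200",
]

if __name__ == "__main__":
    print("vulnerable:", list_todos_vulnerable("all", "9FbCCD4A2DB7Fd5"))
    print("hardened:  ", list_todos_hardened("all", "9FbCCD4A2DB7Fd5"))
    for line, reason in flag_cross_user_reads(SAMPLE_LOG):
        print(reason, "<-", line)
```

The hardened handler separates the two questions the vulnerable one conflates: a valid secret proves who is calling (authentication), but ownership of the requested list, or the admin role for the 'all' view, decides whether the call is allowed (authorization). The log pass applies the same ownership rule after the fact, so a server that still has the bug would at least surface every request where a non-admin secret fetched someone else's list.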

Conclusion:
The "Baby Todo or Not Todo" challenge serves as an eye-opening reminder that even seemingly benign applications like a todo list can host security vulnerabilities. Broken authentication, as we've seen, can provide unauthorized access to critical information. As we cherish our victorious discovery of the flag, we also acknowledge the continual need to develop more secure software applications.