from flask import Flask, request, session, redirect, render_template_string, abort

# Deliberately vulnerable Flask app used to demonstrate broken access
# control: an IDOR on /profile, an unprotected /admin page, and a
# client-controlled role change on /edit-role. Nothing here is meant to
# be deployed.

app = Flask(__name__)
# Hard-coded, guessable signing key for the session cookie. Anyone who knows
# it can mint a cookie with an arbitrary `user_id`. A real deployment loads a
# random key from the environment or a secrets store.
app.secret_key = 'insecure-secret'

# In-memory "database". Passwords are stored and compared in plaintext,
# which is acceptable only because this is a demo fixture.
users = {
    1: {"username": "alice", "password": "pass1", "role": "user"},
    2: {"username": "bob", "password": "pass2", "role": "admin"},
}

# Inline Jinja templates. render_template_string() autoescapes these, unlike
# the hand-built f-string response in /profile.
login_template = """
<h2>Login</h2>
<form method="POST">
  Username: <input name="username"><br>
  Password: <input name="password"><br>
  <input type="submit" value="Login">
</form>
"""

# The link below points at a fixed user_id; /profile serves whichever id is
# supplied, which is the IDOR being demonstrated.
profile_template = """
<h2>Welcome, {{ user['username'] }}</h2>
<p>Your role: {{ user['role'] }}</p>
<p><a href="/profile?user_id=1">View Alice's profile</a></p>
"""

# Rendered by /admin with no role check at all.
admin_panel = """
<h2>Admin Panel</h2>
<p>Super secret password is "Password". Only visible to admins.</p>
"""

# The role is carried in a hidden field, i.e. the client decides its own
# privilege level; the server trusts it as-is (see edit_role()).
edit_role_form = """
<h2>Edit Your Role</h2>
<form method="POST">
  <input type="hidden" name="role" value="admin">
  <input type="submit" value="Update Role">
</form>
"""

@app.route('/', methods=['GET', 'POST'])
def login():
    """Serve the login form on GET; authenticate the posted credentials on POST.

    Credentials are matched against the in-memory ``users`` table by a
    plaintext comparison (demo only). On success the matching id is stored in
    the signed session as ``user_id`` and the client is redirected to
    ``/dashboard``; otherwise a plain ``'Login failed'`` body is returned.
    The same failure text is used for an unknown username and a wrong
    password, so the response does not reveal which one was wrong.
    """
    if request.method != 'POST':
        return render_template_string(login_template)

    submitted = request.form
    for candidate_id, record in users.items():
        if record['username'] != submitted['username']:
            continue
        if record['password'] != submitted['password']:
            continue
        session['user_id'] = candidate_id
        return redirect('/dashboard')
    return 'Login failed'

@app.route('/dashboard')
def dashboard():
    """Render the logged-in user's own profile.

    The user is resolved from the session's ``user_id`` only; the request
    carries no id of its own, so this route is not subject to the IDOR that
    ``/profile`` demonstrates. Unauthenticated or unknown sessions are sent
    back to the login page.
    """
    session_uid = session.get('user_id')
    current = users.get(session_uid)
    if current:
        return render_template_string(profile_template, user=current)
    return redirect('/')

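@app.route('/profile')
def profile():
    """Show the profile selected by the ``user_id`` query parameter.

    Deliberate flaw (demo, IDOR): the id comes straight from the query
    string and is never compared with the session's ``user_id``, nor is a
    session required at all, so any caller can read any user's profile. The
    fix is to require a login and serve ``users[session['user_id']]`` (or to
    authorize the requested id against the caller's permissions).

    Returns 400 when ``user_id`` is missing or not an integer (the bare
    ``int()`` call used to raise TypeError/ValueError and surface as a 500),
    404 when no such user exists, otherwise a small HTML fragment.
    """
    from html import escape

    raw_id = request.args.get('user_id')
    try:
        uid = int(raw_id)
    except (TypeError, ValueError):
        abort(400)
    user = users.get(uid)
    if not user:
        abort(404)
    # This response is built by string formatting rather than a Jinja
    # template, so nothing is auto-escaped. ``role`` is writable by the
    # client through /edit-role, so escape before interpolating.
    return (
        f"<h2>Profile of {escape(user['username'])}</h2>"
        f"<p>Role: {escape(user['role'])}</p>"
    )
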
@app.route('/admin')
def admin():
    """Render the admin panel.

    Deliberate flaw (demo, missing authorization): no session is required
    and the caller's role is never inspected, so the panel is readable by
    anyone. The fix is to look up ``users.get(session.get('user_id'))`` and
    ``abort(403)`` unless its ``role`` is ``'admin'``.
    """
    panel_html = render_template_string(admin_panel)
    return panel_html

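@app.route('/edit-role', methods=['GET', 'POST'])
def edit_role():
    """Let the logged-in user submit a new role for their own account.

    Deliberate flaw (demo, client-controlled privilege): on POST the new role
    is taken verbatim from the ``role`` form field, so any user can set
    themselves to ``admin``. The fix is to not accept a role from the client
    at all -- role changes belong to an admin-only endpoint -- or at minimum
    to validate the value against the set of roles this caller may choose.

    Returns a redirect to ``/`` when there is no usable session user, a
    redirect to ``/dashboard`` after a POST, and the form on GET.
    """
    uid = session.get('user_id')
    if not uid:
        return redirect('/')
    # A signed session can still carry an id with no matching record (a
    # stale or forged cookie); treat that like "not logged in" instead of
    # letting ``users[uid]`` raise KeyError and surface as a 500.
    user = users.get(uid)
    if user is None:
        return redirect('/')
    if request.method == 'POST':
        # Insecure by design: the client supplies its own role.
        user['role'] = request.form['role']
        return redirect('/dashboard')
    return render_template_string(edit_role_form)
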
if __name__ == "__main__":
    # debug=True turns on the Werkzeug debugger and reloader; it belongs
    # only on a local, non-exposed demo run like this one.
    app.run(debug=True)