Scanner output examples

This is a collection of files from the unit tests that demonstrates Aura's scanning capabilities and its various output formats.

Vulnerable Flask application

# This is an intentionally vulnerable Flask application
# Vulnerabilities here are used to test the taint analysis system

import flask

from . import taint_import

# Application object for the fixture. The handlers below are plain functions in
# this listing (no @app.route decorators are visible), so they are exercised by
# the analyzer rather than served.
app = flask.Flask("ratata")

class Unsecure():
    """Fixture class used by the taint-analysis tests.

    ``code`` starts out as ``None`` and is populated by a caller (see
    ``vuln6``, which assigns a request parameter to it).
    """

    def __init__(self):
        self.code = None  # nothing assigned until a caller sets it

    def eval_arg(cls):
        # Sink under test: the 'src' query parameter goes straight into eval(),
        # so an analyzer should report code execution from untrusted input here.
        # NOTE(review): the first parameter is named ``cls`` although this is a
        # plain instance method — presumably deliberate fixture noise; confirm.
        eval(flask.request.args.get('src', 'pass'))
        return True

    def run(self):
        # Only the None case returns a value. The ``return True`` below sits
        # after an unconditional return and is unreachable (presumably a
        # dead-code case for the analyzer). When ``code`` is set the method
        # falls through and returns None.
        if self.code is None:
            return False
            return True

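def xss_arg():
    """XSS via URL parameter.

    The 'data' query parameter is returned verbatim as a ``text/html``
    response, so the request value reaches the response body unescaped. This
    is the fixture's intended source-to-sink flow; an analyzer should flag it.
    """
    data = flask.request.args.get('data')
    resp = flask.make_response(data, 200)
    # Declaring the body as HTML is what makes the unescaped echo a sink.
    resp.headers['Content-Type'] = 'text/html'
    return resp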

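def xss_form():
    """XSS via form parameter.

    Returns the submitted 'input_data' form field as-is; the taint flows from
    ``flask.request.form`` directly to the return value with no escaping.
    """
    data = flask.request.form['input_data']
    return data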

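def drive_by():
    """Arbitrary redirect via URL parameter.

    The redirect target is taken from the 'secret_value' query parameter, so
    the destination is caller-controlled (open redirect); the analyzer should
    report the request argument reaching ``flask.redirect``.
    """
    return flask.redirect(flask.request.args.get('secret_value'), 302)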

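def vuln4():
    """XSS via string concatenation.

    The 'name' query parameter is spliced into an HTML fragment with ``+``;
    concatenation does not escape it, so the taint survives into the returned
    markup. The fixture exercises taint propagation through string operators.
    """
    return "<h1>" + flask.request.args.get('name', 'John Doe') + '!</h1>'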

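def vuln5():
    """Tainted input defined at the end of the for-loop.

    ``name`` starts as None and is only reassigned from the request when it
    is already non-None, so the assignment never actually runs. The fixture
    exists to check how the analyzer handles a tainted definition that would
    only become reachable on a later loop iteration. Returns None.
    """
    name = None
    for _ in range(5):  # TODO: handle this case
        if name is not None:
            name = flask.request.args.get('src', 'pass')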

def vuln6():
    """Taint flowing into an object attribute.

    Stores the 'src' query parameter on an ``Unsecure`` instance; presumably
    the fixture checks that the analyzer keeps tracking the tainted value
    through ``obj.code`` instead of losing it at the attribute assignment.
    The value is not used here; the response is a fixed string.
    """
    obj = Unsecure()
    obj.code = flask.request.args.get('src', 'pass')
    return "Hello world"

def vuln7(command):
    """Body not present in this rendering.

    NOTE(review): the function body was lost when the listing was extracted;
    consult the fixture source before relying on this case.
    """

def vuln8():
    """XSS through a template variable.

    Passes the 'name' query parameter to ``render_template`` as a context
    value. Whether it is escaped depends on the template, which is not shown
    here; the flow from the request into the template context is what the
    analyzer is expected to report.
    """
    name = flask.request.args.get('name', 'Spiderman')
    return flask.render_template("main_xss.html", name=name)

def vuln9():
    """Taint introduced by a function from another module.

    ``taint_import.get_username`` (imported at the top of the file) is the
    source here rather than ``flask.request``; the fixture checks that taint
    information crosses the module boundary before reaching the template.
    """
    # Test that the taint is passed from a different module
    name = taint_import.get_username()
    return flask.render_template('main_xss.html', name=name)

def not_vuln1(command):
    """Body not present in this rendering.

    NOTE(review): the function body was lost when the listing was extracted;
    consult the fixture source for the negative case it is meant to cover.
    """

def not_vuln2(command):
    """Negative case: converting the input to ``int`` sanitizes it.

    ``int()`` either yields an integer or raises, so no caller-controlled
    string survives the call. The result is unused and the function returns
    None; presumably this checks the analyzer does not report a false
    positive here.
    """
    c = int(command)

def test1():
    """Render a template that does not exist.

    The template name is a constant (no request data involved); the missing
    file presumably exercises the scanner's handling of unresolved template
    references rather than a taint flow.
    """
    return flask.render_template('doesn_not_exists.html')


  • plaintext

  • JSON

  • SQLite

  • Parsed AST

Obfuscated code

import pprint as fabulous  # Rename imported module
# Various module import styles
from a.b.c import d
from x import y as z
from .. import relative

from requests import post  # Import only function from a module
# Simple obfuscation of URL
# The literal is split in two so the full encoded string never appears as one
# token; the padding and alphabet look like base64, so a scanner that decodes
# string constants would recover the URL, while a plain substring match on the
# source would not.
url = 'aHR0cDovL21hbHd' + 'hcmUuY29tL0NuQw==\n'

blah = open  # Rename builtin function
# (the alias hides the builtin's name from a naive "calls open()" pattern match)

# Rebinds the name ``d`` imported above. NOTE(review): the closing brace of
# this dict is missing in this rendering.
d = {
    'func': blah

# Calls the builtin through the dict entry: a scanner must follow both the
# alias and the subscript to see that this is open('~/.profile').
somefile = d['func']('~/.profile')

# NOTE(review): the right-hand side of this assignment was lost in this
# rendering.
payload =

test_url = ""

# ``blah`` is again the builtin ``open``. NOTE(review): the body of this
# with-block is missing from this rendering.
with blah('~/.bash_rc') as fd:
    # Local context sensitive

# This statement works only in Python 2; can't be parsed in Python 3
print "test"

cpx = 12 + 3j # complex number

# Reversing with a step of 2 drops the filler characters between the letters.
fabulous.pprint("adalaraoawa aoalalaeaH"[::-2])  # String "Hello world" after slicing