FilesExpand file tree

 main

/

BenchmarkTest00017.py

Copy path

Blame

More file actions

Blame

More file actions

Latest commit

 

History

History

History

72 lines (55 loc) · 2.28 KB

 main

/

BenchmarkTest00017.py

Copy path

Top

File metadata and controls

• Code
• Blame

72 lines (55 loc) · 2.28 KB

Raw

Copy raw file

Download raw file

Open symbols panel

Edit and raw actions

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

'''

OWASP Benchmark for Python v0.1

This file is part of the Open Web Application Security Project (OWASP) Benchmark Project.

For details, please see https://owasp.org/www-project-benchmark.

The OWASP Benchmark is free software: you can redistribute it and/or modify it under the terms

of the GNU General Public License as published by the Free Software Foundation, version 3.

The OWASP Benchmark is distributed in the hope that it will be useful, but WITHOUT ANY

WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR

PURPOSE. See the GNU General Public License for more details.

Author: Theo Cartsonis

Created: 2025

'''

from flask import redirect, url_for, request, make_response, render_template

from helpers.utils import escape_for_html

def init(app):

@app.route('/benchmark/xxe-00/BenchmarkTest00017', methods=['GET'])

def BenchmarkTest00017_get():

response = make_response(render_template('web/xxe-00/BenchmarkTest00017.html'))

response.set_cookie('BenchmarkTest00017', '%3C%3Fxml+version%3D%221.0%22+encoding%3D%22UTF-8%22+standalone%3D%22yes%22%3F%3E%0A%09%3Ctest+xmlns%3Axsi%3D%22http%3A%2F%2Fwww.w3.org%2F2001%2FXMLSchema-instance%22%0A%09xsi%3AnoNamespaceSchemaLocation%3D%22test.xsd%22%3EHello+from+Venus%3C%2Ftest%3E',

max_age=60*3,

secure=True,

path=request.path,

domain='localhost')

return response

return BenchmarkTest00017_post()

@app.route('/benchmark/xxe-00/BenchmarkTest00017', methods=['POST'])

def BenchmarkTest00017_post():

RESPONSE = ""

import urllib.parse

param = urllib.parse.unquote_plus(request.cookies.get("BenchmarkTest00017", "noCookieValueSupplied"))

bar = "This should never happen"

if 'should' in bar:

bar = param

import xml.dom.minidom

import xml.sax.handler

try:

parser = xml.sax.make_parser()

# all features are disabled by default

doc = xml.dom.minidom.parseString(bar, parser)

out = ''

processing = [doc.documentElement]

while processing:

e = processing.pop(0)

if e.nodeType == xml.dom.Node.TEXT_NODE:

out += e.data

else:

processing[:0] = e.childNodes

RESPONSE += (

f'Your XML doc results are: <br>{escape_for_html(out)}'

)

except:

RESPONSE += (

f'There was an error reading your XML doc:<br>{escape_for_html(bar)}'

)

return RESPONSE