Looking for some help with a training exercise which involves some coding to confirm that we understand a topic. Should be really simple, but sadly, the app we are using for this training uses a VERY rudimentary code editor/sandbox that doesn’t provide ANY feedback other than a red/green result for any code changes/tests.

What I’m asking for is NOT “help with my homework”, but simply help with the necessary code change to fix a CSRF exploit in a sample app by comparing the saved and current state values. The code is in Python which isn’t really my strong suit, and I can’t figure out exactly how it wants the code to be changed.

Here’s the sample code, with my latest attempt commented.

import base64
import html
import json
import requests
import urllib


def encodeClientCredentials(clientId, clientSecret):
    s = urllib.parse.quote(clientId)+":" + urllib.parse.quote(clientSecret)
    return base64.b64encode(s.encode("utf-8"))


def clientCallback(query, clientData, authServerData, savedState):
    # Client
    # /GET /callback
    # query = {error, code, redirect_uri, state, scope, response_type }
    # savedState => Hash value saved by client after click "Approve"
    
    if "error" in query:
        return {
            "error": True,
            "msg": query["error"]
        }
    code = query["code"] if "code" in query else None
    # My code
    state = query["state"] if "state" in query else None
    # End of my Code
    form_data = {
        "grant_type": "authorization_code",
        "code": code,
        "redirect_uri": "http://client.com/callback"
    }
    encodedCredentials = encodeClientCredentials(
        clientData["client_id"],
        clientData["client_secret"]
    )
    encodedCredentials = encodedCredentials.decode("utf-8")
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "Authorization": "Basic " + encodedCredentials
    }
    r = requests.post(
        authServerData["tokenEndpoint"],
        data=form_data,
        headers=headers
    )

    tokRes = r.text
    # My code
    #if state <> savedState:
    #    return {
    #        "error": True,
    #        "msg": "State value mismatch",
    #        "statusCode": r.status_code
    #    }
    # End of my code

    if r.status_code >= 200 and r.status_code < 300:
        body = json.loads(tokRes)
        scope = body["scope"]
        access_token = body["access_token"]
        return {
            "error": False,
            "access_token": access_token,
            "scope": scope,
            "statusCode": r.status_code
        }
    else:
        body = json.loads(tokRes)
        return {
            "error": True,
            "msg": body["error"],
            "statusCode": r.status_code
        }


def getContactXSS(access_token=None):
    if not access_token:
        return {
            "error": True,
            "msg": "No Access Token",
            "statusCode": 401
        }
    else:
        headers = {
            "Authorization": "Bearer " + access_token
        }
        r = requests.post(
            "http://protected:7012/contact-xss-get",
            headers=headers
        )
        rawResult = r.text
        if r.status_code >= 200 and r.status_code < 300:
            body = json.loads(rawResult)
            return {
                "error": False,
                "resource": body,
                "statusCode": r.status_code
            }
        else:
            return {
                "error": True,
                "statusCode": r.status_code,
            }

So, this version doesn’t throw ANY error. It simple says the exploit has not been fixed. ANY help, pointers or working code would be HUGELY appreciated. I understand the concepts behind remediating CSRF exploits, I just need help getting the stupid sample working.