I'm currently working in a group project where we are simulating a code injection attack on a simulated smart device, specifically a light bulb. The way this works is using an HTML page with the following text field code within it:
<input type="text" id="color" name="color">
<input type="submit" value="Set Color">
When hit, the following function is called:
color = request.args.get('color')
bulb_state["color"] = color
os.system(f"echo Setting color to {color}")
return f"Color set to : {color}"
After this, the simulated smart bulb has a function to update the color as shown in the color bulb state:
r = requests.get("http://127.0.0.1:5000/get_state")
if r.status_code == 200:
    state = r.json()
    bulb_label.config(fg=state["color"])
    brightness = state["brightness"] / 100
    bulb_label.config(text=f"💡 {state['brightness']}%")
From this, I have tried a couple of different methods to inject code into different points of the program. Whenever I try to inject a statement into the code, however, it seems to fail. Most of my attempts so far have been similar to:
> red"])#
> red} and {bulb_state["brightness"]}
> red}")#
where I have attempted to have the color string be printed out differently, or have it counted as a legitimate color despite the added code at the end. None of my attempts so far have worked, however, and I believe I am missing something. Is there a part of the program that is protecting against code injection attacks, or am I submitting the code injection wrong? I'm trying to see where the problem may be arising, so I may make the necessary changes. Any help is appreciated on this!
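An added example, not part of the original post: it shows how the handler's f-string treats the three inputs quoted above, and a hardened form of the same handler body that validates the color and runs `echo` without a shell. The names `original_command`, `is_valid_color` and `set_color_hardened`, the color allowlist, and the `(body, status)` return shape are assumptions made for this sketch.

```python
import re
import subprocess

# Assumption: the bulb only needs Tk-style color names or #rrggbb values.
COLOR_RE = re.compile(r"[A-Za-z]{1,20}|#[0-9A-Fa-f]{6}")

# The three inputs tried in the post, copied verbatim.
POST_ATTEMPTS = ['red"])#', 'red} and {bulb_state["brightness"]}', 'red}")#']


def original_command(color):
    """String the post's handler builds for os.system (built here, not run)."""
    # An f-string substitutes the value as text; braces, quotes and '#'
    # inside `color` are never re-parsed as Python.
    return f"echo Setting color to {color}"


def is_valid_color(color):
    """Allowlist check: accept only a plain name or a 6-digit hex color."""
    return isinstance(color, str) and COLOR_RE.fullmatch(color) is not None


def set_color_hardened(bulb_state, color):
    """Hardened handler body: validate first, then run echo without a shell."""
    if not is_valid_color(color):
        # Assumed (body, status) return shape; also covers a missing parameter.
        return "Invalid color", 400
    bulb_state["color"] = color
    # Argument vector, shell=False (the default): `color` is one argv element
    # and no shell ever interprets it.
    done = subprocess.run(["echo", "Setting color to", color],
                          capture_output=True, text=True, check=True)
    return done.stdout.strip(), 200


if __name__ == "__main__":
    state = {"color": "white", "brightness": 100}  # constructed sample state
    for attempt in POST_ATTEMPTS:
        print(repr(original_command(attempt)), set_color_hardened(state, attempt))
    print(set_color_hardened(state, "red"), state)
```

Validating before the value is stored also keeps strings that Tk does not recognise as colors away from the `bulb_label.config(fg=...)` call in the bulb client.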