I'm currently learning about computer security and in my course we have been asked to create a basic website and demonstrate some basic attacks on it.
So, my mission is to demonstrate a stored XSS attack on my website, which is based on Flask (Python 3.7.2).
Now, the first picture is the Python code in which I get the customer name and email from the HTML form, store them in my DB and then read them back so I can show the user the customer name that was just entered into the system.
The second picture is the HTML itself and the third one is what I feed the website with. As you can see, I put a basic HTML tag in the "customer name" field in the hope that when the website presents it, it will be BOLD... but as you can see it is just presented as plain text...
What am I doing wrong?
thanks!!!
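The behaviour described above is what Flask's Jinja2 autoescaping does: for templates whose name ends in .html (and for render_template_string) every `{{ value }}` has `<`, `>`, `&` and quotes replaced with HTML entities before the page is sent, so the browser shows the tag as text instead of interpreting it. The following is an added, self-contained example (not the poster's code, and not Flask itself) that reproduces the store-then-render flow from the post with an in-memory sqlite3 table and uses the standard library's `html.escape` to stand in for Jinja2's autoescape. The function names, the table layout and the sample inputs are all constructed for this illustration. The point it shows is that the database is not what neutralises the payload: the raw `<b>` is stored verbatim, and only the output encoding at render time decides whether it is text or markup. Rendering with `escape=False` corresponds to marking the value `|safe` (or wrapping it in `Markup`) in a Flask template, which is what turns the page into a stored-XSS demo.

```python
import html
import sqlite3

# Constructed in-memory stand-in for the poster's customer table.
_conn = sqlite3.connect(":memory:")
_conn.execute("CREATE TABLE customer (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")


def store_customer(name: str, email: str) -> int:
    """Store the submitted form values verbatim (parameterised, so no SQL injection).

    Nothing is escaped here on purpose: the stored value is exactly what the
    user typed, just as in the post's Flask handler.
    """
    cur = _conn.execute(
        "INSERT INTO customer (name, email) VALUES (?, ?)", (name, email)
    )
    _conn.commit()
    return cur.lastrowid


def load_customer_name(customer_id: int) -> str:
    """Read the stored name back, still unmodified."""
    row = _conn.execute(
        "SELECT name FROM customer WHERE id = ?", (customer_id,)
    ).fetchone()
    return row[0]


def render_welcome(name: str, escape: bool = True) -> str:
    """Build the page fragment that greets the newly entered customer.

    escape=True mimics Jinja2 autoescaping of {{ name }} (Flask's default for
    .html templates): markup characters become entities and the browser shows
    the tag as literal text.
    escape=False mimics {{ name|safe }} / Markup(name): the stored string is
    inlined as-is, so a stored payload is interpreted as markup.
    """
    shown = html.escape(name, quote=True) if escape else name
    return "<p>Welcome, " + shown + "!</p>"


def round_trip(name: str, email: str, escape: bool = True) -> str:
    """Store a form submission, read it back, and render it: the full flow."""
    cid = store_customer(name, email)
    return render_welcome(load_customer_name(cid), escape=escape)


if __name__ == "__main__":
    # Constructed sample input matching the post: a bold tag in the name field.
    payload = "<b>Alice</b>"
    print("autoescaped :", round_trip(payload, "alice@example.invalid"))
    print("marked safe :", round_trip(payload, "alice@example.invalid", escape=False))
    # A stored script payload behaves the same way: harmless when escaped,
    # executed by the browser when rendered raw.
    script = "<script>alert(document.cookie)</script>"
    print("autoescaped :", round_trip(script, "bob@example.invalid"))
    print("marked safe :", round_trip(script, "bob@example.invalid", escape=False))
```

The first line of output contains `&lt;b&gt;Alice&lt;/b&gt;`, which is what the post's page is sending: the browser decodes the entities back to the visible characters `<b>Alice</b>` but never treats them as a tag. The second line contains the raw `<b>Alice</b>` and would render bold. If the goal is to demonstrate stored XSS, the lesson is that the injection point has to be one where the stored value reaches the page without this encoding (for example a template that uses `|safe`, builds HTML with string concatenation, or a template not ending in .html where Flask does not autoescape), and exactly that is the mistake real applications make.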