Python Snippet #04
This challenge covers the review of a snippet of code written in Python
The Code Review Snippet challenges present you with small pieces of vulnerable code to test your ability to identify security flaws. In this lab, we examine a Python server script where your task is to spot vulnerabilities without initial guidance. If you struggle or want to confirm your findings, a detailed video explanation is available.
In the provided Python script, we see a server handling HTTP GET requests, retrieving a 'session_id' from cookies, and using it to read a file. This script has a critical vulnerability: it does not filter the session ID, allowing an attacker to read the first line of any file accessible to the server. Additionally, there is a minor Cross-Site Scripting (XSS) vulnerability when the username is displayed without proper sanitization.