HackDay - Web
Flask Web Challenge - Template Injection Analysis
In this challenge, we have a downloadable folder containing several files.
Step 1: Identifying the Web Framework
By examining the requirements.txt and app.py files, we confirm that the application is built using Flask.
Step 2: Examining the Docker Configuration
Looking into the docker-compose.yaml file, we notice that the application is using templates as an environment variable, which could be a potential security risk.
Step 3: Accessing the Template in the Browser
By navigating to the template in a web browser, we confirm that the application is rendering content dynamically.
Step 4: Inspecting the Template Code in an IDE and Extracting the Flag
Opening the template in an IDE allows us to analyze its structure.
After analyzing the template, we find that the flag was left in a comment inside the template file.
This suggests a misconfiguration where sensitive data was left exposed in the source code.
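
A pre-deployment check for the misconfiguration described above, added here as an example that is not part of the original write-up or the challenge code. It scans a template for sensitive-looking comments and reports whether each one is a Jinja comment (dropped at render time, but visible to anyone holding the source) or an HTML comment (delivered to every browser). The keyword heuristic, the function name `scan_template` and the sample template are assumptions constructed for illustration.

```python
import re

# Comment syntaxes that can appear in a Flask/Jinja2 template.
JINJA_COMMENT = re.compile(r"\{#(.*?)#\}", re.DOTALL)   # dropped at render time
HTML_COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)   # delivered to the browser

# Assumed heuristic for "looks sensitive": a keyword or a NAME{...} token.
SENSITIVE = re.compile(
    r"\b(flag|secret|password|passwd|api[_-]?key|token)\b|\w+\{[^{}\s]+\}",
    re.IGNORECASE,
)

def _blank(match):
    # Replace a span with spaces but keep newlines so line numbers stay valid.
    return re.sub(r"[^\n]", " ", match.group(0))

def scan_template(source):
    """Return sensitive-looking comments with line, kind and client exposure."""
    findings = []

    def collect(pattern, text, kind, sent_to_client):
        for m in pattern.finditer(text):
            if SENSITIVE.search(m.group(1)):
                findings.append({
                    "line": text.count("\n", 0, m.start()) + 1,
                    "kind": kind,
                    "sent_to_client": sent_to_client,
                })

    collect(JINJA_COMMENT, source, "jinja", False)
    # Jinja removes its comments before output, so HTML comments nested inside
    # them never reach the client; blank them before the HTML pass.
    collect(HTML_COMMENT, JINJA_COMMENT.sub(_blank, source), "html", True)
    return sorted(findings, key=lambda f: f["line"])

# Constructed sample template, not taken from the challenge files.
SAMPLE = """<html>
<body>
  <!-- TODO: tidy up layout -->
  {# secret: PLACEHOLDER_VALUE #}
  <h1>{{ title }}</h1>
  <!-- FLAG{constructed_example} -->
</body>
</html>
"""

if __name__ == "__main__":
    for finding in scan_template(SAMPLE):
        print(finding)
```

Run over every file in the templates directory as a CI step, a non-empty result is a reason to fail the build before the image is published.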