def create_user_with_xss2_payload(server):
    """
    Register an account whose email field holds the XSS2 script payload.

    The UI client blocks invalid email addresses, so the account is created
    through the API with create_user() instead of through the UI form. The
    check being bypassed runs in the client; whether the API validates the
    email itself is not visible from this function.
    :param server: juice shop URL.
    """
    # The trailing comma is kept from the original: under a Python 2 print
    # statement it suppresses the newline, under Python 3 it has no effect.
    print('Creating user account with malicious XSS2 as email...'),
    payload_email = '<script>alert("XSS2")</script>'
    create_user(server, payload_email, 'password')
    print('Success.')
def register():
    """Create an account from the posted form and start a session for it.

    Reads the 'username' and 'password' form fields and passes them to
    authentication.create_user(). A truthy result stores the username in the
    Flask session and answers 201 'success'; anything else answers
    401 'unauthorized'.

    NOTE(review): no length or format validation of either field is visible
    here; presumably authentication.create_user() enforces it - confirm.
    """
    form = flask.request.form
    username = form['username']
    password = form['password']

    # Guard clause: refuse first, so the session is only touched on success.
    if not authentication.create_user(username, password):
        return flask.make_response(('unauthorized', 401))

    flask.session['username'] = username
    return flask.make_response(('success', 201))
Exemple #3
def register():
    """Register the user named in the posted form and log them in.

    The 'username' and 'password' form values go to
    authentication.create_user(). When that call reports success the username
    is written to the Flask session and the response is 201 'success';
    otherwise the response is 401 'unauthorized' and the session is untouched.

    NOTE(review): input validation is not visible in this handler; verify
    that authentication.create_user() rejects malformed usernames.
    """
    username = flask.request.form['username']
    password = flask.request.form['password']

    created = authentication.create_user(username, password)
    if created:
        # Only a successfully created account is bound to the session.
        flask.session['username'] = username
        reply = ('success', 201)
    else:
        reply = ('unauthorized', 401)
    return flask.make_response(reply)
Exemple #4
	def create_user(self, username, password, public_key):
		"""Create a user on behalf of the user held by this object.

		Delegates to the module-level create_user(), passing self.session and
		self._user as the acting user. Inside a method body the bare name
		resolves to the module-level function, not to this method.

		:raises ValueError: when the module-level create_user() returns a
			falsy value. The message suggests the acting user was not allowed
			to change another user's password; confirm against the helper.
		"""
		accepted = create_user(
			self.session, username, password, public_key, self._user
		)
		if accepted:
			return
		raise ValueError("Cannot change different user's password")
Exemple #5
 def create_user(self, username, password, public_key):
     """Create a user, acting as the user stored in self._user.

     Calls the module-level create_user() with self.session and the supplied
     credentials; the bare name inside a method refers to the module-level
     function rather than to this method.

     :raises ValueError: if that call returns a falsy value. Judging by the
         message, this is an authorization refusal; verify in the helper.
     """
     acting_user = self._user
     ok = create_user(self.session, username, password, public_key, acting_user)
     if not ok:
         raise ValueError("Cannot change different user's password")
	def test_create_user_update_admin(self):
		# Acting as 'admin', create_user() on the name 'test' must report
		# success, and the password given in that call must then authenticate.
		# The fixture that seeds the accounts is not visible here.
		admin = auth.get_user(self.s, 'admin')
		changed = auth.create_user(self.s, 'test', 'pass2', None, admin)
		self.assertTrue(changed)
		account = auth.check_user(self.s, 'test', 'pass2')
		self.assertIsNotNone(account)
	def test_create_user_update_other(self):
		# Acting as 'test_1', create_user() on the name 'test' must be
		# refused, and 'test' must still authenticate with 'pass'.
		# Presumably 'pass' is the fixture password; confirm in setUp.
		# NOTE(review): consider also asserting that 'pass2' does not
		# authenticate, so a refusal that still wrote the password is caught.
		other = auth.get_user(self.s, 'test_1')
		changed = auth.create_user(self.s, 'test', 'pass2', None, other)
		self.assertFalse(changed)
		account = auth.check_user(self.s, 'test', 'pass')
		self.assertIsNotNone(account)
	def test_create_user_update_no_creator(self):
		# With no acting user (creator is None), create_user() on the name
		# 'test' must be refused and 'test' must still authenticate with 'pass'.
		changed = auth.create_user(self.s, 'test', 'pass2', None, None)
		self.assertFalse(changed)
		account = auth.check_user(self.s, 'test', 'pass')
		self.assertIsNotNone(account)
	def test_create_user_new_creator(self):
		# Acting as 'test', create_user() for the name 'test_new' must
		# succeed, and the user must then be retrievable by that name.
		creator = auth.get_user(self.s, 'test')
		created = auth.create_user(self.s, 'test_new', 'pass', None, creator)
		self.assertTrue(created)
		new_user = auth.get_user(self.s, 'test_new')
		self.assertEqual(new_user.name, 'test_new')