Python vulnerability in input() function


In this article, we look at how the built-in input() function behaves in an undesirable way in Python 2.x. In 2.x, raw_input() returns whatever the user typed as a string, whereas input() evaluates the typed text as a Python expression and returns the result. In Python 3.x the two were merged into a single input(), which returns the typed text as a string.

First, let's look at the type of value returned by the two built-in input functions in Python 2.x.

Example

# Input Given : String (for input(), the text must be typed with quotes, e.g. "abc")
str1 = raw_input("Output of raw_input() function: ")
print type(str1)   # always <type 'str'>
str2 = input("Output of input() function: ")
print type(str2)   # type of the evaluated expression
# Input Given : Float
str3 = raw_input("Output of raw_input() function: ")
print type(str3)   # still <type 'str'>
str4 = input("Output of input() function: ")
print type(str4)   # <type 'float'>
# Input Given : Integer
str5 = raw_input("Output of raw_input() function: ")
print type(str5)   # still <type 'str'>
str6 = input("Output of input() function: ")
print type(str6)   # <type 'int'>

Output

Output of raw_input() function:
Output of input() function:
Output of raw_input() function:
Output of input() function:
Output of raw_input() function:
Output of input() function:

Explanation − From the output it is evident that raw_input() always returns a string, whatever the user types. input(), on the contrary, evaluates the typed text and returns a value of the corresponding type.

After seeing the example above you may wonder: if input() retains the data type, why is it vulnerable? Let's clarify this using an illustration −

ILLUSTRATION 1: Now let’s make a dice game using the random module.

Example

import random as rd
number = rd.randint(1,6)      # the module was imported as rd, so use rd.randint
print ("Pick a number between 1 to 6")
while True:
   # In Python 2.x input() evaluates the typed text; this is the vulnerable call
   user_input = input("Guess the number: ")
   if user_input==number:
      print ("You guessed it right.")
      break
   else:
      print ("OOPS! try it next time.")
      continue

Explanation − If the user enters an integer, the comparison behaves as intended.

If instead the user enters a string identical to the name of the variable in which we store the random integer (number), the program still produces output, but not the output we want. It should raise an error for the wrong input type; instead, because input() evaluates the text, the variable name is treated as if the user had typed the number itself, the expression yields True and the game ends. Had raw_input() been used instead, no such issue is encountered.

This vulnerability may prove fatal when we are storing login credentials, user details or account passwords.

ILLUSTRATION 2: Now let's make a system which asks for a PIN and compares it with the stored value.

Example

stored_value = 7863          # the secret PIN
def return_function():
   return stored_value
inp = input()                # Python 2.x input() evaluates the typed text
if inp == stored_value:
   print "You Entered Correctly"
else:
   print "Oops! It's Incorrect"

Explanation

As discussed in the previous illustration, if the input is an integer the program works normally. But if the user enters text identical to the name of the stored variable, or an expression such as a call to the function that returns it, input() evaluates that text, the condition becomes True and the success message is printed.

This is very dangerous when handling critical and confidential information such as PINs and passwords. In Python 2.x it can be avoided by using raw_input().

From the above two illustrations it is clear that input() leaves the program open to a direct variable attack, in which the user types a variable name or expression instead of a value.
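A hardened version of both programs, written as an added example for Python 3 (this is not code from the original article). Python 3's input() already returns a string, so the remaining job is to convert that text deliberately instead of evaluating it: the dice guess is accepted only if it is a plain integer literal in range, the PIN is compared as a string in constant time with hmac.compare_digest, and where a typed literal is genuinely needed ast.literal_eval is used because it rejects names and calls. The helper names (parse_guess, play_round, check_pin, literal_only) and the sample inputs are this example's own.

```python
import ast
import hmac
import random
import re

# Added example, not from the article. Function names and sample values are
# this example's own. The typed text is never passed to eval().

_INT_LITERAL = re.compile(r"[+-]?[0-9]+")


def parse_guess(raw, low=1, high=6):
    """Turn the typed text into a dice guess.

    Returns an int in [low, high], or None for anything else: a variable
    name, a function call, a float, or an out-of-range number. The text is
    matched against a digit pattern, never evaluated.
    """
    text = raw.strip()
    if not _INT_LITERAL.fullmatch(text):
        return None
    value = int(text)
    return value if low <= value <= high else None


def play_round(raw, number):
    """One round of the dice game: True only if the parsed guess equals number."""
    guess = parse_guess(raw)
    return guess is not None and guess == number


def check_pin(raw, stored_pin):
    """Compare the typed PIN with the stored one as strings.

    Because both sides are strings, typing a variable name can never collide
    with the stored value, and compare_digest keeps the comparison time
    independent of where the first mismatching character is.
    """
    candidate = raw.strip().encode("utf-8")
    return hmac.compare_digest(candidate, stored_pin.encode("utf-8"))


def literal_only(raw):
    """For cases where a typed literal really is needed (a number, a list ...).

    ast.literal_eval accepts Python literals only; a name such as `number` or
    a call such as `return_function()` raises ValueError, reported as None.
    """
    try:
        return ast.literal_eval(raw.strip())
    except (ValueError, SyntaxError, TypeError):
        return None


def main():
    number = random.randint(1, 6)
    print("Pick a number between 1 and 6")
    while True:
        raw = input("Guess the number: ")        # Python 3: always a str
        if parse_guess(raw) is None:
            print("Please enter a whole number from 1 to 6.")
            continue
        if play_round(raw, number):
            print("You guessed it right.")
            break
        print("OOPS! try it next time.")

    stored_pin = "7863"                          # constructed sample PIN
    if check_pin(input("Enter PIN: "), stored_pin):
        print("You Entered Correctly")
    else:
        print("Oops! It's Incorrect")


if __name__ == "__main__":
    main()
```

With this structure, typing the name of a variable or a function call at either prompt is simply rejected as malformed input; the only way to satisfy the comparison is to type the actual value.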

Conclusion

In this article, we learnt what issues and loopholes are encountered when using the input() function in Python 2.x.

Updated on: 29-Aug-2019
