Software Security Training

Exercise: The Integer Trap

In this activity, you will identify and fix a business logic vulnerability related to input validation.

Scenario: You are a backend developer for an e-commerce site. A user discovered that if they enter a negative quantity for an item, the website calculates a negative price—effectively paying the user to "buy" the item!

Your Task

  1. Examine the code in the editor.
  2. Click "Run Security Test" to see the vulnerability output in the console.
  3. Modify the calculate_total function to reject negative numbers.
  4. If input < 0, return 0 or print an error.
  5. When finished, click "Export PDF" to submit your work.

Why This Matters

Input validation is the first line of defense. Ensuring that data conforms to expected bounds prevents logic errors that attackers can exploit for financial gain.
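The following is an added example, not code from the exercise editor: the vulnerable calculate_total from the scenario kept beside a hardened version that validates the quantity's type and bounds before any arithmetic, and that returns 0 with an error message as the task's step 4 asks. The harness's two test cases (10, 2) and (50, -10) are replayed together with a few constructed edge cases (a bool, a float, a string from a form field, an oversized quantity, a negative price). MAX_QUANTITY is an assumed per-order limit, not a value from the exercise.

```python
# Added example for the "Integer Trap" exercise; not the page's own editor code.

MAX_QUANTITY = 1000  # assumed per-order limit (placeholder, not from the exercise)


def calculate_total_vulnerable(price, quantity):
    """The version described in the scenario: no bounds check at all.

    A negative quantity produces a negative total, i.e. a 'refund'.
    """
    return price * quantity


def validate_quantity(quantity):
    """Return None if the quantity is acceptable, otherwise a reason string.

    Type is checked before bounds: bool is an int subclass in Python, so it is
    excluded explicitly; floats and strings are rejected rather than coerced.
    """
    if isinstance(quantity, bool) or not isinstance(quantity, int):
        return f"quantity must be an integer, got {type(quantity).__name__}"
    if quantity < 0:
        return "quantity must not be negative"
    if quantity == 0:
        return "quantity must be at least 1"
    if quantity > MAX_QUANTITY:
        return f"quantity exceeds the per-order limit of {MAX_QUANTITY}"
    return None


def calculate_total(price, quantity):
    """Hardened version: rejects out-of-range input, prints an error, returns 0."""
    reason = validate_quantity(quantity)
    if reason is None and (isinstance(price, bool) or not isinstance(price, (int, float))):
        reason = f"price must be numeric, got {type(price).__name__}"
    if reason is None and price < 0:
        reason = "price must not be negative"
    if reason is not None:
        print(f"[!] Rejected order: {reason}")
        return 0
    return price * quantity


def run_checks():
    """Replay the exercise's test cases plus constructed edge cases.

    Returns a list of (price, quantity, vulnerable_total, hardened_total).
    """
    cases = [
        (10, 2),       # Test Case 1: normal purchase, both versions give 20
        (50, -10),     # Test Case 2: the attack, hardened version gives 0 not -500
        (50, 0),       # zero quantity
        (50, True),    # bool masquerading as an int (True * 50 == 50)
        (50, 2.5),     # fractional quantity
        (50, "3"),     # string from an unvalidated form field ("3" * 50 is a string!)
        (50, 10**9),   # absurdly large quantity
        (-5, 2),       # negative price
    ]
    return [
        (price, qty, calculate_total_vulnerable(price, qty), calculate_total(price, qty))
        for price, qty in cases
    ]


if __name__ == "__main__":
    for price, qty, vulnerable, hardened in run_checks():
        print(f"price={price!r:>5} qty={qty!r:>12} vulnerable={vulnerable!r:<16} hardened={hardened!r}")
```

Rejecting by type first matters as much as the sign check: the vulnerable version happily multiplies a string or a bool, and a float quantity would slip past a plain `< 0` test. The 0 return value is what the page's harness treats as "attack blocked"; in a real backend the same validation would raise and return an HTTP 4xx instead.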

PYTHON EDITOR (main.py)

# Harness script run by the page (PyScript). It wires the editor, the console
# panel and the "Run Security Test" check together; the exercise's own
# calculate_total lives in the editor, not here.
from js import document, window
import sys


# 1. Remove the loading screen
def setup():
    loading = document.getElementById("loading")
    if loading:
        loading.style.display = "none"


setup()


# 2. HELPER: custom output class so print() from the submitted code lands in the console panel
class ConsoleOutput:
    def write(self, text):
        if text.strip():
            log(text.strip(), "normal")

    def flush(self):
        pass


sys.stdout = ConsoleOutput()
sys.stderr = ConsoleOutput()


# 3. The log function
def log(message, type="normal"):
    console = document.getElementById("console-output")
    if type == "clear":
        console.innerHTML = ""
        return
    color = "#ffffff"
    if type == "pass":
        color = "#2ecc71"
    if type == "fail":
        color = "#e74c3c"
    if type == "info":
        color = "#3498db"
    if type == "system":
        color = "#d4d4d4"
    # Escape HTML metacharacters before writing into innerHTML, so output from the
    # submitted code is shown as text rather than rendered as markup. The ampersand
    # is replaced first so the entities added afterwards are not double-escaped.
    safe_message = (
        message.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")
    )
    # The wrapping element was lost in extraction; a <div> carrying the colour is assumed.
    console.innerHTML += f'<div style="color: {color}">{safe_message}</div>'
    console.scrollTop = console.scrollHeight


# 4. The test runner
def run_tests(*args):
    log("", "clear")
    log("[*] Compiling your code...", "system")
    user_code = document.getElementById("code-editor").value
    test_env = {}
    window.submissionStatus = "INCOMPLETE / FAILED"
    try:
        # A single dict serves as both globals and locals, so functions defined by
        # the submitted code can see each other and any module-level names.
        exec(user_code, test_env)
        if "calculate_total" not in test_env:
            log("[!] Error: Function 'calculate_total' not found.", "fail")
            return
        calc_func = test_env["calculate_total"]

        log("[*] Running Test Case 1: Normal Purchase (10, 2)...", "system")
        if calc_func(10, 2) == 20:
            log(" -> PASS", "pass")
        else:
            log(" -> FAIL", "fail")
            return

        log("[*] Running Test Case 2: ATTACK (50, -10)...", "system")
        result2 = calc_func(50, -10)
        if result2 == -500:
            log(" -> VULNERABILITY DETECTED!", "fail")
            log("    The system calculated a refund of $500.", "fail")
            window.submissionStatus = "FAILED - Vulnerable"
        elif result2 == 0 or result2 is None:
            log(" -> SECURE: Attack blocked!", "pass")
            log("    SUCCESS: Challenge Complete.", "pass")
            window.submissionStatus = "PASSED - Secure"
        else:
            log(f" -> SECURE: Attack blocked! Output: {result2}", "pass")
            log("    SUCCESS: Challenge Complete.", "pass")
            window.submissionStatus = "PASSED - Secure"
    except Exception as e:
        log(f"[!] Runtime Error: {e}", "fail")
        window.submissionStatus = "ERROR - Syntax/Runtime"