Flask framework, ~20 mins

CSRF protection in Flask - Practice Problems & Coding Challenges

Challenge - 5 Problems
🧠 Conceptual
intermediate
What is the main purpose of CSRF protection in Flask?

CSRF protection is important in web applications. What does it mainly protect against?

A. It validates user input to prevent SQL injection.
B. It encrypts user passwords before storing them in the database.
C. It blocks all external requests to the server.
D. It prevents attackers from tricking users into submitting unwanted requests to a web application.
💡 Hint

Think about what kind of attack involves making a user unknowingly perform actions.

Component behavior
intermediate
What happens if a Flask form is submitted without a valid CSRF token?

Consider a Flask app using Flask-WTF with CSRF protection enabled. What is the typical behavior when a form is submitted without a valid CSRF token?

A. The form submission is accepted but logged as suspicious.
B. The server raises a CSRFError and rejects the request.
C. The server ignores the CSRF token and processes the form normally.
D. The server redirects the user to the homepage without processing the form.
💡 Hint

Think about how Flask-WTF handles invalid CSRF tokens by default.

📝 Syntax
advanced
Which code snippet correctly adds CSRF protection to a Flask app using Flask-WTF?

Choose the correct code to enable CSRF protection in a Flask app using Flask-WTF.

Flask
from flask import Flask
from flask_wtf.csrf import CSRFProtect

app = Flask(__name__)
app.config['SECRET_KEY'] = 'your-secret-key'

# Add CSRF protection here
A.
csrf = CSRFProtect()
csrf.init_app(app)
B.
csrf = CSRFProtect(app)
C.
csrf = CSRFProtect(app)
app.config['WTF_CSRF_ENABLED'] = False
D.
csrf = CSRFProtect()
app.csrf = csrf
💡 Hint

Remember that CSRFProtect can be initialized without app and then linked.

🔧 Debug
advanced
Why does this Flask form raise a CSRF error despite using Flask-WTF?

Given this Flask-WTF form and template, the form submission raises a CSRF error. What is the likely cause?

Flask
from flask_wtf import FlaskForm
from wtforms import StringField, SubmitField

class MyForm(FlaskForm):
    name = StringField('Name')
    submit = SubmitField('Submit')

# Template snippet (rendered for this form):
# <form method="POST">
#   {{ form.name.label }} {{ form.name() }}
#   {{ form.submit() }}
# </form>
A. The form method should be GET instead of POST.
B. The form class does not inherit from FlaskForm.
C. The form is missing the CSRF token field in the template.
D. The submit button is missing a name attribute.
💡 Hint

Check if the CSRF token field is included in the HTML form.

State output
expert
What is the output of this Flask route with CSRF protection when submitting a form without a token?

Consider this Flask route using Flask-WTF with CSRF protection enabled. What response does the user get if the form is submitted without a CSRF token?

Flask
from flask import Flask, render_template_string
from flask_wtf import FlaskForm
from flask_wtf.csrf import CSRFProtect
from wtforms import StringField, SubmitField

app = Flask(__name__)
app.config['SECRET_KEY'] = 'secret'
csrf = CSRFProtect(app)

class TestForm(FlaskForm):
    name = StringField('Name')
    submit = SubmitField('Send')

@app.route('/', methods=['GET', 'POST'])
def index():
    form = TestForm()
    if form.validate_on_submit():
        return 'Form submitted'
    return render_template_string('''
        <form method="POST">
            {{ form.csrf_token }}
            {{ form.name.label }} {{ form.name() }}
            {{ form.submit() }}
        </form>
    ''', form=form)

# If a POST request is sent without CSRF token, what happens?
A. The server returns a 400 Bad Request error with a CSRF error message.
B. The server accepts the form and returns 'Form submitted'.
C. The server redirects to the GET route without error.
D. The server crashes with an unhandled exception.
💡 Hint

Think about how Flask-WTF handles missing CSRF tokens on POST requests.