From cb6f8be9a6971073bab68225ddd4331312e26f7c Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Sun, 24 Nov 2024 03:11:50 +0000
Subject: [PATCH] Introduced protections against predictable RNG abuse
---
 .../lessons/challenges/challenge1/ImageServlet.java | 3 ++-
 .../lessons/challenges/challenge7/PasswordResetLink.java | 3 ++-
 .../webgoat/lessons/cryptography/EncodingAssignment.java | 3 ++-
 .../webgoat/lessons/cryptography/HashingAssignment.java | 5 +++--
 .../java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java | 7 ++++---
 .../cas/HijackSessionAuthenticationProvider.java | 3 ++-
 .../owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java | 3 ++-
 7 files changed, 17 insertions(+), 10 deletions(-)
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
index 6ae34384c9..9b6d0bed57 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge1/ImageServlet.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.challenges.challenge1;
+import java.security.SecureRandom;
 import static org.springframework.web.bind.annotation.RequestMethod.GET;
 import static org.springframework.web.bind.annotation.RequestMethod.POST;
@@ -14,7 +15,7 @@
 @RestController
 public class ImageServlet {
- public static final int PINCODE = new Random().nextInt(10000);
+ public static final int PINCODE = new SecureRandom().nextInt(10000);
 @RequestMapping(
 method = {GET, POST},
diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
index ff00f06cb8..8698d389f0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
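Review bot: The `import java.util.Random;` that the replaced `PINCODE` initializer in the ImageServlet hunk relied on is outside this hunk; if nothing else in the file uses it, it is now an unused import and should be dropped in the same change. The same appears to hold for EncodingAssignment, HashingAssignment and JWTSecretKeyEndpoint, where every visible `new Random()` was replaced, whereas PasswordResetLink and CSRFGetFlag still need the import because their locals keep the `Random` declared type. `PINCODE` is `static final` and drawn once at class initialisation, so a one-off `new SecureRandom()` is appropriate here. The `ImageServlet` class body continues outside the hunk.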
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
+import java.security.SecureRandom;
 import java.util.Random;
 /**
@@ -11,7 +12,7 @@
 public class PasswordResetLink {
 public String createPasswordReset(String username, String key) {
- Random random = new Random();
+ Random random = new SecureRandom();
 if (username.equalsIgnoreCase("admin")) {
 // Admin has a fix reset link
 random.setSeed(key.length());
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
index 437e899593..db56dfddc2 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
@@ -23,6 +23,7 @@
 package org.owasp.webgoat.lessons.cryptography;
 import jakarta.servlet.http.HttpServletRequest;
+import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.Random;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -49,7 +50,7 @@ public String getBasicAuth(HttpServletRequest request) {
 String username = request.getUserPrincipal().getName();
 if (basicAuth == null) {
 String password =
- HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
+ HashingAssignment.SECRETS[new SecureRandom().nextInt(HashingAssignment.SECRETS.length)];
 basicAuth = getBasicAuth(username, password);
 request.getSession().setAttribute("basicAuth", basicAuth);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index 266c53ffab..1f2af067c0 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
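Review bot: `random.setSeed(key.length())` in the `createPasswordReset` hunk no longer yields the fixed admin link that the `// Admin has a fix reset link` comment describes: the `SecureRandom.setSeed` Javadoc states that a supplied seed supplements rather than replaces the existing seed, so with the default platform provider the `admin` branch now produces a different link each time the method is called. The `Random` declared type of the local hides this, because `setSeed` compiles the same on both classes while meaning something different. Since this class is a deliberately flawed lesson fixture, the swap should either be reverted for this file or the lesson updated in the same commit; at minimum record the mismatch with a comment such as `// NOTE: on SecureRandom, setSeed only supplements the seed; the admin link is no longer reproducible`. `createPasswordReset` continues outside the hunk.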
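Review bot: `new SecureRandom()` is now constructed on every request on the replaced line of the `getBasicAuth` hunk in EncodingAssignment, and the same pattern appears in both HashingAssignment hunks; a `SecureRandom` is self-seeding and documented as safe for concurrent use, so the idiomatic form is one `private static final SecureRandom RANDOM = new SecureRandom();` field per class with `RANDOM.nextInt(...)` at the call sites. Note also that the chosen password is still one entry of the fixed `HashingAssignment.SECRETS` array, so a stronger generator does not change the number of possible values; that is fine for a lesson fixture but should not be read as hardening. `getBasicAuth` starts before the hunk and ends after it.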
@@ -25,6 +25,7 @@
 import jakarta.servlet.http.HttpServletRequest;
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Random;
 import javax.xml.bind.DatatypeConverter;
 import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
@@ -50,7 +51,7 @@ public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException
 String md5Hash = (String) request.getSession().getAttribute("md5Hash");
 if (md5Hash == null) {
- String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+ String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 MessageDigest md = MessageDigest.getInstance("MD5");
 md.update(secret.getBytes());
@@ -68,7 +69,7 @@ public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmExcept
 String sha256 = (String) request.getSession().getAttribute("sha256");
 if (sha256 == null) {
- String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+ String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 sha256 = getHash(secret, "SHA-256");
 request.getSession().setAttribute("sha256Hash", sha256);
 request.getSession().setAttribute("sha256Secret", secret);
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
index a0e3f5609b..ce7c652738 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
@@ -23,6 +23,7 @@
 package org.owasp.webgoat.lessons.csrf;
 import jakarta.servlet.http.HttpServletRequest;
+import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
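Review bot: In the `getSha256` hunk the guard reads `request.getSession().getAttribute("sha256")` while the value is stored under `"sha256Hash"` two lines below, so unless some other path writes `"sha256"` (not visible here) the null check never short-circuits and the new `new SecureRandom()` line draws a fresh secret on every call, silently replacing the `sha256Secret` already in the session. Either read `getAttribute("sha256Hash")` or store under `"sha256"`, whichever key the rest of the file expects. Both `getMd5` and `getSha256` start before and end after their hunks.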
@@ -54,13 +55,13 @@ public Map invoke(HttpServletRequest req) {
 if (referer.equals("NULL")) {
 if ("true".equals(req.getParameter("csrf"))) {
- Random random = new Random();
+ Random random = new SecureRandom();
 userSessionData.setValue("csrf-get-success", random.nextInt(65536));
 response.put("success", true);
 response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
 response.put("flag", userSessionData.getValue("csrf-get-success"));
 } else {
- Random random = new Random();
+ Random random = new SecureRandom();
 userSessionData.setValue("csrf-get-success", random.nextInt(65536));
 response.put("success", true);
 response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
@@ -71,7 +72,7 @@ public Map invoke(HttpServletRequest req) {
 response.put("message", "Appears the request came from the original host");
 response.put("flag", null);
 } else {
- Random random = new Random();
+ Random random = new SecureRandom();
 userSessionData.setValue("csrf-get-success", random.nextInt(65536));
 response.put("success", true);
 response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
index 018dd8bf1a..238fcb55ed 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
@@ -23,6 +23,7 @@
 package org.owasp.webgoat.lessons.hijacksession.cas;
+import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.LinkedList;
 import java.util.Queue;
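Review bot: The pair `Random random = new SecureRandom();` / `userSessionData.setValue("csrf-get-success", random.nextInt(65536));` now appears in three branches of `invoke` (two in the first hunk, one in the second) with only the message differing; drawing the flag once before the `referer` checks, from a shared `SecureRandom` field, would remove both the duplication and the per-request construction. Declaring the local as `Random` also forces `import java.util.Random;` to stay even though the file no longer uses that class, which a reader may mistake for a remaining `java.util.Random` use; declaring it as `SecureRandom` makes the migration explicit. `invoke` starts before the first hunk and ends after the second.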
@@ -45,7 +46,7 @@
 public class HijackSessionAuthenticationProvider implements AuthenticationProvider {
 private Queue sessions = new LinkedList<>();
- private static long id = new Random().nextLong() & Long.MAX_VALUE;
+ private static long id = new SecureRandom().nextLong() & Long.MAX_VALUE;
 protected static final int MAX_SESSIONS = 50;
 private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
index 0e688c0497..32c0de77b4 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
@@ -27,6 +27,7 @@
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
+import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.Calendar;
 import java.util.Date;
@@ -50,7 +51,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
 "victory", "business", "available", "shipping", "washington"
 };
 public static final String JWT_SECRET =
- TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
+ TextCodec.BASE64.encode(SECRETS[new SecureRandom().nextInt(SECRETS.length)]);
 private static final String WEBGOAT_USER = "WebGoat";
 private static final List expectedClaims =
 List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
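Review bot: Seeding `id` from `SecureRandom` only randomises the starting point of what this line declares as a single mutable `static long`; if the rest of the class hands out successive values of `id` as session identifiers (not visible in the hunk), consecutive identifiers remain related and the change does not by itself make them unguessable. If that sequential behaviour is the point of this lesson fixture, the change is harmless but cosmetic and deserves a comment such as `// random start only; ids handed out from here are still sequential`, whereas a production session identifier should be a fresh random value per session rather than an offset from a random base. The class body continues outside the hunk.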
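Review bot: `JWT_SECRET` is still selected from the fixed `SECRETS` word list (the list begins above the hunk), so its entropy is bounded by the list length regardless of which generator picks the index; the protection named in the commit title does not apply to this line. If the dictionary-word secret is deliberate for the lesson, the swap is cosmetic and worth marking with `// lesson fixture: the signing secret is intentionally a dictionary word`; otherwise the secret should be at least 256 random bits taken directly from `SecureRandom`, not an indexed word. `JWTSecretKeyEndpoint` continues outside the hunk.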