Introduced protections against predictable RNG abuse #2

@@ -1,5 +1,6 @@
package org.owasp.webgoat.lessons.challenges.challenge1;

import java.security.SecureRandom;
import static org.springframework.web.bind.annotation.RequestMethod.GET;
import static org.springframework.web.bind.annotation.RequestMethod.POST;

Expand All @@ -14,7 +15,7 @@
@RestController
public class ImageServlet {

public static final int PINCODE = new Random().nextInt(10000);
public static final int PINCODE = new SecureRandom().nextInt(10000);

@RequestMapping(
method = {GET, POST},
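Review bot: `PINCODE` on L46 is still a four-digit value fixed once at class load, so moving to `SecureRandom` removes seed prediction but not enumeration of the 10000-value space, and a reader of the constant should be told that: `// Fixed for the JVM lifetime; SecureRandom prevents seed prediction, not brute force of the 10000-value space`. Worth checking whether the `java.util.Random` import, which lies outside this hunk, is now unused in ImageServlet.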
@@ -1,5 +1,6 @@
package org.owasp.webgoat.lessons.challenges.challenge7;

import java.security.SecureRandom;
import java.util.Random;

/**
Expand All @@ -11,7 +12,7 @@
public class PasswordResetLink {

public String createPasswordReset(String username, String key) {
Random random = new Random();
Random random = new SecureRandom();
if (username.equalsIgnoreCase("admin")) {
// Admin has a fix reset link
random.setSeed(key.length());
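Review bot: `random.setSeed(key.length())` on L67 now targets a `SecureRandom`, whose `setSeed` is provider-dependent (on the default implementations it supplements rather than replaces the existing seed), so the fixed admin reset link promised by the comment on L66 is no longer guaranteed, while a seed derived from `key.length()` still keeps the admin branch in a tiny value space. Either the deterministic admin link is the lesson's intended behaviour and should be kept explicitly and documented, or the `setSeed` call should be removed; the current mix provides neither property. A comment such as `// SecureRandom.setSeed only mixes in the seed; this no longer yields a fixed link` would at least record the change in behaviour. `createPasswordReset` continues outside the hunk.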
Expand Up @@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.cryptography;

import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
Expand All @@ -49,7 +50,7 @@ public String getBasicAuth(HttpServletRequest request) {
String username = request.getUserPrincipal().getName();
if (basicAuth == null) {
String password =
HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
HashingAssignment.SECRETS[new SecureRandom().nextInt(HashingAssignment.SECRETS.length)];
basicAuth = getBasicAuth(username, password);
request.getSession().setAttribute("basicAuth", basicAuth);
}
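Review bot: The password on L83 is still drawn from the fixed `HashingAssignment.SECRETS` word list, so its guessability is bounded by the list length rather than by the generator; the same holds for the `SECRETS` lookups in HashingAssignment and for `JWT_SECRET` in JWTSecretKeyEndpoint in this PR. If that is the lesson's intent, a comment should say so, e.g. `// Secret strength is bounded by the size of SECRETS, not by the RNG`. Constructing `new SecureRandom()` per request is also unnecessary, since `SecureRandom` instances are documented as safe for concurrent use; a `private static final SecureRandom RANDOM = new SecureRandom();` field can be shared across calls. `getBasicAuth` starts and continues outside the hunk.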
Expand Up @@ -25,6 +25,7 @@
import jakarta.servlet.http.HttpServletRequest;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import javax.xml.bind.DatatypeConverter;
import org.owasp.webgoat.container.assignments.AssignmentEndpoint;
Expand All @@ -50,7 +51,7 @@ public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
if (md5Hash == null) {

String secret = SECRETS[new Random().nextInt(SECRETS.length)];
String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];

MessageDigest md = MessageDigest.getInstance("MD5");
md.update(secret.getBytes());
Expand All @@ -68,7 +69,7 @@ public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmExcept

String sha256 = (String) request.getSession().getAttribute("sha256");
if (sha256 == null) {
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
sha256 = getHash(secret, "SHA-256");
request.getSession().setAttribute("sha256Hash", sha256);
request.getSession().setAttribute("sha256Secret", secret);
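Review bot: The session attribute read on L108 (`"sha256"`) does not match the one written on L113 (`"sha256Hash"`), so unless another path stores `"sha256"`, the null check on L109 never finds a cached value and a fresh secret is chosen on every call, which looks unintended; reading `getAttribute("sha256Hash")` on L108 would make the cache effective. Separately, `secret.getBytes()` on L105 depends on the platform charset, and `secret.getBytes(StandardCharsets.UTF_8)` would pin the digest input. Both `getMd5` and `getSha256` extend outside their hunks.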
7 changes: 4 additions & 3 deletions src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
Expand Up @@ -23,6 +23,7 @@
package org.owasp.webgoat.lessons.csrf;

import jakarta.servlet.http.HttpServletRequest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
Expand Down Expand Up @@ -54,13 +55,13 @@ public Map<String, Object> invoke(HttpServletRequest req) {

if (referer.equals("NULL")) {
if ("true".equals(req.getParameter("csrf"))) {
Random random = new Random();
Random random = new SecureRandom();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
response.put("flag", userSessionData.getValue("csrf-get-success"));
} else {
Random random = new Random();
Random random = new SecureRandom();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
Expand All @@ -71,7 +72,7 @@ public Map<String, Object> invoke(HttpServletRequest req) {
response.put("message", "Appears the request came from the original host");
response.put("flag", null);
} else {
Random random = new Random();
Random random = new SecureRandom();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
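Review bot: The pair `Random random = new SecureRandom(); userSessionData.setValue("csrf-get-success", random.nextInt(65536));` is repeated verbatim on L131–L132, L138–L139 and L147–L148, each constructing a fresh generator per request; a single `private static final SecureRandom RANDOM = new SecureRandom();` field with `userSessionData.setValue("csrf-get-success", RANDOM.nextInt(65536));` at each site removes both the duplication and the per-request construction. Declaring the local as `Random` keeps the `java.util.Random` import on L125 alive only for the variable type. `invoke` begins before and ends after these hunks.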
Expand Up @@ -23,6 +23,7 @@

package org.owasp.webgoat.lessons.hijacksession.cas;

import java.security.SecureRandom;
import java.time.Instant;
import java.util.LinkedList;
import java.util.Queue;
Expand All @@ -45,7 +46,7 @@
public class HijackSessionAuthenticationProvider implements AuthenticationProvider<Authentication> {

private Queue<String> sessions = new LinkedList<>();
private static long id = new Random().nextLong() & Long.MAX_VALUE;
private static long id = new SecureRandom().nextLong() & Long.MAX_VALUE;
protected static final int MAX_SESSIONS = 50;

private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
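Review bot: `id` on L166 is a mutable static initialised once with a random non-negative start, so a secure starting value only protects the first value; if session ids are derived successively from it (not visible in this hunk), every later id remains predictable from any one observed, which is presumably what this lesson demonstrates. A comment on the field should make that explicit, e.g. `// Random non-negative starting point; SecureRandom does not make later ids unpredictable if they are derived sequentially`. Also check whether the `java.util.Random` import, outside this hunk, is still used elsewhere in the file.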
Expand Up @@ -27,6 +27,7 @@
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.TextCodec;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Calendar;
import java.util.Date;
Expand All @@ -50,7 +51,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
"victory", "business", "available", "shipping", "washington"
};
public static final String JWT_SECRET =
TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
TextCodec.BASE64.encode(SECRETS[new SecureRandom().nextInt(SECRETS.length)]);
private static final String WEBGOAT_USER = "WebGoat";
private static final List<String> expectedClaims =
List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");