🐞
VulnInsights
  • VulnInsights
  • reporting-templates
    • Open Redirect
  • web-app-vulnerabilities
    • API Testing
    • GraphQL
    • open-redirect
  • secure-coding
    • docs
      • CWE-22
        • dotnet
          • .NET Deserialisation
        • groovy
          • bigbluebutton-lfi
        • java
          • path-traversal-metasphere
      • CWE-23
        • python
          • anything-llm-arbitrary-file-deletion
      • CWE-338
        • java
          • Overview
      • CWE-89
        • javascript
          • Overview
      • CWE-98
        • php
          • Overview
Powered by GitBook
On this page

Was this helpful?

Last updated 1 year ago

This vulnerability was reported by

Source link for the reported vulnerabilities are as follows:

  • https://huntr.com/bounties/604b0ff1-860a-4027-82ef-d12a187233e9/

This is something which is used by many people, from a security prespective you want a token which serves as an integrity of an action to be random and not guessable. Often time, programmatically there exists multiple classes that can generate random numbers or string. Problem with functions/methods like this is that they are not and hence does not provide a good entropy for generating the tokens. In order to tackle this, many new implementations of PRNG algorithms has been done where they make use of seed specified by the developer to generate random numbers.

Use of RandomStringUtils Package for Generating Tokens

In the alovoa application relies on RandomStringUtils.randomAlphaNumeric to generate a token for performing user account based operations such as registration, deletion and password reset.

(User Delete Action)[https://github.com/Alovoa/alovoa/blob/ace5c183a790b45a00cc437f563a8a34a5599783/src/main/java/com/nonononoki/alovoa/service/UserService.java]

Same logic exists for generating password reset tokens as well:

Patch

How to Identify Similar vulnerabilities

It is very important to look into the functions that has been obsolete and possess considerable security concerns such as the one we discussed.

There is a which takes a deep dive into the implementation of RandomStringUtils.randomAlphanumeric and reverse engineer the algorithm to predict past and future genrated numbers.

The developers made patch to the vulnerable code by using the java.security.SecureRandom as the PRNG for generating the random string, here they have provided SecureRandom method for source of randomness. Reference for

PasswordService.java
public POC
RandomStringUtils
  • Use of RandomStringUtils Package for Generating Tokens
  • Patch
  • How to Identify Similar vulnerabilities
PreviousjavaNextCWE-89
  1. secure-coding
  2. docs
  3. CWE-338
  4. java

Overview

harpsiford
How to Identify Similar vulnerabilities
truly random

    public UserDeleteToken deleteAccountRequest() throws MessagingException, IOException, AlovoaException {
        User user = authService.getCurrentUser(true);
        UserDeleteToken token = new UserDeleteToken();
        Date currentDate = new Date();

        token.setContent(RandomStringUtils.randomAlphanumeric(tokenLength));
        token.setDate(currentDate);
        token.setUser(user);
        user.setDeleteToken(token);
        user = userRepo.saveAndFlush(user);

        mailService.sendAccountDeleteRequest(user);

        return user.getDeleteToken();
    }

[..snip..]
		//user has social login, do not assign new password!
		if (u.getPassword() != null) {
			UserPasswordToken token = new UserPasswordToken();
			token.setContent(RandomStringUtils.randomAlphanumeric(tokenLength));
			token.setDate(new Date());
			token.setUser(u);
			u.setPasswordToken(token);
			u = userRepo.saveAndFlush(u);
	
			mailService.sendPasswordResetMail(u);
			
			SecurityContextHolder.clearContext();
	
			return u.getPasswordToken();
		} else {
			throw new AlovoaException("user_has_social_login");
		}
		token.setContent(RandomStringUtils.random(tokenLength, 0, 0, true, true, null, new SecureRandom()));