🐞
VulnInsights
  • VulnInsights
  • reporting-templates
    • Open Redirect
  • web-app-vulnerabilities
    • API Testing
    • GraphQL
    • open-redirect
  • secure-coding
    • docs
      • CWE-22
        • dotnet
          • .NET Deserialisation
        • groovy
          • bigbluebutton-lfi
        • java
          • path-traversal-metasphere
      • CWE-23
        • python
          • anything-llm-arbitrary-file-deletion
      • CWE-338
        • java
          • Overview
      • CWE-89
        • javascript
          • Overview
      • CWE-98
        • php
          • Overview
Powered by GitBook
On this page
  • Use of RandomStringUtils Package for Generating Tokens
  • Patch
  • How to Identify Similar vulnerabilities

Was this helpful?

  1. secure-coding
  2. docs
  3. CWE-338
  4. java

Overview

PreviousjavaNextCWE-89

Last updated 1 year ago

Was this helpful?

This vulnerability was reported by

Source link for the reported vulnerabilities are as follows:

  • https://huntr.com/bounties/604b0ff1-860a-4027-82ef-d12a187233e9/

This is something which is used by many people, from a security prespective you want a token which serves as an integrity of an action to be random and not guessable. Often time, programmatically there exists multiple classes that can generate random numbers or string. Problem with functions/methods like this is that they are not and hence does not provide a good entropy for generating the tokens. In order to tackle this, many new implementations of PRNG algorithms has been done where they make use of seed specified by the developer to generate random numbers.

Use of RandomStringUtils Package for Generating Tokens

In the alovoa application relies on RandomStringUtils.randomAlphaNumeric to generate a token for performing user account based operations such as registration, deletion and password reset.


    public UserDeleteToken deleteAccountRequest() throws MessagingException, IOException, AlovoaException {
        User user = authService.getCurrentUser(true);
        UserDeleteToken token = new UserDeleteToken();
        Date currentDate = new Date();

        token.setContent(RandomStringUtils.randomAlphanumeric(tokenLength));
        token.setDate(currentDate);
        token.setUser(user);
        user.setDeleteToken(token);
        user = userRepo.saveAndFlush(user);

        mailService.sendAccountDeleteRequest(user);

        return user.getDeleteToken();
    }

(User Delete Action)[https://github.com/Alovoa/alovoa/blob/ace5c183a790b45a00cc437f563a8a34a5599783/src/main/java/com/nonononoki/alovoa/service/UserService.java]

Same logic exists for generating password reset tokens as well:

[..snip..]
		//user has social login, do not assign new password!
		if (u.getPassword() != null) {
			UserPasswordToken token = new UserPasswordToken();
			token.setContent(RandomStringUtils.randomAlphanumeric(tokenLength));
			token.setDate(new Date());
			token.setUser(u);
			u.setPasswordToken(token);
			u = userRepo.saveAndFlush(u);
	
			mailService.sendPasswordResetMail(u);
			
			SecurityContextHolder.clearContext();
	
			return u.getPasswordToken();
		} else {
			throw new AlovoaException("user_has_social_login");
		}

Patch

		token.setContent(RandomStringUtils.random(tokenLength, 0, 0, true, true, null, new SecureRandom()));

How to Identify Similar vulnerabilities

It is very important to look into the functions that has been obsolete and possess considerable security concerns such as the one we discussed.

There is a which takes a deep dive into the implementation of RandomStringUtils.randomAlphanumeric and reverse engineer the algorithm to predict past and future genrated numbers.

The developers made patch to the vulnerable code by using the java.security.SecureRandom as the PRNG for generating the random string, here they have provided SecureRandom method for source of randomness. Reference for

PasswordService.java
public POC
RandomStringUtils
harpsiford
truly random
How to Identify Similar vulnerabilities