Merge pull request #35 from sip49/pixeebot/drip-2024-06-11-pixee-java…
…/secure-random

Introduced protections against predictable RNG abuse
sip49 authored Jun 11, 2024
2 parents 1b423ef + 19d0705 commit f55a467
Showing 6 changed files with 15 additions and 9 deletions.
@@ -1,5 +1,6 @@
package org.owasp.webgoat.lessons.challenges.challenge7;

import java.security.SecureRandom;
import java.util.Random;

/**
Expand All @@ -11,7 +12,7 @@
public class PasswordResetLink {

public String createPasswordReset(String username, String key) {
Random random = new Random();
Random random = new SecureRandom();
if (username.equalsIgnoreCase("admin")) {
// Admin has a fix reset link
random.setSeed(key.length());
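Review bot: Calling `setSeed(key.length())` on the new `SecureRandom` makes the admin branch provider-dependent rather than "fix" as the comment above it says: with the default platform provider `setSeed` supplements existing entropy, so the admin link is no longer deterministic, while with a provider such as SHA1PRNG a `setSeed` before the first output replaces the state with a seed of only a few bits, which defeats the switch to `SecureRandom`. The package `org.owasp.webgoat.lessons.challenges.challenge7` suggests this predictability is the lesson's intended weakness, so the automated swap likely changes lesson behaviour rather than hardening production code. If the method is meant to stay deterministic for admin, keep `new Random()` here and add `// intentionally predictable: lesson demonstrates seeded-RNG reset links`; if not, drop the `setSeed` call and declare `SecureRandom random = new SecureRandom();` so the type states the intent. The rest of `createPasswordReset` is outside the hunk.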
Expand Up @@ -22,6 +22,7 @@

package org.owasp.webgoat.lessons.cryptography;

import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
Expand Down Expand Up @@ -49,7 +50,7 @@ public String getBasicAuth(HttpServletRequest request) {
String username = request.getUserPrincipal().getName();
if (basicAuth == null) {
String password =
HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
HashingAssignment.SECRETS[new SecureRandom().nextInt(HashingAssignment.SECRETS.length)];
basicAuth = getBasicAuth(username, password);
request.getSession().setAttribute("basicAuth", basicAuth);
}
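Review bot: The password chosen on the `SECRETS[new SecureRandom().nextInt(HashingAssignment.SECRETS.length)]` line still comes from a fixed list, so its guessability is bounded by `SECRETS.length`, not by the generator; the swap removes the `java.util.Random` predictability but does not make the password strong, and the commit message's "protections" should be read no more broadly than that. Constructing a `SecureRandom` per request also repeats seeding work on providers that seed at construction; hoist it to a `private static final SecureRandom RANDOM = new SecureRandom();` field and index with `RANDOM.nextInt(HashingAssignment.SECRETS.length)`. The `java.util.Random` import that remains above `HttpServletRequest` looks unused after this change unless another use exists outside the hunk. `getBasicAuth` starts and ends outside the hunk.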
Expand Up @@ -24,6 +24,7 @@

import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Random;
import javax.servlet.http.HttpServletRequest;
import javax.xml.bind.DatatypeConverter;
Expand All @@ -50,7 +51,7 @@ public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException
String md5Hash = (String) request.getSession().getAttribute("md5Hash");
if (md5Hash == null) {

String secret = SECRETS[new Random().nextInt(SECRETS.length)];
String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];

MessageDigest md = MessageDigest.getInstance("MD5");
md.update(secret.getBytes());
Expand All @@ -68,7 +69,7 @@ public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmExcept

String sha256 = (String) request.getSession().getAttribute("sha256");
if (sha256 == null) {
String secret = SECRETS[new Random().nextInt(SECRETS.length)];
String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
sha256 = getHash(secret, "SHA-256");
request.getSession().setAttribute("sha256Hash", sha256);
request.getSession().setAttribute("sha256Secret", secret);
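Review bot: Both `getMd5` and `getSha256` now construct a fresh `SecureRandom` on every cache miss; a single `private static final SecureRandom RANDOM = new SecureRandom();` field shared by both methods is the idiomatic form and avoids repeated seeding on providers that seed at construction. Independently of the generator, the secret is one of `SECRETS.length` fixed values, so the published hash can still be matched by enumerating the list — presumably the lesson's point, given the package name, but it means this commit does not change the security of these endpoints. Separately, `getSha256` reads the session attribute `"sha256"` but stores the result under `"sha256Hash"`, so the cached branch can never be hit and a new secret is drawn on every call; if that is unintended, read and write the same key. Both methods end outside the hunk.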
7 changes: 4 additions & 3 deletions src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
Expand Up @@ -22,6 +22,7 @@

package org.owasp.webgoat.lessons.csrf;

import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
Expand Down Expand Up @@ -56,13 +57,13 @@ public Map<String, Object> invoke(HttpServletRequest req) {

if (referer.equals("NULL")) {
if ("true".equals(req.getParameter("csrf"))) {
Random random = new Random();
Random random = new SecureRandom();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
response.put("flag", userSessionData.getValue("csrf-get-success"));
} else {
Random random = new Random();
Random random = new SecureRandom();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
Expand All @@ -73,7 +74,7 @@ public Map<String, Object> invoke(HttpServletRequest req) {
response.put("message", "Appears the request came from the original host");
response.put("flag", null);
} else {
Random random = new Random();
Random random = new SecureRandom();
userSessionData.setValue("csrf-get-success", random.nextInt(65536));
response.put("success", true);
response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
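Review bot: The same pair of lines — `Random random = new SecureRandom();` followed by `userSessionData.setValue("csrf-get-success", random.nextInt(65536));` — is now repeated in three branches of `invoke`; extract a `private static final SecureRandom RANDOM = new SecureRandom();` field and use one `userSessionData.setValue("csrf-get-success", RANDOM.nextInt(65536));` statement per branch so the branches cannot drift apart. Declaring the local as `Random` while constructing a `SecureRandom` also hides the intent; if a local is kept, declare it as `SecureRandom`. Whatever the generator, `nextInt(65536)` yields a 16-bit flag, so this commit improves its unpredictability from earlier outputs but not its brute-force resistance. `invoke` starts before the first hunk and ends after the last one.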
Expand Up @@ -23,6 +23,7 @@

package org.owasp.webgoat.lessons.hijacksession.cas;

import java.security.SecureRandom;
import java.time.Instant;
import java.util.LinkedList;
import java.util.Queue;
Expand All @@ -45,7 +46,7 @@
public class HijackSessionAuthenticationProvider implements AuthenticationProvider<Authentication> {

private Queue<String> sessions = new LinkedList<>();
private static long id = new Random().nextLong() & Long.MAX_VALUE;
private static long id = new SecureRandom().nextLong() & Long.MAX_VALUE;
protected static final int MAX_SESSIONS = 50;

private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
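Review bot: Seeding the static, non-final `id` from `SecureRandom` only randomises its starting value; if `id` is advanced sequentially for each issued session elsewhere in the class (the mutable static suggests so, but the hunk does not show it), any one observed session id still predicts its neighbours, which is the weakness the `hijacksession` package name implies this lesson demonstrates. Either revert the change for the lesson, or, if real hardening is the goal, draw each session id fresh at issue time from a shared `private static final SecureRandom RANDOM = new SecureRandom();` field via `RANDOM.nextLong() & Long.MAX_VALUE` instead of deriving it from a counter. If a `java.util.Random` import remains below the visible import lines, it is now unused unless referenced elsewhere in the file. The class body continues outside the hunk.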
Expand Up @@ -27,6 +27,7 @@
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.impl.TextCodec;
import java.security.SecureRandom;
import java.time.Instant;
import java.util.Calendar;
import java.util.Date;
Expand Down Expand Up @@ -54,7 +55,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
"victory", "business", "available", "shipping", "washington"
};
public static final String JWT_SECRET =
TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
TextCodec.BASE64.encode(SECRETS[new SecureRandom().nextInt(SECRETS.length)]);
private static final String WEBGOAT_USER = "WebGoat";
private static final List<String> expectedClaims =
List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
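Review bot: `JWT_SECRET` is still one of `SECRETS.length` dictionary words (`"victory"`, `"business"`, …), so any signed token can be cracked offline by trying the list regardless of how the index is chosen; the move to `SecureRandom` does not change the key space, and the commit message should not be read as making this secret safe. Given the class name `JWTSecretKeyEndpoint`, the weak secret is very likely the lesson's intended flaw, so the swap is harmless but cosmetic here. A real HS256 key would be random bytes rather than a word, e.g. `byte[] key = new byte[32]; new SecureRandom().nextBytes(key);` followed by `TextCodec.BASE64.encode(key)`. Because the field is a static initializer, one secret is fixed per class load for the application's lifetime. The class continues outside the hunk.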