From 19d070578509dc56df082ab822a045df0870594c Mon Sep 17 00:00:00 2001
From: "pixeebot[bot]" <104101892+pixeebot[bot]@users.noreply.github.com>
Date: Tue, 11 Jun 2024 21:54:01 +0000
Subject: [PATCH] Introduced protections against predictable RNG abuse

---
 .../lessons/challenges/challenge7/PasswordResetLink.java | 3 ++-
 .../webgoat/lessons/cryptography/EncodingAssignment.java | 3 ++-
 .../webgoat/lessons/cryptography/HashingAssignment.java | 5 +++--
 .../java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java | 7 ++++---
 .../cas/HijackSessionAuthenticationProvider.java | 3 ++-
 .../owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java | 3 ++-
 6 files changed, 15 insertions(+), 9 deletions(-)

diff --git a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
index ff00f06cb..8698d389f 100644
--- a/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
+++ b/src/main/java/org/owasp/webgoat/lessons/challenges/challenge7/PasswordResetLink.java
@@ -1,5 +1,6 @@
 package org.owasp.webgoat.lessons.challenges.challenge7;
+import java.security.SecureRandom;
 import java.util.Random;
 /**
@@ -11,7 +12,7 @@
 public class PasswordResetLink {
 public String createPasswordReset(String username, String key) {
- Random random = new Random();
+ Random random = new SecureRandom();
 if (username.equalsIgnoreCase("admin")) {
 // Admin has a fix reset link
 random.setSeed(key.length());
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
index 65c115c41..edf65fd06 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/EncodingAssignment.java
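Review bot: The "fix reset link" for admin that the comment promises is no longer guaranteed, because `random.setSeed(key.length())` now dispatches to `SecureRandom.setSeed(long)`, which is documented as supplementing rather than replacing the existing seed and is a no-op for a seed of 0; whether the following output becomes reproducible depends on the provider the JVM selects (NativePRNG stays nondeterministic, a SHA1PRNG seeded before first use does not), so the admin branch is now platform-dependent. If this challenge relies on a reproducible link for `admin`, the `new SecureRandom()` swap should be reverted in this file rather than merged, and the intent recorded on the line, e.g. `// Challenge 7: deterministic on purpose; do not "fix" to SecureRandom`. The body of `createPasswordReset` continues past the hunk, so I cannot see how `random` is consumed afterwards.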
@@ -22,6 +22,7 @@
 package org.owasp.webgoat.lessons.cryptography;
+import java.security.SecureRandom;
 import java.util.Base64;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
@@ -49,7 +50,7 @@ public String getBasicAuth(HttpServletRequest request) {
 String username = request.getUserPrincipal().getName();
 if (basicAuth == null) {
 String password =
- HashingAssignment.SECRETS[new Random().nextInt(HashingAssignment.SECRETS.length)];
+ HashingAssignment.SECRETS[new SecureRandom().nextInt(HashingAssignment.SECRETS.length)];
 basicAuth = getBasicAuth(username, password);
 request.getSession().setAttribute("basicAuth", basicAuth);
 }
diff --git a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
index b83f931a8..8e2bf5628 100644
--- a/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
+++ b/src/main/java/org/owasp/webgoat/lessons/cryptography/HashingAssignment.java
@@ -24,6 +24,7 @@
 import java.security.MessageDigest;
 import java.security.NoSuchAlgorithmException;
+import java.security.SecureRandom;
 import java.util.Random;
 import javax.servlet.http.HttpServletRequest;
 import javax.xml.bind.DatatypeConverter;
@@ -50,7 +51,7 @@ public String getMd5(HttpServletRequest request) throws NoSuchAlgorithmException
 String md5Hash = (String) request.getSession().getAttribute("md5Hash");
 if (md5Hash == null) {
- String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+ String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 MessageDigest md = MessageDigest.getInstance("MD5");
 md.update(secret.getBytes());
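Review bot: The generator swap does not make the password in `getBasicAuth` harder to guess, because it is still one of the fixed entries of `HashingAssignment.SECRETS`; an attacker's search space is the length of that array, not the predictability of the index, so the commit title overstates what this line achieves. If the change is kept for hygiene, do not construct a fresh `SecureRandom` per request inside a handler; share one instance, e.g. `private static final SecureRandom RANDOM = new SecureRandom();` and `HashingAssignment.SECRETS[RANDOM.nextInt(HashingAssignment.SECRETS.length)]`. If this was the file's only use of `java.util.Random`, that import is now dead and should be removed. `getBasicAuth` starts before the hunk.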
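Review bot: `new SecureRandom()` is now created inline on the request path in `getMd5`, the same pattern the commit adds in `getBasicAuth` and `getSha256`; one shared `static final SecureRandom` would be cheaper and keeps the three sites consistent, e.g. `String secret = SECRETS[RANDOM.nextInt(SECRETS.length)];`. The secret is still drawn from the small `SECRETS` array, so the change does not affect how quickly the MD5 stored in the session can be matched against that list, which is presumably the point of the lesson. Separately, the unchanged context line `md.update(secret.getBytes())` uses the platform default charset; `secret.getBytes(StandardCharsets.UTF_8)` would make the digest stable across JVMs. The method body continues past the hunk.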
@@ -68,7 +69,7 @@ public String getSha256(HttpServletRequest request) throws NoSuchAlgorithmExcept
 String sha256 = (String) request.getSession().getAttribute("sha256");
 if (sha256 == null) {
- String secret = SECRETS[new Random().nextInt(SECRETS.length)];
+ String secret = SECRETS[new SecureRandom().nextInt(SECRETS.length)];
 sha256 = getHash(secret, "SHA-256");
 request.getSession().setAttribute("sha256Hash", sha256);
 request.getSession().setAttribute("sha256Secret", secret);
diff --git a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
index e2cbc90c7..ff3eaa88c 100644
--- a/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
+++ b/src/main/java/org/owasp/webgoat/lessons/csrf/CSRFGetFlag.java
@@ -22,6 +22,7 @@
 package org.owasp.webgoat.lessons.csrf;
+import java.security.SecureRandom;
 import java.util.HashMap;
 import java.util.Map;
 import java.util.Random;
@@ -56,13 +57,13 @@ public Map invoke(HttpServletRequest req) {
 if (referer.equals("NULL")) {
 if ("true".equals(req.getParameter("csrf"))) {
- Random random = new Random();
+ Random random = new SecureRandom();
 userSessionData.setValue("csrf-get-success", random.nextInt(65536));
 response.put("success", true);
 response.put("message", pluginMessages.getMessage("csrf-get-null-referer.success"));
 response.put("flag", userSessionData.getValue("csrf-get-success"));
 } else {
- Random random = new Random();
+ Random random = new SecureRandom();
 userSessionData.setValue("csrf-get-success", random.nextInt(65536));
 response.put("success", true);
 response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
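Review bot: The replaced line in `getSha256` will execute on every request rather than once per session, so the new `SecureRandom` is constructed per call: the cache check reads `request.getSession().getAttribute("sha256")` but the value is stored under `"sha256Hash"`, so `sha256` is null each time unless `"sha256"` is set somewhere outside this hunk. Either align the keys (`getAttribute("sha256Hash")`) or at least hoist the generator to a shared `static final SecureRandom` so the per-request cost is not paid. The commit does not touch this mismatch, and the method continues outside the hunk.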
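Review bot: The flag is still `random.nextInt(65536)`, a 16-bit value, so a client that can submit guesses needs at most 65,536 attempts regardless of which generator picks it; `SecureRandom` removes seed prediction but not the small range, and the range is what matters for a token that is presumably checked later. If a lesson flag is all this needs to be, that is acceptable, but the two branches should not each build their own generator: lift a single `Random random = new SecureRandom();` (or a `static final` field) above `if (referer.equals("NULL")) {`. `invoke` starts before the hunk and continues after it.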
@@ -73,7 +74,7 @@ public Map invoke(HttpServletRequest req) {
 response.put("message", "Appears the request came from the original host");
 response.put("flag", null);
 } else {
- Random random = new Random();
+ Random random = new SecureRandom();
 userSessionData.setValue("csrf-get-success", random.nextInt(65536));
 response.put("success", true);
 response.put("message", pluginMessages.getMessage("csrf-get-other-referer.success"));
diff --git a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
index 018dd8bf1..238fcb55e 100644
--- a/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
+++ b/src/main/java/org/owasp/webgoat/lessons/hijacksession/cas/HijackSessionAuthenticationProvider.java
@@ -23,6 +23,7 @@
 package org.owasp.webgoat.lessons.hijacksession.cas;
+import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.LinkedList;
 import java.util.Queue;
@@ -45,7 +46,7 @@
 public class HijackSessionAuthenticationProvider implements AuthenticationProvider {
 private Queue sessions = new LinkedList<>();
- private static long id = new Random().nextLong() & Long.MAX_VALUE;
+ private static long id = new SecureRandom().nextLong() & Long.MAX_VALUE;
 protected static final int MAX_SESSIONS = 50;
 private static final DoublePredicate PROBABILITY_DOUBLE_PREDICATE = pr -> pr < 0.75;
diff --git a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
index dac1ef5cc..3a475f667 100644
--- a/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
+++ b/src/main/java/org/owasp/webgoat/lessons/jwt/JWTSecretKeyEndpoint.java
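Review bot: Randomizing only the initial value of the mutable static `id` does not make later identifiers unpredictable if they are derived from it by increment, which the non-final field, the session queue and the 0.75 probability predicate in this hunk suggest (the code that advances `id` is outside the hunk, so I cannot confirm). For a session-hijacking lesson a guessable sequence is likely the intended weakness, so this hunk should either be reverted or carry a note that the sequence, not the seed, is the point, e.g. `// lesson: ids are sequential from a random start; do not "harden" this`. If a real fix were wanted, each id would have to be drawn independently from `SecureRandom` rather than from a counter. If this was the file's only `new Random()`, the `java.util.Random` import is now unused.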
@@ -27,6 +27,7 @@
 import io.jsonwebtoken.Jwts;
 import io.jsonwebtoken.SignatureAlgorithm;
 import io.jsonwebtoken.impl.TextCodec;
+import java.security.SecureRandom;
 import java.time.Instant;
 import java.util.Calendar;
 import java.util.Date;
@@ -54,7 +55,7 @@ public class JWTSecretKeyEndpoint extends AssignmentEndpoint {
 "victory", "business", "available", "shipping", "washington" };
 public static final String JWT_SECRET =
- TextCodec.BASE64.encode(SECRETS[new Random().nextInt(SECRETS.length)]);
+ TextCodec.BASE64.encode(SECRETS[new SecureRandom().nextInt(SECRETS.length)]);
 private static final String WEBGOAT_USER = "WebGoat";
 private static final List expectedClaims = List.of("iss", "iat", "exp", "aud", "sub", "username", "Email", "Role");
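Review bot: `JWT_SECRET` is still one of the dictionary words in `SECRETS` (`"victory"`, `"business"`, and so on), so an offline attack on any signed token needs only as many HMAC trials as the array has entries; the key space is unchanged by the generator swap, and the `TextCodec.BASE64.encode` wrapper adds no entropy either. Because the field is `public static final`, the chosen word is also fixed once per JVM lifetime and readable by any class that references the constant, which `SecureRandom` does not change. For a JWT secret-key lesson this is almost certainly the intended weakness, so either revert this hunk and mark the line `// intentionally weak key for the JWT secret lesson`, or, if the endpoint should be genuinely safe, derive the key from at least 32 bytes of `SecureRandom` output instead of a word list. If this was the only `new Random()` in the file, the `java.util.Random` import is now unused.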