Java Code Snippets Review
Hash length extension attack
import java.util.Base64;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.nio.charset.StandardCharsets;

public class Secure {
    private static String secret = "[...]";

    public static String build_redirect() throws Exception {
        SecureRandom rand = new SecureRandom();
        String tx_id = String.valueOf(rand.nextInt(100000));
        String payment_info = "transaction_id=" + tx_id + "&amount=20.00";
        String params = payment_info;
        params += "&sign=" + sign_for_payment(payment_info);
        return "https://payment.pentesterlab.com/?" + params;
    }

    public static String sign_for_payment(String payment_info) throws Exception {
        // Signature = SHA-256(secret || payment_info): a plain Merkle-Damgard hash
        // over secret-prefixed data, which is what makes length extension possible.
        String data = secret + payment_info;
        MessageDigest digest = MessageDigest.getInstance("SHA-256");
        byte[] hash = digest.digest(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder()
                .withoutPadding()
                .encodeToString(hash);
    }
}
The length-extension weakness is in sign_for_payment(): the signature is SHA-256(secret + payment_info), i.e. the secret is simply prepended to the data and the whole string is hashed.
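The hardened form of the same snippet, added here as an example (not code from the page or from PentesterLab): the tag is computed with HMAC-SHA256 instead of SHA-256(secret || data), and the server verifies it with a constant-time comparison. The class name SecureHmac, the method names and the hard-coded KEY value are assumptions made for this example only; a real service would load the key from a secrets store.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;

public class SecureHmac {
    // Hypothetical key, hard-coded only so the example runs stand-alone.
    // 32 bytes is a sensible minimum for HmacSHA256; load it from a secrets store in practice.
    private static final byte[] KEY =
        "replace-me-with-32-random-bytes!".getBytes(StandardCharsets.UTF_8);

    public static String buildRedirect() throws Exception {
        SecureRandom rand = new SecureRandom();
        String txId = String.valueOf(rand.nextInt(100000));
        String paymentInfo = "transaction_id=" + txId + "&amount=20.00";
        return "https://payment.pentesterlab.com/?" + paymentInfo
             + "&sign=" + signForPayment(paymentInfo);
    }

    // HMAC-SHA256(key, payment_info) instead of SHA-256(secret || payment_info).
    // HMAC's keyed inner and outer hashing is not subject to length extension.
    private static byte[] hmac(String paymentInfo) throws Exception {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(new SecretKeySpec(KEY, "HmacSHA256"));
        return mac.doFinal(paymentInfo.getBytes(StandardCharsets.UTF_8));
    }

    public static String signForPayment(String paymentInfo) throws Exception {
        return Base64.getUrlEncoder().withoutPadding().encodeToString(hmac(paymentInfo));
    }

    // Server side: recompute the tag over the received parameters and compare it
    // in constant time so a mismatch does not leak through timing.
    public static boolean verifyForPayment(String paymentInfo, String sign) throws Exception {
        byte[] provided;
        try {
            provided = Base64.getUrlDecoder().decode(sign);
        } catch (IllegalArgumentException e) {
            return false; // not valid base64url, reject without further work
        }
        return MessageDigest.isEqual(hmac(paymentInfo), provided);
    }

    public static void main(String[] args) throws Exception {
        String info = "transaction_id=4242&amount=20.00"; // constructed sample input
        String sign = signForPayment(info);
        // Untouched parameters verify; parameters with extra data appended do not,
        // because the tag cannot be extended without the key.
        System.out.println("original accepted: " + verifyForPayment(info, sign));
        System.out.println("appended accepted: " + verifyForPayment(info + "&amount=0.01", sign));
        System.out.println(buildRedirect());
    }
}
```

The verifier recomputes the tag from the parameters it actually received, so any appended or altered field changes the expected tag; MessageDigest.isEqual is used rather than String.equals so the comparison does not short-circuit on the first differing byte.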
Pseudo-random number generator
import java.util.Random;

public class Otp {
    // java.util.Random is a 48-bit linear congruential generator, not a cryptographic one.
    private static final Random R = new Random();

    public static String generateCode() {
        StringBuilder builder = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            builder.append(R.nextInt(10));
        }
        return builder.toString();
    }
}
If you collect enough of its outputs, you can predict the next numbers it will produce.
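A corrected OTP generator, added here as an example (not code from the page or from PentesterLab): it keeps the shape of generateCode() but draws digits from java.security.SecureRandom, compares submitted codes in constant time, and includes a small method showing why java.util.Random is unsuitable (two instances with the same seed emit the same sequence). The class name SecureOtp and the configurable digit count are assumptions of this example; the original snippet used a fixed four digits.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Random;

public class SecureOtp {
    // SecureRandom is seeded from the platform CSPRNG; its output cannot be
    // reconstructed from previously observed codes the way java.util.Random's can.
    private static final SecureRandom R = new SecureRandom();

    // Same structure as the original generateCode(), with the digit count as a parameter.
    public static String generateCode(int digits) {
        StringBuilder builder = new StringBuilder(digits);
        for (int i = 0; i < digits; i++) {
            builder.append(R.nextInt(10));
        }
        return builder.toString();
    }

    // Compare the submitted code in constant time. An attempt limit and a short
    // expiry are still needed on the server side and are outside this example.
    public static boolean verifyCode(String expected, String submitted) {
        return MessageDigest.isEqual(
            expected.getBytes(StandardCharsets.UTF_8),
            submitted.getBytes(StandardCharsets.UTF_8));
    }

    // Illustrates the weakness of java.util.Random: its whole output sequence is a
    // deterministic function of a 48-bit seed, so equal seeds give equal "codes".
    public static boolean sameSeedSameCodes(long seed) {
        Random a = new Random(seed);
        Random b = new Random(seed);
        StringBuilder sa = new StringBuilder();
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < 4; i++) {
            sa.append(a.nextInt(10));
            sb.append(b.nextInt(10));
        }
        return sa.toString().equals(sb.toString());
    }

    public static void main(String[] args) {
        String code = generateCode(6);
        System.out.println("generated: " + code);
        System.out.println("correct code accepted: " + verifyCode(code, code));
        System.out.println("wrong code accepted: " + verifyCode(code, "zzzzzz"));
        System.out.println("java.util.Random repeats for equal seeds: " + sameSeedSameCodes(12345L));
    }
}
```

Switching the generator removes the predictability; the constant-time compare and the server-side attempt limit are what stop a guessing attack against a short numeric code from succeeding anyway.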