Java – Cracking the Random: CVE-2024-29868

TL;DR

If you run a Java application with a token-based password recovery mechanism, make sure the token isn't generated with RandomStringUtils. Spoiler: you can crack it and predict all past and future tokens generated by the application!
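The corrected pattern for such a recovery token, as an added example that is not code from this post or from any application it discusses: the token comes from `java.security.SecureRandom`, and the server keeps only its hash and an expiry. The class and method names, the 15-minute lifetime and the hash-only storage are assumptions made for illustration; Java 16 or later is assumed for the `record`.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.time.Duration;
import java.time.Instant;
import java.util.Base64;

/** Added example: recovery tokens drawn from a CSPRNG (hypothetical class and method names). */
public class ResetTokens {
    // Pattern the TL;DR warns about (commons-lang3, shown for contrast only):
    //   String token = RandomStringUtils.randomAlphanumeric(32);
    private static final SecureRandom CSPRNG = new SecureRandom();
    private static final Duration TTL = Duration.ofMinutes(15); // assumed policy value

    /** What the server persists: a hash of the token and its expiry, never the token itself. */
    public record Stored(byte[] sha256, Instant expires) {}

    /** Returns a URL-safe token carrying 256 bits from the CSPRNG. */
    public static String newToken() {
        byte[] raw = new byte[32];
        CSPRNG.nextBytes(raw);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static Stored store(String token, Instant now) {
        return new Stored(sha256(token), now.plus(TTL));
    }

    /** Constant-time hash comparison plus expiry check. */
    public static boolean verify(String presented, Stored stored, Instant now) {
        boolean match = MessageDigest.isEqual(sha256(presented), stored.sha256());
        return match && now.isBefore(stored.expires());
    }

    private static byte[] sha256(String s) {
        try {
            return MessageDigest.getInstance("SHA-256").digest(s.getBytes(StandardCharsets.UTF_8));
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e); // SHA-256 is required on every Java platform
        }
    }

    public static void main(String[] args) {
        Instant now = Instant.now();
        String token = newToken();      // sent to the user
        Stored row = store(token, now); // persisted server-side
        System.out.println(verify(token, row, now));                          // the issued token
        System.out.println(verify(newToken(), row, now));                     // an unrelated token
        System.out.println(verify(token, row, now.plus(TTL).plusSeconds(1))); // issued token after expiry
    }
}
```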

Some Context

During a Penetration Test I was sifting through the internet - as one often does...