Publications

Java – Cracking the Random: CVE-2024-29868

TL;DR If you employ a Java application with a token-based password recovery mechanism, be sure that said token isn't generated using: RandomStringUtils. Spoiler: You can crack it and predict all past and future tokens generated by the application! Some Context During a Penetration Test I was sifting through the internet - as one often does - looking for ways...