Abusing weak PRNGs in PHP applications
Posted: Tue Feb 02, 2010 4:00 am
gat3way has uploaded an interesting PoC video - a mt_rand()/rand() seed value discovery.
http://www.youtube.com/watch?v=NMhO00bnRzM
According to his articles (in Bulgarian), he is able to bruteforce the seed value used by mt_srand() in just an hour. He uses a rainbow table (11MB) that took 17 hours to be generated.
He also explains the weaknesses of using low entropy sources for seeding mt_srand() - like the time() function.
Finally, he explains that CAPTCHA images can be bypassed by *predicting* the values they are generated from. He shows the weaknesses of the "unique URLs" used for resetting passwords in some PHP applications.
Enjoy watching the video
... and fix your code 
http://www.youtube.com/watch?v=NMhO00bnRzM
According to his articles (in Bulgarian), he is able to bruteforce the seed value used by mt_srand() in just an hour. He uses a rainbow table (11MB) that took 17 hours to be generated.
He also explains the weaknesses of using low entropy sources for seeding mt_srand() - like the time() function.
Finally, he explains that CAPTCHA images can be bypassed by *predicting* the values they are generated from. He shows the weaknesses of the "unique URLs" used for resetting passwords in some PHP applications.
Enjoy watching the video