6oskarwN/Sim_exam_yo

Anyone can guess and invalidate an existing transaction

Closed this issue · 7 comments

Due to the fact that transaction IDs are generated incrementally, anyone can guess the probable range of active transaction IDs. Own transaction +/- 10 and 20 transactions are exposed.
Then each transaction can be sent to be evaluated by sim_exam_yo; it doesn't matter that they will not be found legitimate, they will be deleted.
For instance, the bad guy can delete the transaction of somebody who is taking an exam, and when the exam form is submitted, the answer will be "transaction expired".

One possible solution will be to keep the transaction counter incremental as it is, but the transaction number to be generated using a pseudo-random algorithm so it is no longer easy to guess.
As generated transactions are stored in the transaction file, there is no need to keep a different track on the transactions, they do not need to be reproducible.

The transaction ID must have an additional layer of security: at least a hash, to see if it was tampered with or generated by an unauthorized entity.

First to be tested (already in work): transaction_id will be formed in this way:
transaction_id+expiry timestamp+MD5 MAC
e.g.
ABC2C3_57_28_7_6_1_116_ti+fUiRHqlDK1KRmalLGiw

transaction_id is generated incrementally; this remains unchanged for simplicity.
MD5 is calculated by

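```perl
use Digest::MD5;

# MAC appended to the transaction ID: MD5 over the secret and an inner MD5(secret, message)
sub compute_mac {
    my ($message) = @_;
    my $secret = '80b3781f9e43242f9996309e5a32ce8b';    # hardcoded key
    # md5_base64 concatenates its arguments before hashing
    return Digest::MD5::md5_base64($secret, Digest::MD5::md5($secret, $message));
}
```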

This solution introduces a limitation: system must have Digest::MD5

```
# cpan
install Digest::MD5
```
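
An added example, not part of the original issue or the project's code: a verifier for a token shaped like the one described above, which checks the MAC before any transaction lookup so a guessed neighbouring ID is rejected without touching stored transactions. It assumes an epoch-seconds expiry field, a hex transaction ID and a demo key, and it swaps the MD5 construction above for HMAC-SHA256 from the core Digest::SHA module; the names make_token, check_token and ct_equal are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Digest::SHA qw(hmac_sha256_base64);

# Constructed demo key (assumption); a deployment would load it from outside the web root.
my $SECRET = 'demo-key-not-for-production';

# Build "<id>_<expiry epoch>_<mac>"; the MAC covers both the id and the expiry.
sub make_token {
    my ($id, $ttl, $now) = @_;
    my $body = join '_', $id, $now + $ttl;
    return $body . '_' . hmac_sha256_base64($body, $SECRET);
}

# Compare two strings without stopping at the first differing byte.
sub ct_equal {
    my ($x, $y) = @_;
    return 0 if length($x) != length($y);
    my $diff = 0;
    $diff |= ord(substr($x, $_, 1)) ^ ord(substr($y, $_, 1)) for 0 .. length($x) - 1;
    return $diff == 0;
}

# Returns (status, id). Only 'ok' and 'expired' mean the server issued the token,
# so only those may touch the transaction file; forged or guessed values change nothing.
sub check_token {
    my ($token, $now) = @_;
    my ($id, $expiry, $mac) = $token =~ m{\A([0-9A-F]+)_(\d+)_([A-Za-z0-9+/]+)\z}
        or return ('malformed');
    return ('bad_mac') unless ct_equal($mac, hmac_sha256_base64("${id}_$expiry", $SECRET));
    return ('expired', $id) if $expiry < $now;
    return ('ok', $id);
}

my $now   = 1_700_000_000;                     # constructed clock value
my $token = make_token('ABC2C3', 900, $now);   # constructed sample transaction
(my $guess = $token) =~ s/\AABC2C3/ABC2C4/;    # neighbouring ID with the MAC left unchanged

printf "%-8s %s\n", @$_ for (
    ['issued',  (check_token($token, $now))[0]],
    ['guessed', (check_token($guess, $now))[0]],
    ['late',    (check_token($token, $now + 901))[0]],
    ['garbage', (check_token('ABC2C3', $now))[0]],
);
```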

new branch made for this bugfix, "examyo_r3.2"

implementing started, committed sim_gen0.cgi and sim_ver0.cgi

only sim_ver1.cgi pending, this is the last to rework

All necessary modules finished and tested functionally, integrated on the local test server.
From this bug's point of view, everything is done.

Update: by implementing issue #11, MD5 switched to SHA1 also for transaction hash