🔐 Pracivo Crypto Lab

PRACIVO LAB — INTENTIONALLY VULNERABLE
⚠️ Pracivo Security Lab — Cryptography vulnerabilities: ECB penguin attack, padding oracle, weak ciphers, SSL/TLS misconfig, JWT cracking.

Insecure Random Number Generation

PREDICTABLE TOKENS
# Insecure: using time-seeded random for security tokens
import random, time
random.seed(int(time.time()))  # seed is just the current timestamp!
token = hex(random.randint(0, 0xFFFFFF))  # predictable

# If an attacker knows roughly when a token was issued,
# they can brute force the seed (only ~86400 possible values per day)

# Secure alternative:
import secrets
token = secrets.token_hex(32)  # cryptographically secure random

# Real vulnerability examples:
# - PHP rand() seeded with time() for password reset tokens
# - Java Math.random() for session IDs
# - Python random.random() for CSRF tokens
# - JWT with predictable "jti" (JWT ID) values

# Attack tool for PHP mt_rand:
# php_mt_seed — brute forces the seed from output values

# Vulnerable password reset flow:
# 1. Request reset → server generates token with rand()
# 2. Attacker requests reset at same second → same seed!
# 3. Both tokens are predictable from each other

⚠️ These tokens were generated with time-seeded random (insecure):

2ca1f3 ac65bb f0de29 51bdb4 703f90

Reload the page — they change every second. An attacker who knows the timestamp can reproduce them.