I Forgot Your Password: Randomness Attacks Against PHP Applications

@inproceedings{Argyros2012IFY,
  title={I Forgot Your Password: Randomness Attacks Against PHP Applications},
  author={George Argyros and Aggelos Kiayias},
  booktitle={USENIX Security Symposium},
  year={2012}
}
We provide a number of practical techniques and algorithms for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting or algorithmically derandomizing the PHP core randomness generators. While our techniques are designed for the PHP language, the principles behind our techniques and our algorithms are independent of PHP and can readily apply…