We present a number of novel, practical, techniques for exploiting randomness vulnerabilities in PHP applications. We focus on the predictability of password reset tokens and demonstrate how an attacker can take over user accounts in a web application via predicting the PHP core randomness generators.
Our suite of new techniques and tools go far beyond previously known attacks (e.g. Kamkar and Esser) and can be used to mount attacks against all PRNG of the PHP core system even when it is hardened with the Suhosin extension. Using them we demonstrate how to create practical attacks for a number of very popular PHP applications (including Mediawiki, Gallery, osCommerce and Joomla) that result in the complete take over of arbitrary user accounts.
While our techniques are designed for the PHP language, the principles behind ]them are independent of PHP and readily apply to any system that utilizes weak randomness generators or low entropy sources.
We will also release tools that assist in the exploitation of randomness vulnerabilities and exploits for some vulnerable applications.