Script improvements #3

Open
opened 2024-08-01 13:13:32 +00:00 by papey · 4 comments
Member
  1. Make the rotation key a variable/cli flag

```java
String password = Cesar.cesarRotate(user.getString("data"), -4);
```

  2. Variables should be static final

```java
String LOWER_ALPHABET = "abcdefghijklmnopqrstuvwxyz";
```

  3. I think this could be simplified, try to use only char numeric value

```java
if (offset < 0) {
    LOWER_ALPHABET = new StringBuilder(LOWER_ALPHABET).reverse().toString();
    offset = -offset;
}
String UPPER_ALPHABET = LOWER_ALPHABET.toUpperCase();
```

  4. Could you please try a more functional approach to the following lines, using the Java Stream API?

```java
for (int i = 0; i < input.length(); i++) {
    char newChar = input.charAt(i);
    if (!Character.isDigit(input.charAt(i))) {
        int pos = LOWER_ALPHABET.indexOf(Character.toLowerCase(input.charAt(i)));
        int newPos = (pos + offset) % 26;
        if (Character.isUpperCase(input.charAt(i))) {
            newChar = UPPER_ALPHABET.charAt(newPos);
        } else {
            newChar = LOWER_ALPHABET.charAt(newPos);
        }
    }
    output.append(newChar);
}
return output.toString();
```

  5. Can you find the passwords in parallel? Is it better in terms of performance? If not, why? Could you find when parallelism is relevant?
Mateo was assigned by papey 2024-08-01 13:13:32 +00:00
Member

#4
1 / 2 / 3 done
4 / 5 left

Member

I don't understand how it's possible to rewrite step 4 using Java Streams even though I understand what they do. I can't manage to find the different steps of the conversion operation.

Member

Implemented asynchronous password decryption (step 5).
Asynchronous decryption is approximately 2 times faster than synchronous:

```
1. user1 => zivlwuXiaa1I
...
69. galileoGalilei => iabzwvwugAbiza
Synchronous elapsed time = 10.747904ms
```

```
1. user1 => zivlwuXiaa1I
...
69. galileoGalilei => iabzwvwugAbiza
Asynchronous elapsed time = 5.373952ms
```

So we can consider that the asynchronous approach is better. Moreover, it's more stable. In fact, synchronous parsing running time was extremely unstable as it was sometimes as fast as asynchronous.

Asynchronous threads are good to split the tasks on the multiple CPUs but it needs a pretty decent computer. Also, it takes time to create a new child process so it's not interesting to use asynchronous actions on a little set of data. The longer the data set, the more time saved!

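Added example, not code from this repository or from either participant: one way the loop in item 4 can be expressed with the Stream API using only char numeric values (item 3), with the key taken from the command line (item 1) and a sequential/parallel timing loop for item 5. The class name `CaesarStreams`, the helper names and the sample strings are constructed for illustration; unlike the loop above, this version leaves every non-letter unchanged, not only digits.

```java
import java.util.Collections;
import java.util.List;
import java.util.stream.Collectors;
import java.util.stream.Stream;

public class CaesarStreams {
    private static final int ALPHABET_SIZE = 26;

    // Rotate one character using only its numeric value; digits and
    // punctuation pass through unchanged.
    static int rotateChar(int c, int offset) {
        int base;
        if (c >= 'a' && c <= 'z') base = 'a';
        else if (c >= 'A' && c <= 'Z') base = 'A';
        else return c;
        // floorMod keeps the index in 0..25 for negative keys such as -4.
        return base + Math.floorMod(c - base + offset, ALPHABET_SIZE);
    }

    // Stream version of the loop: characters -> rotated characters -> String.
    static String rotate(String input, int offset) {
        return input.chars()
                .map(c -> rotateChar(c, offset))
                .collect(StringBuilder::new, StringBuilder::appendCodePoint, StringBuilder::append)
                .toString();
    }

    static List<String> rotateAll(List<String> inputs, int offset, boolean parallel) {
        Stream<String> s = parallel ? inputs.parallelStream() : inputs.stream();
        return s.map(v -> rotate(v, offset)).collect(Collectors.toList());
    }

    static long timeNanos(List<String> inputs, int offset, boolean parallel) {
        long start = System.nanoTime();
        rotateAll(inputs, offset, parallel);
        return System.nanoTime() - start;
    }

    public static void main(String[] args) {
        int key = args.length > 0 ? Integer.parseInt(args[0]) : -4; // key as CLI argument
        System.out.println(rotateAll(List.of("Lipps1", "Asvph", "xiwx-42"), key, false)); // constructed sample
        for (int n : new int[] {69, 500_000}) {
            List<String> data = Collections.nCopies(n, "Lipps1Asvph"); // constructed input
            rotateAll(data, key, true); rotateAll(data, key, false);     // warm up the JIT
            System.out.printf("n=%d sequential=%dus parallel=%dus%n", n,
                    timeNanos(data, key, false) / 1000, timeNanos(data, key, true) / 1000);
        }
    }
}
```

Single-shot `System.nanoTime()` measurements are noisy, so run it several times or use a benchmark harness such as JMH before drawing conclusions from the two columns.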
Author
Member

👋 @Mateo, starting to look good, left some comments directly in the PR. Let me know if the hints are enough 👍

Reference: Stage/bug-bounty-reports#3