Golang Snippet #02

This challenge covers the review of a snippet of code written in Golang

PRO
Tier
Easy
< 1 Hr.
808

Course


In this lab, we explore a Golang snippet with three functions: `buildSignatureforPayment`, `buildUrl`, and `verifyPayment`. These functions work together to create and verify a payment signature using HMAC with SHA-256. The code concatenates the user and amount to produce a signature, which is then used to construct a URL for payment processing.

However, the code has a significant flaw: it concatenates the user and amount directly without a separator. This can lead to collisions where different user and amount combinations produce the same HMAC signature. For example, a user "test" with an amount of 20 and a user "test2" with an amount of 0 both produce the same signature, causing a security vulnerability. This issue highlights the importance of using separators when concatenating values for signature generation to avoid such collisions.

Want to learn more? Get started with PentesterLab Pro! GO PRO