Golang Snippet #03

This challenge covers the review of a snippet of code written in Golang

< 1 Hr.


In this code review snippet, we analyze two Golang functions: `SignforPayment` and `verifyPayment`. The `SignforPayment` function concatenates a user string and an amount integer to create a data string, then generates an HMAC-SHA256 signature for this data using a secret key. The `verifyPayment` function takes the data and the provided signature to check if the signature is valid by recomputing the HMAC-SHA256 signature and comparing it to the provided one.

The primary issue identified in this code is that the application does not ensure the user string does not contain a colon. A malicious user could manipulate the signature verification process by including a colon in the username, thus altering the expected behavior when the data string is split. This vulnerability allows a user to craft a username in such a way that the amount can be misinterpreted, leading to potential security breaches.

Want to learn more? Get started with PentesterLab Pro! GO PRO