Sokudo - BAC #2

Enumeration

After clicking around as usual, I noticed a different thing to my normal I am used to seeing you things

The token that was created, has a date.
Definitely worth exploring this, hence this is where I pointed our friendly Caido MCP

I will take you on a journey of my prompts today to show the way I am thinking and how Claude is handling it
Image #1 is screenshot of the dashboard in the web app

At this point I felt it would have been a moment .. and it was less than 5 seconds before it found it all and did a writeup

Tokens generated using predictable timestamps (YYYYMMDDHHMMSS format from login time)
/api/stats/leaderboard endpoint publicly exposes last_login timestamps for all users
No cryptographic signing or randomness in token generation

Use cryptographically secure tokens
- Generate tokens with crypto.randomBytes(32).toString(‘hex’) or UUID v4
- Never derive tokens from predictable or guessable values like timestamps
Don’t expose sensitive timestamps
- Remove last_login from public endpoints
- Or display relative time (“5 mins ago”) without exact timestamps
Implement proper session management
- Use signed JWTs with server-side secret
- Include user ID and role in token payload with signature verification
- Set token expiration (short-lived access tokens + refresh tokens)
Add token binding
- Tie tokens to IP address or device fingerprint
- Invalidate tokens on password change or logout