KelvinTegelaar / AzPwPush


Consider GUID instead of numeric ID #4

Closed shellster closed 3 years ago

shellster commented 3 years ago

Password URLs pick a random URL number between 1 and 999999999999999. This can result in very short URLs that are easily enumerated. Given that there is no rate limiting, there is a pretty decent chance that an attacker could successfully enumerate a password in a reasonable period of time. Please consider something like [guid]::NewGuid() instead for the ID.
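To put numbers on the comparison above, here is an added PowerShell illustration (not code from the AzPwPush project or from the commenter). It computes the bits of entropy behind an ID drawn from the numeric range quoted in the issue versus a version 4 GUID, generates an ID the way the issue proposes, and adds a server-side format check before any lookup. The function names `Get-IdEntropyBits`, `New-PasswordId` and `Test-PasswordId` are my own, and the compact 32-hex-character rendering of the GUID is an assumption about how the ID would appear in the URL.

```powershell
# Added example, not AzPwPush project code: compares the key space of the
# numeric ID scheme described in the issue with a GUID-based ID, and shows
# how a GUID ID could be generated and validated. Function names are my own.

# Entropy in bits of an ID drawn uniformly from a space of $Size values.
function Get-IdEntropyBits {
    param([Parameter(Mandatory)][double]$Size)
    return [math]::Log($Size, 2)
}

# The numeric scheme from the issue: a random integer between 1 and 999999999999999.
$numericSpace = 999999999999999
# A version 4 GUID carries 122 random bits (6 bits are fixed version/variant fields).
$guidSpace = [math]::Pow(2, 122)

'{0,-12} {1,8:N1} bits' -f 'numeric', (Get-IdEntropyBits $numericSpace)
'{0,-12} {1,8:N1} bits' -f 'guid',    (Get-IdEntropyBits $guidSpace)

# Proposed ID generation: [guid]::NewGuid(), as the issue suggests, rendered
# in the compact 'N' format (32 hex characters, no braces or dashes) for the URL.
# The 'N' rendering is an assumption about URL layout, not something the issue specifies.
function New-PasswordId {
    return [guid]::NewGuid().ToString('N')
}

# Server-side check before any lookup: accept only a well-formed 32-hex-character
# ID so malformed or undersized input never reaches the storage query.
function Test-PasswordId {
    param([Parameter(Mandatory)][string]$Id)
    return $Id -match '^[0-9a-f]{32}$'
}

$id = New-PasswordId
"Generated ID: $id (well-formed: $(Test-PasswordId $id))"
"Short numeric input accepted? $(Test-PasswordId '123456')"
```

The entropy figures make the gap concrete: the numeric range is just under 50 bits, while a GUID gives 122 random bits, and the format check means the service rejects anything that is not a full-length ID before touching storage. Rate limiting on the lookup endpoint would still be worth adding independently of the ID format.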

KelvinTegelaar commented 3 years ago

First off, thanks for the PR! It's great to have some help on the project. Unfortunately I've already implemented some of these fixes myself but did not upload. :) I'm uploading some of them and checking if I can/still need to integrate your changes too.

This one has been solved.