Replay Attack Agent
Detect vulnerabilities to replay attacks in authentication and transaction systems.
Overview
Agent Name: ReplayAttackAgent
Scan Type: replay-attack
Credit Cost: 1 credit
Target Types: APIs, authentication endpoints, transaction systems
Capabilities
- Nonce validation testing
- Timestamp verification
- Token replay detection
- Session replay prevention
- Transaction idempotency checks
- Request signature validation
- Challenge-response testing
Usage
# Test API for replay vulnerabilities
alprina scan https://api.example.com --type replay-attack
# Comprehensive replay testing
alprina scan https://api.example.com --type replay-attack --profile comprehensive
What It Tests
- Authentication Replay
  - Login token reuse
  - Session token replay
  - OAuth token replay
  - API key replay
- Transaction Replay
  - Payment double-processing
  - Order duplication
  - Action replay (delete, update)
- Mitigation Checks
  - Nonce implementation
  - Timestamp validation
  - Request signing
  - Idempotency keys
Example Output
{
  "scan_id": "scan_replay606",
  "findings": [
    {
      "severity": "high",
      "title": "API Allows Request Replay",
      "description": "Authentication tokens can be reused without time limit or nonce",
      "endpoint": "POST /api/transfer",
      "attack_scenario": "Attacker intercepts transfer request, replays it to duplicate transaction",
      "recommendation": "Implement:\n1. Nonce (unique request ID)\n2. Timestamp with 5-minute window\n3. Request signature",
      "example_fix": "Include headers:\nX-Request-ID: unique-nonce\nX-Timestamp: 1704470400\nX-Signature: hmac-sha256(request_body + timestamp)"
    }
  ]
}
Mitigation Strategies
1. Nonces
# Client generates a unique request ID
import uuid
nonce = str(uuid.uuid4())
# Server validates that the nonce has not been used yet. Note that the
# exists/setex pair is not atomic; under concurrent requests prefer a
# single SET NX EX so two copies of the same request cannot both pass.
if redis.exists(f"nonce:{nonce}"):
    return error("Request already processed")
redis.setex(f"nonce:{nonce}", 300, "1")  # 5 min expiry
2. Timestamps
# Client sends timestamp
import time
timestamp = int(time.time())
# Server validates recency
request_time = int(request.headers.get('X-Timestamp'))
if abs(time.time() - request_time) > 300:  # 5 minutes
    return error("Request expired")
3. Request Signatures
import hashlib
import hmac
# Client signs the request body and timestamp and sends the result as X-Signature
signature = hmac.new(
    secret_key,
    f"{request_body}{timestamp}".encode(),
    hashlib.sha256
).hexdigest()
# Server reads the client's signature and recomputes it over the received body and timestamp
signature = request.headers.get('X-Signature', '')
expected = hmac.new(
    secret_key,
    f"{request_body}{timestamp}".encode(),
    hashlib.sha256
).hexdigest()
# Constant-time comparison avoids leaking the expected value through timing
if not hmac.compare_digest(signature, expected):
    return error("Invalid signature")
4. Idempotency Keys
import json
# Client provides idempotency key
idempotency_key = request.headers.get('Idempotency-Key')
# Server checks if already processed
result = redis.get(f"idempotent:{idempotency_key}")
if result:
    return json.loads(result)  # Return cached result
# Process and cache result for 24 hours
result = process_transaction()
redis.setex(f"idempotent:{idempotency_key}", 86400, json.dumps(result))
return result
Common Vulnerabilities
- No replay protection at all
- Tokens without expiration
- Missing nonce validation
- Weak timestamp windows
- No request signing
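The nonce, timestamp and signature strategies above combined into one server-side verifier, as an added example that is not code from the Alprina agent or its docs; the shared secret and the in-memory nonce table are constructed stand-ins for a per-client key and a Redis store. It goes one step beyond the body+timestamp signature in the example output by also binding X-Request-ID into the signed message: a nonce the signature does not cover can be swapped on a replayed request, which would defeat the nonce check entirely.

```python
import hashlib
import hmac
import time
import uuid

SECRET_KEY = b"example-shared-secret"   # constructed; real deployments load per-client keys from a secret store
WINDOW_SECONDS = 300                    # 5-minute timestamp window, as in the finding above
_seen_nonces = {}                       # nonce -> expiry time; stands in for Redis SET NX EX

def sign(body: bytes, timestamp: int, nonce: str) -> str:
    """Client side: HMAC-SHA256 over body, timestamp and nonce (sent as X-Signature)."""
    msg = body + b"|" + str(timestamp).encode() + b"|" + nonce.encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def build_request(body: bytes) -> dict:
    """Client side: attach the anti-replay headers named in the example output."""
    ts, nonce = int(time.time()), str(uuid.uuid4())
    return {"body": body, "X-Request-ID": nonce, "X-Timestamp": str(ts),
            "X-Signature": sign(body, ts, nonce)}

def _claim_nonce(nonce: str, now: float) -> bool:
    """Check and record in one step: reject an unexpired nonce, otherwise store it."""
    expiry = _seen_nonces.get(nonce)
    if expiry is not None and expiry > now:
        return False
    _seen_nonces[nonce] = now + WINDOW_SECONDS
    return True

def verify_request(req: dict, now=None) -> tuple:
    """Server side: timestamp window, then signature, then nonce, in that order."""
    now = time.time() if now is None else now
    try:
        ts = int(req["X-Timestamp"])
    except (KeyError, ValueError):
        return False, "missing or malformed timestamp"
    if abs(now - ts) > WINDOW_SECONDS:
        return False, "request expired"
    nonce = req.get("X-Request-ID", "")
    if not nonce:
        return False, "missing nonce"
    expected = sign(req["body"], ts, nonce)
    # Constant-time compare, done before the nonce store is touched so that
    # unauthenticated junk cannot burn nonces or fill the store.
    if not hmac.compare_digest(req.get("X-Signature", ""), expected):
        return False, "invalid signature"
    if not _claim_nonce(nonce, now):
        return False, "request already processed"
    return True, "ok"
```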