Finished up Docu for Facepalm, will read over it again later.

Robert Quander · Robert Quander · commit 7a635b8b4858 · 2025-08-10T10:26:11.000+02:00
diff --git a/documentation/README.md b/documentation/README.md
@@ -19,8 +19,16 @@ Facepalm Documentation
     - [Creating, viewing and joining Events](#creating-viewing-and-joining-events)
   - [5. The Exploits and their fixes](#5-the-exploits-and-their-fixes)
     - [5.1 Insecure UUID Generation](#51-insecure-uuid-generation)
+      - [Vulnerability](#vulnerability)
       - [Exploit](#exploit)
       - [The Fix](#the-fix)
+    - [5.2 Cropped Keys](#52-cropped-keys)
+      - [Vulnerability](#vulnerability-1)
+      - [Exploit](#exploit-1)
+      - [The Fix](#the-fix-1)
+  - [6. File Structure](#6-file-structure)
+    - [6.1 Checker](#61-checker)
+    - [6.2 Service](#62-service)
 
 
 ## 1. Introduction
@@ -134,6 +142,8 @@ Then all events can be viewed, and, if not already in it, access can be requeste
 
 ### 5.1 Insecure UUID Generation
 
+#### Vulnerability
+
 The User IDs and the Post IDs are both derived deterministically (in the classes `IdentifierGenerator.swift` and `PostIDGenerator.swift`, respectively).
 
 The User ID is directly derived from a (padded or cut) username, while the PostID is derived from the User ID, a counter (initialized to 0) and a timestamp (with `minute` precision). These values are `XOR`ed together, and then form the (derivable) PostID.
@@ -157,4 +167,98 @@ return uuid()
 
 This returns a secure uuid, from which the postID is then derived. For additional security, this could also be replaced by the same logic. 
 
-Alternatively, only the PostID generation could be made secure. In the current state of development for facepalm, the deterministic User ID does not have implications (that have been found).
+Alternatively, only the PostID generation could be made secure. In the current state of development for facepalm, the deterministic User ID does not have implications (that have been found).
+
+### 5.2 Cropped Keys
+
+#### Vulnerability
+
+When generating the key used to enter an event, a 32 char long random hex numbers is generated and used as the key. When storing this numbers in the DB, though, only the first byte of the key is stored - thus making the search space $2^{8}$ instead of $2^{32}$. Since multiple keys at once can be uploaded, a huge keyfile containing all keys that hash to the complete set of keys can be uploaded in one go, allowing access to all events.
+
+#### Exploit
+
+To exploit the vulnerability, the own keystore (which is in the DB for the user) needs to be filled with 32 char long strings that hash to `00` to `ff`. A brute force approach can be used, since the search room is relatively small. A file containing a variety of keys to get the flags is also stored in `checker/src`. These are used by the checker to automatically exploit the vulnerability if needed.
+
+#### The Fix
+
+The fix here is to simple store the entire key in the DB. This requires the removal of `prefix(1)` from every interaction with the keys. E.g. when storing the key in the DB, this is called, and needs to be changed as follows:
+
+```Swift
+--- self.eventKey = hash.prefix(1).map { String(format: "%02x", $0) }.joined() // removed
+
++++ self.eventKey = hash.map { String(format: "%02x", $0) }.joined() // added
+```
+
+Then, the entire key is stored, and the search room is now $2^{32}$, making the key a secure method.
+
+## 6. File Structure
+
+### 6.1 Checker
+```bash
+checker
+├── docker-compose.yaml
+├── Dockerfile
+├── requirements.txt
+└── src
+    ├── automatedExploit.py
+    ├── checkerArchived.py
+    ├── checker.py
+    ├── event_templates.txt
+    ├── FinalFinalTry.py
+    ├── gunicorn.conf.py
+    ├── keysGenerator.py
+    ├── key.txt
+    ├── logs.txt
+    ├── noise-posts.txt
+    └── uuidTest.py
+```
+
+### 6.2 Service
+```bash
+service
+├── data
+│   └── uploads
+├── docker-compose.yml
+├── Dockerfile
+├── Package.swift
+├── Public
+│   └── facepalm_logo.png
+├── README_Before_playing.md
+├── Sources
+│   ├── App
+│   │   ├── configure.swift
+│   │   ├── Globals.swift
+│   │   ├── Middleware
+│   │   │   └── NotFoundMiddleware.swift
+│   │   ├── Migrations
+│   │   │   ├── AddCreatedAtToProfile.swift
+│   │   │   ├── AddCreatedAtToUser.swift
+│   │   │   └── AddPostCounterToUser.swift
+│   │   ├── Models
+│   │   │   ├── CreateEventInvite.swift
+│   │   │   ├── CreateEventRequest.swift
+│   │   │   ├── CreateEvent.swift
+│   │   │   ├── CreatePost.swift
+│   │   │   ├── CreateProfileFollow.swift
+│   │   │   ├── CreateProfile.swift
+│   │   │   ├── CreateToken.swift
+│   │   │   ├── CreateUser.swift
+│   │   │   ├── EventInvite.swift
+│   │   │   ├── EventRequest.swift
+│   │   │   ├── Event.swift
+│   │   │   ├── IdentifierGenerator.swift
+│   │   │   ├── PostForm.swift
+│   │   │   ├── PostIDGenerator.swift
+│   │   │   ├── Post.swift
+│   │   │   ├── ProfileFollow.swift
+│   │   │   ├── Profile.swift
+│   │   │   ├── Token.swift
+│   │   │   └── User.swift
+│   │   ├── routes.swift
+│   │   └── Utils
+│   │       ├── ErrorPages.swift
+│   │       └── StringAppend.swift
+│   └── Run
+│       └── main.swift
+└── uploads
+```
