Detection / Protection
Standard (statistical) pseudo-random number generators are built for reproducible, well-distributed output, not for resisting an adversary, and cannot withstand cryptographic attacks.
Insecure randomness errors occur when a function that can produce predictable values is used as a source of randomness in a security-sensitive context.
How to solve it
The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase (DO NOT DO THIS).
This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because java.util.Random is a statistical PRNG (a 48-bit linear congruential generator), an attacker who observes a few of its outputs can recover its internal state and predict every identifier it will produce next, so the receipt URLs are easy to guess. Although the underlying design of the receipt system is also faulty (it relies on the receipt URL being unguessable), it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG, and if the identifiers were long enough (128 bits or more) that they cannot be enumerated by brute force while the receipt remains active.
The following code uses Java's SecureRandom class to generate a cryptographically strong pseudo-random number (DO THIS):
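The following is an added worked example, not code from the original page. It puts the insecure receipt-URL generator beside a SecureRandom-based replacement, and goes one step beyond the text by showing why java.util.Random is "easy to guess": an attacker who has seen two receipt URLs can recover the generator's 48-bit state and predict the next customer's URL before it is issued. The base URL, the class and method names, and the unsigned-integer identifier format are assumptions made for this example.

```java
import java.security.SecureRandom;
import java.util.Base64;
import java.util.Random;

public class ReceiptUrls {
    // Assumed base URL for this example.
    private static final String BASE_URL = "https://shop.example/receipt/";
    // Constants of java.util.Random's linear congruential generator.
    private static final long MULT = 0x5DEECE66DL, ADD = 0xBL, MASK = (1L << 48) - 1;

    // DO NOT DO THIS: java.util.Random is a 48-bit LCG, so its output is
    // predictable from a couple of observed values.
    static String insecureReceiptUrl(Random ranGen) {
        return BASE_URL + Integer.toUnsignedString(ranGen.nextInt()) + ".html";
    }

    // Extract the 32-bit identifier from a URL produced by insecureReceiptUrl().
    static int idFromUrl(String url) {
        String id = url.substring(BASE_URL.length(), url.length() - ".html".length());
        return Integer.parseUnsignedInt(id);
    }

    // Attacker view: given two consecutive nextInt() outputs, brute-force the
    // 16 low state bits that nextInt() discards, verify the candidate against
    // the second output, and return a Random that emits the same future sequence.
    static Random cloneFromOutputs(int out1, int out2) {
        long high = (out1 & 0xFFFFFFFFL) << 16;   // bits 16..47 of the state
        for (long low = 0; low < (1L << 16); low++) {
            long s1 = high | low;
            long s2 = (s1 * MULT + ADD) & MASK;
            if ((int) (s2 >>> 16) == out2) {
                // Random(seed) XORs the seed with MULT before storing it; undo that.
                return new Random(s2 ^ MULT);
            }
        }
        throw new IllegalStateException("outputs were not produced by java.util.Random");
    }

    // DO THIS: SecureRandom draws from the platform CSPRNG, and 128 bits of
    // entropy cannot be predicted or enumerated while the receipt is active.
    static String secureReceiptUrl(SecureRandom secureRandom) {
        byte[] token = new byte[16];
        secureRandom.nextBytes(token);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        return BASE_URL + id + ".html";
    }

    public static void main(String[] args) {
        Random ranGen = new Random();
        // Two receipts the attacker obtained legitimately, e.g. from two purchases.
        String first = insecureReceiptUrl(ranGen);
        String second = insecureReceiptUrl(ranGen);
        Random clone = cloneFromOutputs(idFromUrl(first), idFromUrl(second));
        // The next customer's receipt URL, predicted before the shop issues it.
        String predicted = BASE_URL + Integer.toUnsignedString(clone.nextInt()) + ".html";
        String actual = insecureReceiptUrl(ranGen);
        System.out.println("predicted " + predicted + (predicted.equals(actual) ? " == actual" : " != actual"));
        System.out.println("secure    " + secureReceiptUrl(new SecureRandom()));
    }
}
```

Two points a reviewer would check in the hardened version: the identifier comes from nextBytes() rather than nextInt(), because a cryptographically strong 32-bit value is still only 2^32 guesses away during the receipt's lifetime, and SecureRandom is constructed once and reused rather than re-created per request, which is both cheaper and avoids repeatedly draining the system entropy source.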