WEAK RANDOMNESS

Feature     Value
Type        Detection / Protection
Risk        OWASP A3
Covered by  Agent

Standard pseudo-random number generators cannot withstand cryptographic attacks.

Insecure randomness errors occur when a function that can produce predictable values is used as the source of randomness in a security-sensitive context.

More information

How to solve it

The following code uses a statistical PRNG to create a URL for a receipt that remains active for some period of time after a purchase (DO NOT DO THIS).

import java.util.Date;
import java.util.Random;

// Vulnerable: java.util.Random is a statistical PRNG, and seeding it with the
// current time makes each receipt identifier a function of the purchase time.
String generateReceiptURL(String baseUrl) {
    Random ranGen = new Random();
    ranGen.setSeed((new Date()).getTime());
    return baseUrl + ranGen.nextInt(400000000) + ".html";
}

This code uses the Random.nextInt() function to generate "unique" identifiers for the receipt pages it generates. Because Random.nextInt() is a statistical PRNG, it is easy for an attacker to guess the strings it generates. Although the underlying design of the receipt system is also faulty, it would be more secure if it used a random number generator that did not produce predictable receipt identifiers, such as a cryptographic PRNG.

The following code uses Java's SecureRandom class to generate a cryptographically strong pseudo-random number (DO THIS):

import java.security.SecureRandom;

// SecureRandom is a cryptographically strong PRNG seeded from the platform's
// entropy source; no manual seeding is needed.
public static int generateRandom(int maximumValue) {
    SecureRandom ranGen = new SecureRandom();
    return ranGen.nextInt(maximumValue);
}
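As an added example (not code from the page or the product it documents), the receipt URL generator above rewritten on SecureRandom. It goes slightly beyond the page's fix: instead of a bounded nextInt() it draws 128 bits so the identifier space is too large to enumerate even though the generator is unpredictable; the class name ReceiptUrls and the base URL are assumptions.

```java
import java.security.SecureRandom;
import java.util.Base64;

public class ReceiptUrls {
    // One shared instance: SecureRandom is thread-safe and self-seeds from the
    // OS entropy source. Never reseed it from the clock as the weak version did.
    private static final SecureRandom RNG = new SecureRandom();

    // Hypothetical hardened replacement for generateReceiptURL(): 16 bytes of
    // CSPRNG output, encoded as URL-safe Base64 without padding (22 characters).
    static String generateReceiptURL(String baseUrl) {
        byte[] token = new byte[16];
        RNG.nextBytes(token);
        String id = Base64.getUrlEncoder().withoutPadding().encodeToString(token);
        return baseUrl + id + ".html";
    }

    public static void main(String[] args) {
        // Constructed base URL for demonstration only.
        String base = "https://shop.example/receipts/";
        System.out.println(generateReceiptURL(base));
        System.out.println(generateReceiptURL(base));
    }
}
```

Each run prints two distinct URLs; the identifier is 22 URL-safe characters rather than a number below 400000000.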