Insecure generation of random numbers

Description

The system uses insecure functions, insufficient ranges or low-entropy components to generate random numbers. This could allow an attacker to guess the generation sequence after a short time or predict results using probabilistic methods.

Impact

Predict the sequence of random numbers to create new attack vectors.

Recommendation

Use the most secure mechanisms offered by the language to generate random numbers.

Threat

Authenticated attacker from the Internet.

Expected Remediation Time

⌚ 15 minutes.

Score

Default score using CVSS 3.1. It may change depending on the context of the vulnerability.

Base

  • Attack vector: N
  • Attack complexity: H
  • Privileges required: N
  • User interaction: N
  • Scope: U
  • Confidentiality: L
  • Integrity: N
  • Availability: N

Temporal

  • Exploit code maturity: P
  • Remediation level: O
  • Report confidence: C

Result

  • Vector string: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C
  • Score:
    • Base: 3.7
    • Temporal: 3.4
  • Severity:
    • Base: Low
    • Temporal: Low

Code Examples

Compliant code

The application should implement secure randomization algorithms at every step.

import java.io.IOException;
import java.security.SecureRandom;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BenchmarkTest00167 extends HttpServlet {
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    // SecureRandom draws from a cryptographically strong entropy source
    SecureRandom rand = new SecureRandom();

    // 64 random bits from the secure generator
    long l = rand.nextLong();
    String rememberMeKey = Long.toString(l);

    String cookieName = "rememberMe";
    request.getSession().setAttribute(cookieName, rememberMeKey);
  }
}
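The compliant servlet above draws a single 64-bit long from SecureRandom and stores its decimal string. The following is an added example, not code from the page or from the OWASP Benchmark project, showing the same idea carried a step further: a reusable token generator (the class and method names are hypothetical) that takes a configurable number of bytes from SecureRandom, enforces a minimum entropy size, and encodes the bytes as a URL-safe string suitable for a cookie value.

```java
import java.security.SecureRandom;
import java.util.Base64;

// Added example (hypothetical class, not the page's own code): a remember-me
// token generator backed by SecureRandom.
public class SecureTokenGenerator {
    // SecureRandom is thread-safe; one shared instance per application is
    // sufficient and avoids the cost of seeding a new generator per request.
    private static final SecureRandom RNG = new SecureRandom();

    // Minimum token size: 16 bytes = 128 bits of entropy (constructed
    // threshold for this example; pick it to match your own policy).
    private static final int MIN_TOKEN_BYTES = 16;

    // Returns a URL-safe Base64 token built from numBytes of
    // cryptographically secure random data.
    public static String generateToken(int numBytes) {
        if (numBytes < MIN_TOKEN_BYTES) {
            throw new IllegalArgumentException(
                "token must have at least " + MIN_TOKEN_BYTES + " bytes of entropy");
        }
        byte[] buf = new byte[numBytes];
        RNG.nextBytes(buf);
        // withoutPadding() keeps the cookie value free of '=' characters
        return Base64.getUrlEncoder().withoutPadding().encodeToString(buf);
    }

    public static void main(String[] args) {
        String a = generateToken(32);
        String b = generateToken(32);
        System.out.println("token 1: " + a);
        System.out.println("token 2: " + b);
        // Two independently generated tokens must not collide
        System.out.println("distinct: " + !a.equals(b));

        try {
            generateToken(8);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected short token: " + e.getMessage());
        }
    }
}
```

Inside the servlet this would replace the `Long.toString(l)` step with `request.getSession().setAttribute("rememberMe", SecureTokenGenerator.generateToken(32));`. Using `nextBytes` on a byte array rather than a single `nextLong()` makes the amount of entropy explicit and adjustable, and the size check turns an accidental low-entropy token into an error at development time rather than a weakness in production.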

Non compliant code

Insecure method to generate random numbers.

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

public class BenchmarkTest00167 extends HttpServlet {
  @Override
  public void doPost(HttpServletRequest request, HttpServletResponse response)
      throws ServletException, IOException {
    response.setContentType("text/html;charset=UTF-8");
    // java.util.Random is a non-cryptographic generator: its output is
    // predictable, so the resulting key is unsuitable as a security token
    long l = new java.util.Random().nextLong();
    String rememberMeKey = Long.toString(l);
    String cookieName = "rememberMe";
    request.getSession().setAttribute(cookieName, rememberMeKey);
  }
}

Requirements