Insecure Randomness


The software may use insufficiently random numbers or values in a security context that depends on unpredictable numbers. When software generates predictable values in a context requiring unpredictability, an attacker may be able to guess the next value that will be generated and use this guess to impersonate another user or access sensitive information.

1. java.security.SecureRandom should be used instead of java.util.Random.

2. Use cryptographically secure generators that are strongly believed to be very difficult to predict.

Example: var rand10 = Math.random().toString().substr(2, 10);

The Math.random() call was traced to \lib\web\FormData.js (line 46) and a few other vendor files, e.g.:

this.boundary = '------RWWorkerFormDataBoundary' + Math.random().toString(36);


CWE code: CWE-676