Insecure Random Seed

Insecure Random Seed

Risk: medium

Description

Random number generator is seeded using constant value which results in the generation of predictable numbers.

Recommendation

Do not seed Random with the current time because that value is more predictable to an attacker than the default seed.

The java.util.Random class must not be used either for security-critical applications or for protecting sensitive data. Use a more secure random number generator, such as the java.security.SecureRandom class.

Links

• CWE-330: Use of Insufficiently Random Values
• MSC02-J. Generate strong random numbers (CERT Secure Coding)

Standards

• OWASP_MASVS_L1:
  • MSTG_CRYPTO_6
• OWASP_MASVS_L2:
  • MSTG_CRYPTO_6
• PCI_STANDARDS:
  • REQ_2_2
  • REQ_6_2