AttackFlow Findings Dictionary


Insecure Random Number Generator

The attacker can predict the next generated value before the algorithm produces it.

Severity

High

Fix Cost

Medium

Trust Level

Medium

Producing random values is a common requirement in software projects. Computers do not produce true randomness, only pseudo-randomness, and a pseudo-random sequence is deterministic: given the same seed (and seeds are often derived from something as guessable as the current time), it is reproducible.

Pseudo-random number generators are used to produce secret keys for encryption algorithms, but they are also used to identify users (session cookies), to produce SMS OTPs, temporary file names, and so on. Any such value that an attacker can predict is no longer a secret.

By using a non-cryptographic random number generator for these values, developers make the attacker's job easier. The code below uses an insecure random number generator (System.Random, which is seeded and not designed to resist prediction); the 8-character "random" strings it produces can be predicted by an attacker who has observed earlier output.

using System;

// Insecure: System.Random is a seeded PRNG, not a CSPRNG, so its output is predictable.
string GenerateToken()
{
    var chars = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    var output = new char[8];
    var random = new Random();
    for (int i = 0; i < output.Length; i++)
    {
        output[i] = chars[random.Next(chars.Length)];
    }
    return new String(output);
}

The same pattern in Java, using java.util.Random, is equally predictable: its 48-bit linear congruential state can be recovered from a few observed outputs.

import java.util.Random;

// Insecure: java.util.Random is a 48-bit LCG whose state can be recovered from its output.
static String generateToken() {
    String symbols = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    Random random = new Random();
    char[] buffer = new char[8];
    for (int i = 0; i < buffer.length; ++i) {
        buffer[i] = symbols.charAt(random.nextInt(symbols.length()));
    }
    return new String(buffer);
}
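As an added example that is not part of the AttackFlow page, the following Java program shows why the finding is rated High. java.util.Random is a 48-bit linear congruential generator whose nextInt() returns the top 32 bits of its state, so two consecutive outputs leave only 65,536 candidates for the full state. The program recovers the state, builds a synchronized copy of the generator, and predicts the 8-character token that the page's loop produces next; the same loop driven by java.security.SecureRandom is the fix. The class and method names (PredictableTokens, token, cloneFromOutputs) are assumptions of this example; the LCG constants are those documented in the JDK for java.util.Random.

```java
import java.security.SecureRandom;
import java.util.Random;

public class PredictableTokens {
    // Constants of the 48-bit linear congruential generator behind java.util.Random
    // (documented in the JDK: seed = (seed * 0x5DEECE66DL + 0xBL) & ((1L << 48) - 1)).
    private static final long MULT = 0x5DEECE66DL;
    private static final long ADD = 0xBL;
    private static final long MASK = (1L << 48) - 1;
    private static final String SYMBOLS =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";

    // The page's token generator: 8 symbols drawn from whatever Random is passed in.
    static String token(Random random) {
        char[] buffer = new char[8];
        for (int i = 0; i < buffer.length; ++i) {
            buffer[i] = SYMBOLS.charAt(random.nextInt(SYMBOLS.length()));
        }
        return new String(buffer);
    }

    // One LCG step, exactly as java.util.Random.next() advances its seed.
    private static long step(long seed) {
        return (seed * MULT + ADD) & MASK;
    }

    // nextInt() exposes bits 16..47 of the 48-bit state, so only the low 16 bits are
    // unknown. Try all 2^16 candidates and keep the one that reproduces the second output.
    // Returns a Random whose internal state equals the victim's after that second output.
    static Random cloneFromOutputs(int out1, int out2) {
        long upper = (out1 & 0xFFFFFFFFL) << 16;   // mask first: avoid sign extension
        for (long low = 0; low < (1L << 16); low++) {
            long state = upper | low;
            long next = step(state);
            if ((int) (next >>> 16) == out2) {
                // A false match has probability about 2^-16; a third output would confirm it.
                // new Random(seed) xors the seed with MULT before use, so undo that here.
                return new Random(next ^ MULT);
            }
        }
        throw new IllegalStateException("outputs were not produced by java.util.Random");
    }

    public static void main(String[] args) {
        Random victim = new Random();
        // Attacker observes two leaked 32-bit values from the same generator
        // (constructed scenario: e.g. numeric IDs issued before the token)...
        int a = victim.nextInt();
        int b = victim.nextInt();
        // ...and reconstructs a copy of the generator that is in lock-step with the victim.
        Random attacker = cloneFromOutputs(a, b);

        String victimToken = token(victim);
        String predicted = token(attacker);
        System.out.println("victim: " + victimToken + "  predicted: " + predicted
            + "  match=" + victimToken.equals(predicted));

        // The fix: SecureRandom draws from the platform CSPRNG. It extends Random, so
        // the same loop works, but observed output no longer reveals future output.
        SecureRandom secure = new SecureRandom();
        System.out.println("secure token: " + token(secure));
    }
}
```

The page's loop calls nextInt(bound), which leaks only part of the state per call, so an attacker who sees tokens alone needs more observations and a slightly larger search than the 2^16 candidates used here; the 2^48 state space is still far too small to resist an offline brute force. SecureRandom is seeded from the operating system's entropy source and is designed so that its output cannot be extrapolated from earlier output, which is the property a session identifier, OTP, or key actually requires.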
