Java Use Of Insecure Random
Description
This vulnerability detector identifies the use of cryptographically insecure random number generators (java.util.Random) for security-sensitive operations like encryption or key generation. Using predictable random numbers in cryptographic contexts allows attackers to potentially predict or reproduce sensitive values, compromising security.
Detection Strategy
• Checks if the code imports java.util.Random or java.util.* packages
• Identifies calls to cryptographic functions that accept random byte arrays as parameters
• Traces the data flow of arguments passed to these cryptographic functions
• Reports a vulnerability when a cryptographic function receives a byte array that was generated using java.util.Random's nextBytes() method
• Only triggers when the insecure random source directly flows into security-sensitive cryptographic operations
Vulnerable code example
import java.util.Random;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class InsecureRandomCrypto {
public void generateCryptoMaterial() {
Random r = new Random();
...✅ Secure code example
import java.security.SecureRandom;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
public class SecureRandomCrypto {
public void generateCryptoMaterial() {
SecureRandom sr = new SecureRandom(); // Use SecureRandom for cryptographic operations
...Search for vulnerabilities in your apps for free with Fluid Attacks' automated security testing! Start your 21-day free trial and discover the benefits of the Continuous Hacking Essential plan. If you prefer the Advanced plan, which includes the expertise of Fluid Attacks' hacking team, fill out this contact form.