Java Secure Random Hardcoded Seed Unsafe
Description
This detector identifies when Java's SecureRandom.setSeed() method is called with a hardcoded seed value. Using hardcoded seeds makes the random number generation predictable, defeating the cryptographic security that SecureRandom is designed to provide and potentially allowing attackers to predict generated values.
Detection Strategy
• Scans Java source code files that import java.security.SecureRandom or java.security.*
• Identifies method calls to 'setSeed' on SecureRandom objects
• Analyzes the first argument passed to setSeed() to determine if it's a hardcoded value (literal number, constant, or other non-dynamic value)
• Reports a vulnerability when setSeed() is called with a hardcoded seed rather than a dynamically generated or system-provided seed
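The four detection steps above as a small line-based scanner, an added example in Python rather than Fluid Attacks' own detector; the regular expressions, the function names and the Java sample it scans are all constructed for illustration:

```python
import re

IMPORT_RE = re.compile(r'^\s*import\s+java\.security\.(?:SecureRandom|\*)\s*;', re.M)
RECEIVER_RE = re.compile(r'\bSecureRandom\s+(\w+)\s*=')  # SecureRandom sr = ...
CONST_RE = re.compile(r'\bstatic\s+final\s+(?:long|int|byte\s*\[\s*\])\s+(\w+)\s*=\s*(?:\{[^}]*\}|-?\d\w*)\s*;')
ARRAY_RE = re.compile(r'\bbyte\s*\[\s*\]\s+(\w+)\s*=\s*\{[^}]*\}\s*;')  # byte[] seed = {1, 2};
CALL_RE = re.compile(r'\b(\w+)\s*\.\s*setSeed\s*\(\s*([^)]*?)\s*\)')  # receiver.setSeed(arg)
NUMBER_RE = re.compile(r'^(?:-?\d[\d_]*|0[xX][0-9a-fA-F_]+)[lL]?$')  # 123456L, 0x1F, ...

def is_hardcoded(arg, hardcoded_names):
    """Step 3: numeric, string or array literal, or a constant initialised with a literal."""
    arg = arg.strip()
    return bool(NUMBER_RE.match(arg)) or arg[:1] in ('"', '{') or arg.startswith('new byte') or arg in hardcoded_names

def find_hardcoded_seeds(source):
    """Return (line, receiver, argument) for each SecureRandom.setSeed() call with a hardcoded seed."""
    if not IMPORT_RE.search(source):  # step 1: only files that import SecureRandom
        return []
    receivers = set(RECEIVER_RE.findall(source))  # step 2: variables holding a SecureRandom
    hardcoded_names = set(CONST_RE.findall(source)) | set(ARRAY_RE.findall(source))
    findings = []
    for line_no, line in enumerate(source.splitlines(), 1):
        for receiver, arg in CALL_RE.findall(line):
            if receiver in receivers and is_hardcoded(arg, hardcoded_names):  # step 4: report
                findings.append((line_no, receiver, arg))
    return findings

# Constructed sample mixing the page's vulnerable and secure patterns (not real project code).
SAMPLE = """\
import java.security.SecureRandom;
public class SeedDemo {
    private static final long SEED = 42L;
    public void run() {
        SecureRandom a = new SecureRandom();
        a.setSeed(123456L);               // literal: flagged
        byte[] fixedSeed = {1, 2, 3, 4};
        a.setSeed(fixedSeed);             // fixed array: flagged
        a.setSeed(SEED);                  // constant: flagged
        SecureRandom b = new SecureRandom();
        b.setSeed(b.generateSeed(16));    // dynamic: not flagged
        b.setSeed(System.nanoTime());     // dynamic: not flagged
        java.util.Random r = new java.util.Random();
        r.setSeed(7L);                    // not a SecureRandom: out of scope
    }
}
"""

if __name__ == "__main__":
    for line_no, receiver, arg in find_hardcoded_seeds(SAMPLE):
        print(f"line {line_no}: {receiver}.setSeed({arg}) uses a hardcoded seed")
```

The scanner treats a constant or byte-array variable as hardcoded only when its initializer is a literal in the same file, and it does not resolve aliases or nested parentheses.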
Vulnerable code example
import java.security.SecureRandom;

public class VulnerableSecureRandom {
    public void weakRandomness() {
        SecureRandom sr = new SecureRandom();
        sr.setSeed(123456L); // VULNERABLE: hardcoded seed compromises randomness
        byte[] fixedSeed = {1, 2, 3, 4};
    }
}

✅ Secure code example
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;

public class SecureRandomFixed {
    public void secureRandomness() throws NoSuchAlgorithmException {
        SecureRandom sr = new SecureRandom(); // SAFE: uses entropy-based seeding
        // Alternative: explicitly get strong instance
        SecureRandom strongRandom = SecureRandom.getInstanceStrong();
    }
}