Talk:Insecure Randomness

From OWASP

The example isn't very well chosen in my opinion: a better PRNG (e.g. SecureRandom for Java) doesn't really help in this example since the seed can be pretty easily guessed. It exposes other vulnerabilities such as a timing attack when a second request is done within the same millisecond.

As a control I'd suggest mentioning that you should create a PRNG only once and reuse it instead of creating a new one each time. Or maybe that's another vulnerability...
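
The two points raised in the comment above, as an added example that is not part of the original talk page or of the article it discusses. It assumes the criticised example creates a new generator per request and seeds it from the current time in milliseconds, which this page does not show; the class and method names are hypothetical.

```java
import java.security.SecureRandom;
import java.util.Random;

public class SeedReuseDemo {
    // Control suggested above: one generator per process, self-seeded by the
    // platform and reused for every request.
    private static final SecureRandom SHARED = new SecureRandom();

    // Assumed pattern: a new generator per request, seeded from the clock.
    static long tokenPerRequest(long requestTimeMillis) {
        return new Random(requestTimeMillis).nextLong();
    }

    static String tokenShared() {
        byte[] buf = new byte[16];
        SHARED.nextBytes(buf);
        StringBuilder sb = new StringBuilder();
        for (byte b : buf) sb.append(String.format("%02x", b));
        return sb.toString();
    }

    // Regression check: is this token reproducible from a clock value in the
    // given window? True means the seed, not the algorithm, is the weakness.
    static boolean derivableFromClock(long token, long fromMillis, long toMillis) {
        for (long t = fromMillis; t <= toMillis; t++) {
            if (tokenPerRequest(t) == token) return true;
        }
        return false;
    }

    public static void main(String[] args) {
        long t = 1_700_000_000_000L; // constructed timestamp, not real data
        long a = tokenPerRequest(t);
        long b = tokenPerRequest(t); // second request in the same millisecond
        System.out.println("same-ms tokens equal: " + (a == b));
        System.out.println("derivable from 1 s window: "
                + derivableFromClock(a, t - 500, t + 500));
        System.out.println("shared generator: " + tokenShared() + " / " + tokenShared());
    }
}
```

The first two lines print `true`; the shared generator prints two different 128-bit values on every run.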