Skip to content

Commit

Permalink
Docs review suggestions
Browse files Browse the repository at this point in the history
  • Loading branch information
egregius313 committed Dec 11, 2023
1 parent ce20c4a commit 06eef93
Showing 1 changed file with 9 additions and 10 deletions.
19 changes: 9 additions & 10 deletions java/ql/src/Security/CWE/CWE-330/InsecureRandomness.qhelp
Original file line number Diff line number Diff line change
Expand Up @@ -16,17 +16,16 @@

</overview>
<recommendation>
<p>
Use a cryptographically secure pseudo-random number generator if the output is to be used in a
security-sensitive context. As a general rule, a value should be considered "security-sensitive"
if predicting it would allow the attacker to perform an action that they would otherwise be unable
to perform. For example, if an attacker could predict the random password generated for a new user,
they would be able to log in as that new user.
</p>

<p>
For Java, <code>java.util.Random</code> is not cryptographically secure. Use <code>java.security.SecureRandom</code> instead.
The <code>java.util.Random</code> random number generator is not cryptographically secure. Use a secure random number generator such as <code>java.security.SecureRandom</code> instead.
</p>
<p>
Use a cryptographically secure pseudo-random number generator if the output is to be used in a
security-sensitive context. As a general rule, a value should be considered "security-sensitive"
if predicting it would allow the attacker to perform an action that they would otherwise be unable
to perform. For example, if an attacker could predict the random password generated for a new user,
they would be able to log in as that new user.
</p>
</recommendation>

<example>
Expand All @@ -44,7 +43,7 @@
<sample src="examples/InsecureRandomnessCookie.java" />

<p>
In the second case, we generate a fresh cookie by appending a random integer to the end of a static
In the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static
string. The random number generator used (<code>SecureRandom</code>) is cryptographically secure,
so it is not possible for an attacker to predict the generated cookie.
</p>
Expand Down

0 comments on commit 06eef93

Please sign in to comment.