From 06eef93f89b18daf2d21db1916f9c4deee349814 Mon Sep 17 00:00:00 2001 From: Edward Minnix III Date: Fri, 8 Dec 2023 10:40:48 -0500 Subject: [PATCH] Docs review suggestions --- .../CWE/CWE-330/InsecureRandomness.qhelp | 19 +++++++++---------- 1 file changed, 9 insertions(+), 10 deletions(-) diff --git a/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.qhelp b/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.qhelp index 912c423bd659..414e32520577 100644 --- a/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.qhelp +++ b/java/ql/src/Security/CWE/CWE-330/InsecureRandomness.qhelp @@ -16,17 +16,16 @@ -

- Use a cryptographically secure pseudo-random number generator if the output is to be used in a - security-sensitive context. As a general rule, a value should be considered "security-sensitive" - if predicting it would allow the attacker to perform an action that they would otherwise be unable - to perform. For example, if an attacker could predict the random password generated for a new user, - they would be able to log in as that new user. -

-

- For Java, java.util.Random is not cryptographically secure. Use java.security.SecureRandom instead. + The java.util.Random random number generator is not cryptographically secure. Use a secure random number generator such as java.security.SecureRandom instead.

+

+ Use a cryptographically secure pseudo-random number generator if the output is to be used in a + security-sensitive context. As a general rule, a value should be considered "security-sensitive" + if predicting it would allow the attacker to perform an action that they would otherwise be unable + to perform. For example, if an attacker could predict the random password generated for a new user, + they would be able to log in as that new user. +

@@ -44,7 +43,7 @@

- In the second case, we generate a fresh cookie by appending a random integer to the end of a static + In the second (GOOD) case, we generate a fresh cookie by appending a random integer to the end of a static string. The random number generator used (SecureRandom) is cryptographically secure, so it is not possible for an attacker to predict the generated cookie.