Rules Repository: RSPEC-2245

Using pseudorandom number generators (PRNGs) is security-sensitive


    Details

    • Type: Security Hotspot Detection
    • Status: Active
    • Resolution: Unresolved
    • Message:
      Make sure that using this pseudorandom number generator is safe here.
    • Default Severity:
      Critical
    • Impact:
      High
    • Likelihood:
      Low
    • Default Quality Profiles:
      Sonar way
    • Targeted languages:
      VB6
    • Covered Languages:
      C#, C, C++, Java, JavaScript, Objective-C, PHP, Python, TypeScript
    • Remediation Function:
      Constant/Issue
    • Constant Cost:
      10min
    • Analysis Level:
      Semantic Analysis
    • Analysis Scope:
      Main Sources
    • Common Rule:
      Yes
    • CERT:
      MSC02-J., MSC30-C., MSC50-CPP.
    • CWE:
      CWE-338, CWE-330, CWE-326
    • OWASP:
      A3
    • FindSecBugs:
      PREDICTABLE_RANDOM

      Description

      Using pseudorandom number generators (PRNGs) is security-sensitive. For example, it has led in the past to the following vulnerabilities:

      When software generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.

      Ask Yourself Whether

      • the code using the generated value requires it to be unpredictable. It is the case for all encryption mechanisms or when a secret value, such as a password, is hashed.
      • the function you use generates a value which can be predicted (pseudo-random).
      • the generated value is used multiple times.
      • an attacker can access the generated value.

      There is a risk if you answered yes to any of those questions.

      Recommended Secure Coding Practices

      • Only use random number generators which are recommended by OWASP or any other trusted organization.
      • Use the generated random values only once.
      • You should not expose the generated random value. If you have to store it, make sure that the database or file is secure.
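The following is an added example, not code from the rule page or from SonarSource. It puts a token generator that this rule would flag beside a compliant one, shows why the flagged version is predictable (its output is a pure function of the PRNG state), and wraps the compliant generator in a one-time token store that keeps only a digest, which is how the "use once" and "do not expose or store in the clear" recommendations above translate into code. The names `weak_token`, `secure_token`, `is_reproducible` and `OneTimeTokenStore` are assumptions chosen for this example.

```python
"""Added example (not part of RSPEC-2245 itself): sensitive vs. compliant
random token generation, and a one-time token store built on the compliant
generator. All names here are illustrative assumptions."""
import hashlib
import random
import secrets
import string

ALPHABET = string.ascii_letters + string.digits
TOKEN_LENGTH = 32


def weak_token(seed=None):
    """Sensitive (the hotspot this rule raises): random.Random is a
    Mersenne Twister PRNG. Its output is a deterministic function of its
    internal state, so anyone who learns or guesses the seed/state can
    reproduce every token it will ever emit."""
    rng = random.Random(seed)
    return "".join(rng.choice(ALPHABET) for _ in range(TOKEN_LENGTH))


def secure_token():
    """Compliant: the secrets module draws from the operating system's
    cryptographically secure generator (os.urandom), which is what OWASP
    recommends for session identifiers, reset tokens and similar secrets."""
    return "".join(secrets.choice(ALPHABET) for _ in range(TOKEN_LENGTH))


def is_reproducible(generator, runs=2):
    """Return True when repeated calls to generator() yield the same value.
    A generator suitable for secrets must never do this; a seeded PRNG
    always does."""
    values = {generator() for _ in range(runs)}
    return len(values) == 1


class OneTimeTokenStore:
    """Issues secure tokens and accepts each one at most once ("use the
    generated random values only once"). Only a SHA-256 digest of each
    token is retained, so a leaked store does not expose live tokens."""

    def __init__(self):
        self._digests = set()

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self):
        token = secure_token()
        self._digests.add(self._digest(token))
        return token  # handed to the user exactly once, never logged

    def redeem(self, token):
        """True the first time a previously issued token is presented,
        False for unknown tokens and for any repeat presentation."""
        digest = self._digest(token)
        if digest in self._digests:
            self._digests.remove(digest)
            return True
        return False


if __name__ == "__main__":
    # A fixed seed (constructed for the demo) makes the weak generator repeat itself.
    print("weak token reproducible:", is_reproducible(lambda: weak_token(1234)))
    print("secure token reproducible:", is_reproducible(secure_token))
    store = OneTimeTokenStore()
    token = store.issue()
    print("first redeem:", store.redeem(token), "second redeem:", store.redeem(token))
```

Run it as a script to see the seeded `weak_token` return the identical value on every call while `secure_token` does not, and the store accept a token once and reject it afterwards. The point of keeping only digests is that the store is exactly the "database or file" the recommendation says must be secured; hashing the token means that even a compromised store cannot be replayed.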

      See


          Issue Links

          1. C# RSPEC-4558 Language-Specification Active Unassigned
          2. PHP RSPEC-4707 Language-Specification Active Unassigned
          3. Java RSPEC-4708 Language-Specification Active Unassigned
          4. JavaScript RSPEC-5075 Language-Specification Active Unassigned
          5. Python RSPEC-5225 Language-Specification Active Unassigned
          6. C-Family RSPEC-6050 Language-Specification Active Unassigned
          7. Kotlin RSPEC-6240 Language-Specification Active Unassigned


              People

              Assignee: Unassigned
              Reporter: Freddy Mallet (freddy.mallet, Inactive)
              Votes: 0
              Watchers: 5
