Talk:Insecure Randomness

From OWASP
Revision as of 09:54, 5 January 2009 by Arjanl (Talk | contribs)


The example isn't very well chosen in my opinion: a better PRNG (e.g. SecureRandom for Java) doesn't really help in this example since the seed can be pretty easily guessed. It exposes other vulnerabilities such as a timing attack when a second request is done within the same millisecond.

As a control I'd suggest mentioning that you should create a PRNG only once and reuse it instead of creating a new one each time. Or maybe that's another vulnerability...
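The two points above (a clock-derived seed is guessable, and reseeding a fresh generator on every request also makes two requests in the same millisecond produce the same value) can be shown with a small model. The code below is an added example and is not part of this talk page or of the OWASP article it discusses; it uses Python's standard library to model the Java pattern the comment refers to (a new generator seeded from the current time on each request). The names `weak_token`, `recover_seed`, `safe_token`, the range `TOKEN_SPACE` and the search window are assumptions made for the illustration, not anything from the original.

```python
import random
import secrets

# Assumed size of the token range, chosen for the illustration only.
TOKEN_SPACE = 400_000_000


def weak_token(seed_ms: int) -> int:
    """Model of the insecure pattern: a new PRNG seeded from the clock
    (milliseconds since the epoch) on every request. The output is a pure
    function of the timestamp, so anyone who can guess the timestamp can
    reproduce it, whatever PRNG algorithm sits behind it."""
    rng = random.Random(seed_ms)
    return rng.randrange(TOKEN_SPACE)


def recover_seed(observed_token: int, approx_ms: int, window_ms: int = 5000):
    """Attacker side: given one observed token and a rough idea of when it
    was issued (e.g. from the HTTP Date header), try every millisecond in
    [approx_ms - window_ms, approx_ms + window_ms] until the token matches.
    Returns the recovered seed, or None if nothing in the window matches."""
    for candidate in range(approx_ms - window_ms, approx_ms + window_ms + 1):
        if weak_token(candidate) == observed_token:
            return candidate
    return None


def neighbouring_tokens(seed_ms: int, radius_ms: int):
    """Once the seed is known, tokens issued to other users in nearby
    milliseconds are just the same function evaluated on nearby seeds."""
    return {ms: weak_token(ms) for ms in range(seed_ms - radius_ms, seed_ms + radius_ms + 1)}


# Hardened version: one generator, created once for the process, backed by
# the operating system's entropy source and never reseeded from the clock.
_SYSTEM_RNG = secrets.SystemRandom()


def safe_token() -> int:
    """Tokens no longer depend on the request time, and two requests in the
    same millisecond get independent values."""
    return _SYSTEM_RNG.randrange(TOKEN_SPACE)


if __name__ == "__main__":
    # Constructed scenario: the server issued a token at this (made-up)
    # millisecond timestamp; the attacker only knows the time to within a
    # couple of seconds.
    issued_at_ms = 1231149240000
    token = weak_token(issued_at_ms)
    guess_ms = issued_at_ms + 1234
    print("observed token:", token)
    print("recovered seed:", recover_seed(token, guess_ms))
    print("same millisecond twice -> same token:", weak_token(issued_at_ms) == weak_token(issued_at_ms))
    print("hardened token:", safe_token())
```

The search over a ten-second window costs about ten thousand generator initialisations, which finishes well under a second; widening it to a whole day is still only 86 million candidates. The fix is not a stronger algorithm seeded the same way but a single generator created once and seeded from an entropy source the attacker cannot observe, which is what `secrets.SystemRandom()` (and, in Java, a `SecureRandom` that is never given a clock-derived seed) provides.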