[Esapi-user] ESAPI Random Number Generation Broken
jim.manico at owasp.org
Sun Apr 6 22:53:50 UTC 2014
Over a year ago the ESAPI team got a report from David Rook that the
ESAPI Random Number Generator was not providing a random sequence of
values. Using burp's random number analyzer, he found that ESAPI was
providing a very predictable sequence of numbers from the
class. I was asked not to report on this to give the team time to fix
it, but it's been over a year or more. So I reported it officially
I believe this also may be the cause of
This also impacts anyone using ESAPI for Java for CSRF protection. Your
CSRF tokens are not true random, they are a predictable sequence of
numbers that will make it easier for an attacker to guess your CSRF
token value. This also impacts key creation in the crypto API's. This
also impact the random access map in ESAPI.
A quick fix is to fork
class and create a new instance of SecureRandom for each use. Be sure to
test the performance impact of this.
Any questions, drop me a line here or at jim.manico at owasp.org.
More information about the Esapi-user