[Esapi-user] ESAPI Random Number Generation Broken

Jim Manico jim.manico at owasp.org
Sun Apr 6 22:53:50 UTC 2014


Folks,

Over a year ago the ESAPI team got a report from David Rook that the 
ESAPI Random Number Generator was not providing a random sequence of 
values. Using Burp's random number analyzer, he found that ESAPI was 
providing a very predictable sequence of numbers from the 
https://code.google.com/p/owasp-esapi-java/source/browse/branches/2.1/src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java 
class. I was asked not to report on this to give the team time to fix 
it, but it's been over a year or more. So I reported it officially 
today. https://code.google.com/p/owasp-esapi-java/issues/detail?id=323

I believe this also may be the cause of 
https://code.google.com/p/owasp-esapi-java/issues/detail?id=217

This also impacts anyone using ESAPI for Java for CSRF protection. Your 
CSRF tokens are not true random, they are a predictable sequence of 
numbers that will make it easier for an attacker to guess your CSRF 
token value. This also impacts key creation in the crypto APIs. This 
also impacts the random access map in ESAPI.

A quick fix is to fork 
https://code.google.com/p/owasp-esapi-java/source/browse/branches/2.1/src/main/java/org/owasp/esapi/reference/DefaultRandomizer.java 
class and create a new instance of SecureRandom for each use. Be sure to 
test the performance impact of this.

Any questions, drop me a line here or at jim.manico at owasp.org.

Regards,
Jim
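The workaround described above (a fresh `SecureRandom` per use instead of one long-lived instance), written out as an added example that is not ESAPI's code; the class name `PerUseRandomizer` and its two methods are hypothetical stand-ins for a forked `DefaultRandomizer`, and the timing loop is there because the post asks you to measure the cost of per-use construction.

```java
import java.security.SecureRandom;

// Hypothetical stand-in for a forked DefaultRandomizer (not ESAPI's own code).
public final class PerUseRandomizer {
    private static final char[] ALPHANUM =
        "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789".toCharArray();

    // The post's workaround: a new, self-seeded SecureRandom for every call.
    // Do not call setSeed() with a fixed value on it; for SHA1PRNG that would
    // replace the self-seeding entirely and make the output deterministic.
    private static SecureRandom fresh() {
        return new SecureRandom();
    }

    // Token of the given length drawn from the given character set.
    public static String getRandomString(int length, char[] charset) {
        SecureRandom rng = fresh();
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(charset[rng.nextInt(charset.length)]);
        }
        return sb.toString();
    }

    // Integer in [min, max).
    public static int getRandomInteger(int min, int max) {
        return min + fresh().nextInt(max - min);
    }

    public static void main(String[] args) {
        // Two consecutive tokens must differ; this is only a smoke test, not
        // evidence of unpredictability, which needs a sequence analysis such
        // as the Burp one mentioned in the post.
        String a = getRandomString(32, ALPHANUM);
        String b = getRandomString(32, ALPHANUM);
        System.out.println(a + "\n" + b + "\nidentical: " + a.equals(b));

        // Measure the cost of per-use construction against a shared instance.
        int n = 10_000;
        SecureRandom shared = new SecureRandom();
        long t0 = System.nanoTime();
        for (int i = 0; i < n; i++) shared.nextInt(ALPHANUM.length);
        long t1 = System.nanoTime();
        for (int i = 0; i < n; i++) fresh().nextInt(ALPHANUM.length);
        long t2 = System.nanoTime();
        System.out.printf("shared: %.2f us/call, per-use: %.2f us/call%n",
            (t1 - t0) / 1e3 / n, (t2 - t1) / 1e3 / n);
    }
}
```

Run it on the same JVM and OS you deploy on, since the cost of constructing `SecureRandom` depends on the platform's default algorithm and seed source.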



