[Owasp-o2-platform] Another issue with the .NET Random class

dinis cruz dinis.cruz at owasp.org
Sat Jul 16 03:41:47 EDT 2011


OK, maybe it is just me, but I was not aware that the Random class was not
thread-safe (I was aware that it is recommended that you don't create a new
Random object on every use).

I just documented my findings/experience at the O2 Blog
http://o2platform.wordpress.com/2011/07/16/humm-net-random-class-is-not-thread-safe/ and,
I have to say that I have the feeling that there are a number of
security vulnerabilities out there created by this behaviour (think of a
multi-threaded environment which receives a lot of traffic and uses the Random
class for session/key/token/id generation).

And since it requires a certain number of requests/threads to trigger the
problem, it might not be easy to detect, debug and/or replicate (note that
Random doesn't fail safely... i.e. once the race condition is triggered, it
will just return 0).

Here are a couple of projects that (look like they) use the Random class:
http://www.google.com/codesearch#search/&q=%22new%20Random%22%20lang:%5Ec%23$&type=cs

Dinis Cruz

Blog: http://diniscruz.blogspot.com
Twitter: http://twitter.com/DinisCruz
Web: http://www.owasp.org/index.php/O2
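Added example, not from the post or the O2 project: a small C# harness that hammers one shared System.Random instance from several threads and counts how many Next() calls come back 0 (the corrupted-state symptom the post describes on the .NET Framework of the time; newer runtimes use a different Random implementation, so the symptom may not look the same), next to the CSPRNG that should be used for session ids, tokens and keys in the first place. The names StressSharedRandom and NewToken are assumptions of this example.

```csharp
using System;
using System.Security.Cryptography;
using System.Threading;

// Added example (hypothetical helper, not from the original post).
static class RandomRaceDemo
{
    // Stress one shared Random from N threads and report how many results were 0.
    // A healthy Next() returns 0 with probability ~1/int.MaxValue, so any
    // noticeable count means the instance's internal state has been corrupted
    // by concurrent use (the "returns 0" failure mode the post describes).
    public static (long zeros, long total) StressSharedRandom(int threads, int iterationsPerThread)
    {
        var shared = new Random();
        long zeros = 0;
        var workers = new Thread[threads];
        for (int t = 0; t < threads; t++)
        {
            workers[t] = new Thread(() =>
            {
                long localZeros = 0;
                for (int i = 0; i < iterationsPerThread; i++)
                    if (shared.Next() == 0) localZeros++;
                Interlocked.Add(ref zeros, localZeros);
            });
            workers[t].Start();
        }
        foreach (var w in workers) w.Join();
        return (zeros, (long)threads * iterationsPerThread);
    }

    // Correct source for session ids / tokens / keys: the CSPRNG. It is safe to
    // call from any thread and its output is unpredictable, which System.Random
    // never is, locked or not.
    public static string NewToken(int bytes = 32)
    {
        var buf = new byte[bytes];
        using (var rng = RandomNumberGenerator.Create())
            rng.GetBytes(buf);
        return Convert.ToBase64String(buf);
    }

    static void Main()
    {
        var (zeros, total) = StressSharedRandom(threads: 8, iterationsPerThread: 2_000_000);
        Console.WriteLine($"shared Random: {zeros} zero results out of {total}");
        Console.WriteLine($"CSPRNG token: {NewToken()}");
    }
}
```

For non-security randomness, a lock around the shared instance or one Random per thread removes the race; for anything an attacker gains by predicting, Random is the wrong tool regardless of locking.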