HP Fortify SCA - erroneous High Impact Insecure Randomness
HP Fortify SCA flags JavaScript Math.random in jQuery (js/jquery-1.7.1.min.js) as a "High Impact vulnerability; Insecure Randomness". jQuery and GitHub forum moderators disagree (links below).
Specific JavaScript code cited by Fortify (three examples):
Ex1.[internalfunctions.js] function GenerateCaptID(){randomNum=Math.floor(Math.random()*8888+1e3);document.getElementById("captchaid").innerHTML=randomNum;document.getElementById("xl_ex").value=randomNum}
Ex2.[jquery-1.7.1.min.js] expando:"jQuery"+(f.fn.jquery+Math.random()).replace(/\D/g,"")
Ex3.[jquery-1.7.1.min.js] d="sizcache"+(Math.random()+"").replace(".","")
The Fortify explanation is to use window.crypto.random, which I have done (see attached screenshot) but SCA does not accept this. Any suggestions?
Thank you,
Hi L. Mitchell,
We, as Security Analysts, should confirm or discard every issue detected by Fortify, because there are facts that Fortify does not know, for example the use of some functions, the protection that some files have, and so on.
In some cases, like this one, every call to Math.random is reported because cryptographic use is suspected. The same occurs with every form present in an html/jsp(x)/asp(x) page, which is suspected of CSRF weakness.
In those cases, we should evaluate the context and tell Fortify: "Yes, this issue is real and should be fixed" or: "No, this issue is a false positive, send it to the trash".
In this case, the developers give you the answer: "there's no need to use crypto as we are not trying to generate secure, random numbers. We only use Math.random to generate internal unique identifiers". Then, if that response is enough for you, I suggest marking the issue with the analysis tag "Not an Issue", and you are done.
Hope this is useful.
Regards.