nalfonso

Why did not Fortify detect the following issue?: Cryptography.PoorEntropy

Cryptography.PoorEntropy: The application uses an insecure source of randomness, potentially enabling an attacker to improve the odds of predicting the next secret generated by the generator. This form of attack is used in sequence number prediction, cryptographic attacks, and session spoofing.

The application should use a cryptographic strength random number generator, such as the java.security.SecureRandom class. There are commercial and open source libraries available that have strong random number generator classes. You should choose a tested and widely used implementation. As with all cryptographic mechanisms, the source code should be available for analysis.

-This issue is found in the following code lines:

public ResponseDTO enviarOnbase(String peticion) {
    try {
        // Stub mode: when usarOnbase is "no", fabricate a document handle locally
        // instead of calling the OnBase web service.
        if (!StringUtils.isBlank(usarOnbase) && usarOnbase.equalsIgnoreCase("no")) {
            ResponseDTO respuesta = new ResponseDTO();
            // java.util.Random is a 48-bit linear congruential generator, not a CSPRNG;
            // this is the line expected to be reported as Cryptography.PoorEntropy.
            Random rand = new Random();
            respuesta.setCode("00");
            respuesta.setDocumentHandle("" + rand.nextInt(20071969));
            return respuesta;
        } else {
            // Normal path: delegate to the OnBase web service client.
            return wsFormulario.enviarOnbase(usuario, password, peticion);
        }
    } catch (RemoteException ex) {
        LOGGER.error(ex.getMessage());
        return null;
    }
}

-This issue is described in the following URLs:

https://stackoverflow.com/questions/11051205/difference-between-java-util-random-and-java-security-securerandom
https://docs.oracle.com/javase/7/docs/api/java/util/Random.html

Attached file "WebserviceClient.java"; the issue is at code line 233.

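As an added illustration of the finding described in the post (this is not code from the original post, from Fortify, or from the WebserviceClient.java attachment), the following Java program shows why java.util.Random is a poor entropy source: its state is a 48-bit linear congruential generator and nextInt() reveals the top 32 bits of that state, so two consecutive outputs are enough to recover the state and predict every later value. It also shows the hardened replacement with java.security.SecureRandom. The demo uses the unbounded nextInt() for simplicity; the posted code's nextInt(20071969) hands out fewer bits per call, so an attacker needs more samples, but the state space is still only 2^48. The 128-bit hex handle format in secureHandle is an assumption, since the post only shows that the handle is a numeric string.

```java
import java.security.SecureRandom;
import java.util.Random;

/**
 * Added example: predicting java.util.Random from observed outputs, beside
 * a SecureRandom-based replacement. Not part of the original post.
 */
public class PoorEntropyDemo {

    // Constants of the 48-bit LCG behind java.util.Random (taken from the JDK source).
    private static final long MULTIPLIER = 0x5DEECE66DL;
    private static final long ADDEND = 0xBL;
    private static final long MASK = (1L << 48) - 1;

    /** One generator step, exactly as Random.next() performs it. */
    static long advance(long state) {
        return (state * MULTIPLIER + ADDEND) & MASK;
    }

    /** nextInt() returns the top 32 bits of the 48-bit state. */
    static int outputOf(long state) {
        return (int) (state >>> 16);
    }

    /**
     * Recover the generator state from two consecutive nextInt() outputs.
     * The first output fixes the top 32 bits of the state, so only the low
     * 16 bits are unknown: at most 65536 candidates, each checked against
     * the second output. Returns the state after the second output, ready
     * to predict the third.
     */
    static long recoverState(int out1, int out2) {
        long high = ((long) out1 & 0xFFFFFFFFL) << 16;
        for (long low = 0; low < (1L << 16); low++) {
            long s2 = advance(high | low);
            if (outputOf(s2) == out2) {
                return s2;
            }
        }
        throw new IllegalStateException("outputs were not produced by consecutive nextInt() calls");
    }

    /** The pattern from the post: a handle derived from java.util.Random (weak, for contrast). */
    static String weakHandle(Random rand) {
        return "" + rand.nextInt(20071969);
    }

    /**
     * Hardened replacement: a CSPRNG and enough bits that the handle cannot be
     * guessed or enumerated. 128 bits rendered as hex is an assumed format.
     */
    static String secureHandle(SecureRandom secureRandom) {
        byte[] bytes = new byte[16];
        secureRandom.nextBytes(bytes);
        StringBuilder hex = new StringBuilder(32);
        for (byte b : bytes) {
            hex.append(String.format("%02x", b));
        }
        return hex.toString();
    }

    public static void main(String[] args) {
        // Attacker's view: two values observed from the victim's generator
        // (for example, two handles issued to the attacker's own requests),
        // then a prediction of the next value the service will hand out.
        Random victim = new Random();
        int seen1 = victim.nextInt();
        int seen2 = victim.nextInt();
        long state = recoverState(seen1, seen2);
        int predicted = outputOf(advance(state));
        int actual = victim.nextInt();
        System.out.println("predicted=" + predicted + " actual=" + actual
                + " match=" + (predicted == actual));

        System.out.println("weak handle:   " + weakHandle(new Random()));
        System.out.println("secure handle: " + secureHandle(new SecureRandom()));
    }
}
```

Compile and run with `javac PoorEntropyDemo.java && java PoorEntropyDemo`. The prediction matches on every run because nothing about the seed is needed: the attack works purely from outputs. SecureRandom removes that property, and widening the handle to 128 bits additionally makes blind guessing of a valid handle infeasible, which a 25-bit nextInt(20071969) value never was.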
Raphael Hagi

Re: Why did not Fortify detect the following issue?: Cryptography.PoorEntropy

This kind of issue is not present in the Fortify Taxonomy; I think this is why SCA doesn't recognize your code as vulnerable. Check the taxonomy at: https://vulncat.fortify.com/

To help, you can write some custom rules to identify it...


Data, or do not.